smtpd_discard_ehlo_keyword_address_maps support for hostnames


smtpd_discard_ehlo_keyword_address_maps support for hostnames

Nikk
Hi all,

Postfix documentation mentions (for smtpd_discard_ehlo_keyword_address_maps):

“The tables are not searched by hostname for robustness reasons.”

Is it possible to describe what these reasons are? (performance related?)

Is it worth adding a new parameter that performs the same functionality on hostnames? (and if left empty it doesn't perform any checks).

Many thanks,

Nik Kostaras

Team Leader


Re: smtpd_discard_ehlo_keyword_address_maps support for hostnames

Wietse Venema
Nik Kostaras:
> Hi all,
>
> Postfix documentation mentions (for smtpd_discard_ehlo_keyword_address_maps):
>
> “The tables are not searched by hostname for robustness reasons.”
>
> Is it possible to describe what these reasons are? (performance related?)

Ask the question: if DNS lookup does not work, even if only for a
brief time, would that result in the loss of mail?

The purpose of this feature is to prevent a server from announcing
a feature to an SMTP client, for example because it would result
in the loss of mail (a client has a problem with that feature).

What should happen:

a) Don't suppress keywords based on hostname, and risk losing mail.

b) Don't accept mail, to avoid loss of mail.

c) Something else?

        Wietse

RE: smtpd_discard_ehlo_keyword_address_maps support for hostnames

Nikk
Hi Wietse,

Very good question!
From my point of view I'd like to have the ability to choose whether to enable this filtering option (separately from the existing IP filtering),
acknowledging the risks of mail loss (with a "Here be dragons" warning in the documentation).

If you are interested I can send a patch with a new config option.

Many thanks,
Nik Kostaras


Re: smtpd_discard_ehlo_keyword_address_maps support for hostnames

Wietse Venema
Oh, and what should happen when the host has multiple PTR records
that properly satisfy the reverse/forward name check?  Postfix picks
only one, and it may not pick the same one every time.

Writing code is easy, what about writing first the documentation
how this is supposed to behave?

If a feature needs more text for its limitations than for its
functionality, then perhaps that is a sign of a problematic feature?

        Wietse


RE: smtpd_discard_ehlo_keyword_address_maps support for hostnames

Nikk
Hi Wietse,

Yep, another very valid point.
I do agree that the risks of using the hostnames to exclude features are not insignificant,
in which case I'd ask if the use of hostnames to include features (whitelisting rather than blacklisting) would be more acceptable in terms of risk?

If the resolution of a hostname fails or is not the expected one (for whatever reason) the client will not be offered some of the features,
which can lead to transmission failures (failure to accept the messages) rather than mail loss.

I also think that it's a good idea to add these examples against using the hostnames in the documentation, as it makes the reasons for this decision clearer.

Many thanks,
Nik
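
The trade-offs raised in this thread, as an added example that is not part of the original posts and is not Postfix code: a toy model comparing address-keyed discard with the two hostname-keyed variants discussed (discard list and allowlist) when reverse DNS works, fails, or returns several valid names. The tables, hostnames, client address and the BASELINE fallback are assumptions made for the illustration.

```python
# Toy model of the design choices debated in this thread. Not Postfix code;
# every table, hostname and address below is constructed for illustration.
ALL_KEYWORDS = ["PIPELINING", "SIZE", "STARTTLS", "8BITMIME"]

CLIENT_ADDR = "192.0.2.10"          # client that mishandles PIPELINING
DISCARD_BY_ADDR = {CLIENT_ADDR: {"PIPELINING"}}            # existing design
DISCARD_BY_HOST = {"legacy.example.com": {"PIPELINING"}}   # hypothetical
ALLOW_BY_HOST = {"legacy.example.com": {"SIZE", "STARTTLS", "8BITMIME"}}  # hypothetical
BASELINE = {"SIZE"}  # assumed offer for clients the allowlist cannot name


def by_addr(addr, ptr_name):
    """Address-keyed discard: the resolver answer is never consulted."""
    drop = DISCARD_BY_ADDR.get(addr, set())
    return tuple(k for k in ALL_KEYWORDS if k not in drop)


def by_host_discard(addr, ptr_name):
    """Hostname-keyed discard: an unknown name means nothing is suppressed."""
    drop = DISCARD_BY_HOST.get(ptr_name, set())
    return tuple(k for k in ALL_KEYWORDS if k not in drop)


def by_host_allow(addr, ptr_name):
    """Hostname-keyed allowlist: an unknown name gets only the baseline."""
    allow = ALLOW_BY_HOST.get(ptr_name, BASELINE)
    return tuple(k for k in ALL_KEYWORDS if k in allow)


# Resolver answers one client may produce on successive connections.
# None models a failed lookup; two names model multiple valid PTR records
# of which the server uses only one per connection.
SCENARIOS = {
    "dns_ok": ["legacy.example.com"],
    "dns_down": [None],
    "multi_ptr": ["legacy.example.com", "mx-old.example.com"],
}


def outcomes(policy, scenario):
    """Distinct EHLO keyword lists the client can see in one scenario."""
    return {policy(CLIENT_ADDR, name) for name in SCENARIOS[scenario]}


if __name__ == "__main__":
    for policy in (by_addr, by_host_discard, by_host_allow):
        for scenario in SCENARIOS:
            print(policy.__name__, scenario, sorted(outcomes(policy, scenario)))
```

Only the address-keyed policy yields the same keyword list in every scenario; the hostname-keyed discard list announces PIPELINING again when the lookup fails, while the allowlist falls back to the reduced baseline.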
