whitelist for single reject
Michael Fox

I'm pretty sure I've seen this documented somewhere, but I can't find it.

What I'd like to do is have a whitelist apply to only a specific reject.  For example:

smtpd_*_restrictions =
              …
              check_*_access …  <whitelist-access-table>
              reject_…
              reject_...
              reject_...

My understanding is that the above <whitelist-access-table> will cause all of the following rejects to be skipped for whitelisted hosts.  But suppose each reject_... test needs different whitelists?  Is there a way to do that?

Thanks,
Michael


Re: whitelist for single reject

Wietse Venema
Michael Fox:

> I'm pretty sure I've seen this documented somewhere, but I can't find it.
>
> What I'd like to do is have a whitelist apply to only a specific reject.
> For example:
>
> smtpd_*_restrictions =
>               .
>               check_*_access .  <whitelist-access-table>
>               reject_.
>               reject_...
>               reject_...
>
> My understanding is that the above <whitelist-access-table> will cause all
> of the following rejects to be skipped for whitelisted hosts.  But suppose
> each reject_... test needs different whitelists?  Is there a way to do that?

You could use an access table to look up per-recipient rules.
See http://www.postfix.org/RESTRICTION_CLASS_README.html for an
example.

        Wietse

Re: whitelist for single reject

Bill Cole-3
In reply to this post by Michael Fox
On 24 Dec 2018, at 12:40, Michael Fox wrote:

> I'm pretty sure I've seen this documented somewhere, but I can't find
> it.

In addition to defining alternative restriction lists and classes as
Wietse noted, you can keep all of your restrictions in the standard
smtpd_*_restrictions lists if you prefer and can accept the limitation
of having each type of whitelisting applied to a trailing sublist of
restrictions.
This method is implicit in the documentation of the various
smtpd_*_restrictions lists, but I don't think it is described explicitly
anywhere.

> What I'd like to do is have a whitelist apply to only a specific
> reject.
[...]
> But suppose
> each reject_... test needs different whitelists?  Is there a way to do
> that?

You can do that by defining restriction lists and classes as in
http://www.postfix.org/RESTRICTION_CLASS_README.html or you can get
close to it without a myriad of special lists by using the fact that
directives in a restriction list are ordered, and you can have as many
check_*_access maps as you like, ordered amongst the reject_* directives
however you like. So this sort of thing would work, although it's a bit
more than I expect anyone would need:

smtpd_recipient_restrictions = permit_mynetworks,
    check_recipient_access hash:/etc/postfix/protect_from_all,
    reject_[some_rule_1],
    check_recipient_access hash:/etc/postfix/protect_from_2-n,
    check_client_access hash:/etc/postfix/protect_from_2-n,
    reject_[some_rule_2],
    check_recipient_access hash:/etc/postfix/protect_from_3-n,
    check_sender_access hash:/etc/postfix/protect_from_3-n,
    reject_[some_rule_3],
    [...]
    check_recipient_access hash:/etc/postfix/protect_from_n,
    check_client_access hash:/etc/postfix/protect_from_n,
    check_sender_access hash:/etc/postfix/protect_from_n,
    reject_[some_rule_n],
    permit




--
Bill Cole

RE: whitelist for single reject

Michael Fox
In reply to this post by Wietse Venema
> >
> > What I'd like to do is have a whitelist apply to only a specific reject.
>
> You could use an access table to look up per-recipient rules.
> See http://www.postfix.org/RESTRICTION_CLASS_README.html for an
> example.

Hmmm.  I read that.  I don't see how it applies to this case.  Can you give
me an example?

Suppose I have the following general case:

/etc/postfix/whitelist1:
    <host_a> OK
    <host_b> OK

/etc/postfix/whitelist2:
    <host_c> OK

How would I accomplish the following?

smtpd_*_restrictions =
    . . .
    reject_[type1] . . .  (except for hosts in whitelist1)
    reject_[type2] . . .  (except for hosts in whitelist2)

Thanks,
Michael


RE: whitelist for single reject

Michael Fox
In reply to this post by Bill Cole-3
> In addition to defining alternative restriction lists and classes as
> Wietse noted, you can keep all of your restrictions in the standard
> smtpd_*_restrictions lists if you prefer and can accept the limitation
> of having each type of whitelisting applied to a trailing sublist of
> restrictions.

Thanks Bill.  But the situation is not "nested" as your example showed.  I
just posted a follow-up to Wietse' response.  Perhaps that will be more
clear.

Michael


Re: whitelist for single reject

Bill Cole-3
In reply to this post by Michael Fox
On 26 Dec 2018, at 22:35, Michael Fox wrote:

>>>
>>> What I'd like to do is have a whitelist apply to only a specific
>>> reject.
>>
>> You could use an access table to look up per-recipient rules.
>> See http://www.postfix.org/RESTRICTION_CLASS_README.html for an
>> example.
>
> Hmmm.  I read that.  I don't see how it applies to this case.

That's because the logic for doing it in Postfix is the reverse of what
you're asking for. It still works, however.

> Can you give
> me an example?
>
> Suppose I have the following general case:
>
> /etc/postfix/whitelist1:
>     <host_a> OK
>     <host_b> OK
>
> /etc/postfix/whitelist2:
>     <host_c> OK
>
> How would I accomplish the following?
>
> smtpd_*_restrictions =
>     . . .
>     reject_[type1] . . .  (except for hosts in whitelist1)
>     reject_[type2] . . .  (except for hosts in whitelist2)


main.cf:
    smtpd_restriction_classes = whitelist1, whitelist2, unwhitelisted
    whitelist1 = reject_[type2]
    whitelist2 = reject_[type1]
    unwhitelisted = reject_[type1], reject_[type2]

    smtpd_*_restrictions =
       check_client_access pcre:/etc/postfix/whitelisting
       ...   (NOT including reject_[type1] or reject_[type2])

/etc/postfix/whitelisting:
    /^host_a$/   whitelist1
    /^host_b$/   whitelist1
    /^host_c$/   whitelist2
    /.*/         unwhitelisted

The reason I'm specifying 'whitelisting' map as pcre type instead of
hash is that I don't think there's any way to make a hash map default to
a restriction class or restriction list. One way to read the access(5)
man page implies that '.' would match any hostname not matched, but I
have not tried that.

--
Bill Cole
[hidden email] or [hidden email]
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Available For Hire: https://linkedin.com/in/billcole

Re: whitelist for single reject

Viktor Dukhovni
> On Dec 27, 2018, at 12:31 AM, Bill Cole <[hidden email]> wrote:
>
> main.cf:
>   smtpd_restriction_classes = whitelist1, whitelist2, unwhitelisted
>   whitelist1 = reject_[type2]
>   whitelist2 = reject_[type1]
>   unwhitelisted = reject_[type1], reject_[type2]
>
>   smtpd_*_restrictions =
>      check_client_access pcre:/etc/postfix/whitelisting
>      ...   (NOT including reject_[type1] or reject_[type2])
>
> /etc/postfix/whitelisting:
>   /^host_a$/   whitelist1
>   /^host_b$/   whitelist1
>   /^host_c$/   whitelist2
>   /.*/         unwhitelisted

Since hostname-based whitelists are fragile in the face of transient
DNS failures, and many users struggle with regular expression correctness,
a CIDR map is more appropriate here:

        192.0.2.1 whitelist1
        192.0.2.2 whitelist2
        ....
        0.0.0.0/0 unwhitelisted

  check_client_access cidr:${config_directory}/wlist.cidr

--
        Viktor.


Re: whitelist for single reject

Wietse Venema
In reply to this post by Michael Fox
Michael Fox:
> > >
> > > What I'd like to do is have a whitelist apply to only a specific reject.
> >
> > You could use an access table to look up per-recipient rules.
> > See http://www.postfix.org/RESTRICTION_CLASS_README.html for an
> > example.
>
> Hmmm.  I read that.  I don't see how it applies to this case.  Can you give
> me an example?

recipient1 restrictions for recipient 1
recipient2 restrictions for recipient 2

        Wietse

RE: whitelist for single reject

Michael Fox
In reply to this post by Bill Cole-3
> > Suppose I have the following general case:
> >
> > /etc/postfix/whitelist1:
> >     <host_a> OK
> >     <host_b> OK
> >
> > /etc/postfix/whitelist2:
> >     <host_c> OK
> >
> > How would I accomplish the following?
> >
> > smtpd_*_restrictions =
> >     . . .
> >     reject_[type1] . . .  (except for hosts in whitelist1)
> >     reject_[type2] . . .  (except for hosts in whitelist2)
>
>
> main.cf:
>     smtpd_restriction_classes = whitelist1, whitelist2, unwhitelisted
>     whitelist1 = reject_[type2]
>     whitelist2 = reject_[type1]
>     unwhitelisted = reject_[type1], reject_[type2]
>
>     smtpd_*_restrictions =
>        check_client_access pcre:/etc/postfix/whitelisting
>        ...   (NOT including reject_[type1] or reject_[type2])
>
> /etc/postfix/whitelisting:
>     /^host_a$/   whitelist1
>     /^host_b$/   whitelist1
>     /^host_c$/   whitelist2
>     /.*/         unwhitelisted

Ah.  OK.  I see what you're doing.  But, to make the logic more like

        smtpd_*_restrictions =
                . . .
                reject_[type1] . . .  (except for hosts in whitelist1)
                reject_[type2] . . .  (except for hosts in whitelist2)

and to take into account Viktor's suggestion for CIDR tables, does this
work?

${config_directory}/main.cf:
        smtpd_restriction_classes = reject1, reject2
        reject1 = reject_[type1]
        reject2 = reject_[type2]

        smtpd_*_restrictions =
                . . .
                check_client_access cidr:${config_directory}/reject1_map
                check_client_access cidr:${config_directory}/reject2_map
                . . .

${config_directory}/reject1_map
        # These hosts are whitelisted from this test only
        192.0.2.1 OK
        192.0.2.2 OK
        # Everyone else gets this test
        0.0.0.0/0 reject1

${config_directory}/reject2_map
        # These hosts are whitelisted from this test only
        192.0.2.2 OK
        192.0.2.3 OK
        # Everyone else gets this test
        0.0.0.0/0 reject2


So:
-- host 192.0.2.1 is exempted from the first test but must undergo the
second test
-- host 192.0.2.2 is exempted from both tests
-- host 192.0.2.3 must undergo the first test but is exempted from the
second test
-- all other hosts undergo both tests

Is that correct?


> The reason I'm specifying 'whitelisting' map as pcre type instead of
> hash is that I don't think there's any way to make a hash map default to
> a restriction class or restriction list. One way to read the access(5)
> man page implies that '.' would match any hostname not matched, but I
> have not tried that.

OK.  Understood.

Michael



RE: whitelist for single reject

Michael Fox
In reply to this post by Viktor Dukhovni
> Since hostname based whitelists are fragile in the face of transient
> DNS failures, and many users struggle with regular expression correctness.
> A CIDR map is more appropriate here:
> Viktor.

Excellent.  Thanks.

Michael



Re: whitelist for single reject

Viktor Dukhovni
In reply to this post by Michael Fox


> On Dec 29, 2018, at 7:19 PM, Michael Fox <[hidden email]> wrote:
>
> ${config_directory}/reject1_map
> # These hosts are whitelisted from this test only
> 192.0.2.1 OK
> 192.0.2.2 OK
> # Everyone else gets this test
> 0.0.0.0/0 reject1

To make "from this test only", it would have to be "DUNNO",
rather than "OK" for the first two rules.

--
        Viktor.


RE: whitelist for single reject

Michael Fox
> > ${config_directory}/reject1_map
> > # These hosts are whitelisted from this test only
> > 192.0.2.1 OK
> > 192.0.2.2 OK
> > # Everyone else gets this test
> > 0.0.0.0/0 reject1
>
> To make "from this test only", it would have to be "DUNNO",
> rather than "OK" for the first two rules.
>
> --
> Viktor.

OK.  I wondered about that.  Thanks much!

Michael