On 11/15/2019 11:58 AM, Robert Senger wrote:
Hi all,

I am having some trouble with filtering incoming mail. First, I do not
understand certain "access denied" actions. Second, I cannot get
filtering by sender domain to work correctly.

Relevant configuration snippets see below.

1. "access denied" actions

In the logs, I see several messages like these:

Nov 13 11:04:43 prokyon postfix/smtpd[30195]: connect from s1.namares.eu[93.189.46.48]
Nov 13 11:04:44 prokyon postfix/smtpd[30195]: NOQUEUE: reject: RCPT from s1.namares.eu[93.189.46.48]: 554 5.7.1 <rob....@microscopium.de>: Recipient address rejected: Access denied; from=<u...@namares.eu> to=<rob....@microscopium.de> proto=ESMTP helo=<mail.namares.eu>
Nov 13 11:04:44 prokyon postfix/smtpd[30195]: disconnect from s1.namares.eu[93.189.46.48] ehlo=1 mail=1 rcpt=0/1 data=0/1 rset=1 quit=1 commands=4/6

Postfix immediately says "access denied". I see these lines for a small
number of domains, and only these three lines, nothing else. There's no
reason logged, as it is if other filtering options trigger (e.g. "Helo
command rejected: need fully-qualified hostname"). So, what is going on
here? None of the affected domains is listed in any access restrictions
file/db. At least one important domain (a big business social network,
popular in Germany) is affected and this is a problem for us.

Looks like this is a REJECT in a check_recipient_access table.
Access denied; is a reject from a smtpd access table. Recipient address rejected; tells us it's a check_recipient_access table.



2. Filtering by sender domain not working

I am trying to reject emails coming in from certain domains (e.g.
.sxxt.de, see below), but I can't get it to work. I've put the domains
into sender_access and recipient_access files, ran postmap, but emails
still go through.


With the default setting of parent_domain_matches_subdomains, all you need is
sxxxt.de  REJECT blacklisted


If you've removed smtpd_access_maps from parent_domain_matches_subdomains, then use
.sxxxt.de  REJECT blacklisted

See:
http://www.postfix.org/postconf.5.html#parent_domain_matches_subdomains

I already tried to put sender_access and recipient_access into
smtpd_sender_restrictions and smtpd_recipient_restrictions in different
combinations/order, but no luck. I never see "550" in the logs. Why?

Thanks for help.

Robert


Access restrictions:

root@prokyon:/etc/postfix# cat sender_access
newslet...@info.sxxt.de         550 Blacklisted
info.sxxt.de                    550 Blacklisted
i...@e.sxxt.de                  550 Blacklisted
e.sxxt.de                       550 Blacklisted

I would strongly recommend using REJECT instead of an explicit 5xx code in access maps to prevent accidents. If the intention is to differentiate log lines, add a comment after the REJECT. See the "Accept Actions" section of:
http://www.postfix.org/access.5.html


root@prokyon:/etc/postfix# cat sender_access
newslet...@info.sxxt.de         550 Blacklisted

root@prokyon:/etc/postfix# cat client_access
debian.org OK

root@prokyon:/etc/postfix# cat helo_access
maxx.maxx.shmoo.com OK

Be aware that whitelisting by helo name is insecure. Helo names are easily and frequently forged.




Smtp configuration:

master.cf (snippet):

Is there some good reason you've put all this in master.cf instead of main.cf like everyone else? This can make postfix harder to debug by having (possibly conflicting) settings in multiple files.

Check what postfix sees by using "postconf -nf" and "postconf -Mf"



smtp       inet n       -       n       -       -       smtpd
   -o smtpd_tls_security_level=may
   -o smtpd_sasl_auth_enable=no
   -o { smtpd_client_restrictions    = check_client_access hash:/etc/postfix/client_access,
                                       reject_unknown_client_hostname,
                                       reject_unauth_pipelining,
                                       permit }
   -o { smtpd_helo_restrictions      = check_helo_access hash:/etc/postfix/helo_access,
                                       reject_invalid_helo_hostname,
                                       reject_non_fqdn_helo_hostname,
                                       reject_unknown_helo_hostname,
                                       reject_unauth_pipelining,
                                       permit }
   -o { smtpd_sender_restrictions    = reject_unknown_sender_domain,
                                       reject_non_fqdn_sender,
                                       permit }
   -o { smtpd_relay_restrictions     = reject_unauth_destination,
                                       reject_unauth_pipelining,
                                       permit }
   -o { smtpd_recipient_restrictions = reject_unauth_destination,
                                       reject_unauth_pipelining,
                                       check_sender_access hash:/etc/postfix/sender_access,
                                       check_recipient_access hash:/etc/postfix/recipient_access,
                                       check_policy_service unix:/var/run/postgrey/postgrey.sock,
                                       check_policy_service unix:private/policy-spf,
                                       permit }
   -o { milter_macro_daemon_name = ORIGINATING }
   -o { smtpd_milters = unix:/var/run/opendkim/opendkim.sock,
                        unix:/var/run/opendmarc/opendmarc.sock,
                        unix:/var/run/clamav/clamav-milter.ctl,
                        unix:/var/run/spamass/spamass.sock }






  -- Noel Jones
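
A simplified model of the access(5) key lookup order behind the parent_domain_matches_subdomains advice above, added here as an illustration; it is not code from this thread or from Postfix. The local part "news", the function names and the sample tables are constructed, and address extensions and non-indexed table types (regexp, cidr) are not modelled.

```python
# Simplified model of how Postfix builds lookup keys for an email address in
# check_sender_access / check_recipient_access tables (see access(5)).
# Illustration only: not Postfix code, address extensions are ignored.

def lookup_keys(address, parent_matches_subdomains=True):
    """Return the table keys tried for an address, in lookup order."""
    local, _, domain = address.lower().rpartition("@")
    keys = [f"{local}@{domain}", domain]
    labels = domain.split(".")
    # Walk up the parent domains: info.sxxt.de -> sxxt.de -> de
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        # smtpd_access_maps listed in parent_domain_matches_subdomains
        # (the default): the bare parent is tried. Otherwise ".parent".
        keys.append(parent if parent_matches_subdomains else "." + parent)
    keys.append(f"{local}@")
    return keys


def evaluate(table, address, parent_matches_subdomains=True):
    """Return (matching key, action), or (None, None) when nothing matches
    and Postfix would move on to the next restriction."""
    for key in lookup_keys(address, parent_matches_subdomains):
        if key in table:
            return key, table[key]
    return None, None


# Constructed tables using the two spellings suggested in the reply.
TABLE_BARE = {"sxxt.de": "REJECT blacklisted"}
TABLE_DOT = {".sxxt.de": "REJECT blacklisted"}

if __name__ == "__main__":
    for name, table in (("bare", TABLE_BARE), ("dot", TABLE_DOT)):
        for default in (True, False):
            for addr in ("news@info.sxxt.de", "news@sxxt.de"):
                print(name, default, addr, evaluate(table, addr, default))
```

On a live system the equivalent check is to query the map directly with postmap -q for each key listed by lookup_keys and confirm which one returns the action.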
