On Mon, 13 Jan 2020 at 18:44, Viktor Dukhovni
<postfix-us...@dukhovni.org> wrote:
>
> On Mon, Jan 13, 2020 at 06:25:27PM +0100, Simon B wrote:
>
> > > > >> >Since upgrading to 2.11 yesterday (yes, I am on a path to move up
> > > > >> >through debian versions), all mail coming in on
> > > > >> >postfix/submission/smtpd is being rejected by the domain check in that
> > > > >> >file, even though the user is sasl authenticated.
>
> Note, Postfix 2.11 (actually 2.10 IIRC) adds "smtpd_relay_restrictions",
> which you don't override in the submission service definition:

Cause and effect in one simple sentence - thanks Viktor!

> > submission inet n       -       n       -       -       smtpd
> >    -o syslog_name=postfix/submission
> >    -o smtpd_delay_reject=yes
> > #   -o receive_override_options=no_address_mappings
> >    -o always_add_missing_headers=yes
> >    -o content_filter=dksign:[127.0.0.1]:10028
> >    -o smtpd_enforce_tls=yes
> >    -o smtpd_sasl_auth_enable=yes
> >    -o smtpd_tls_security_level=encrypt
> >    -o smtpd_tls_auth_only=yes
> >    -o smtpd_recipient_restrictions=reject_non_fqdn_sender,reject_non_fqdn_recipient,permit_sasl_authenticated,reject
>
> But you also don't override, "smtpd_helo_restrictions", ...

Thanks for the additional hint.

> The boilerplate commented submission service in recent upstream Postfix
> master.cf files reads:
>
>     #submission inet n       -       n       -       -       smtpd
>     #  -o syslog_name=postfix/submission
>     #  -o smtpd_tls_security_level=encrypt
>     #  -o smtpd_sasl_auth_enable=yes
>     #  -o smtpd_tls_auth_only=yes
>     #  -o smtpd_reject_unlisted_recipient=no
>     #  -o smtpd_client_restrictions=$mua_client_restrictions
>     #  -o smtpd_helo_restrictions=$mua_helo_restrictions
>     #  -o smtpd_sender_restrictions=$mua_sender_restrictions
>     #  -o smtpd_recipient_restrictions=
>     #  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
>     #  -o milter_macro_daemon_name=ORIGINATING
>
> Yours should look substantially similar (sans comments):

Now looks like this...

submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_auth_only=yes
  -o smtpd_enforce_tls=yes
  -o smtpd_delay_reject=yes
  -o always_add_missing_headers=yes
  -o content_filter=dksign:[127.0.0.1]:10028
  -o smtpd_reject_unlisted_recipient=no
  -o smtpd_recipient_restrictions=reject_non_fqdn_sender,reject_non_fqdn_recipient,permit_sasl_authenticated,reject
  -o smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject_plaintext_session,reject
  -o smtpd_helo_restrictions=permit_mynetworks,reject_invalid_helo_hostname
  -o smtpd_sender_restrictions=reject_non_fqdn_sender
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING

Which seems to have solved the problem - or at least just kicked it
down the road.  Now there's a slightly different format of the error
when receiving mail from the amavis filter...

Jan 15 11:39:31 mail postfix/smtpd[31588]: connect from localhost[127.0.0.1]
Jan 15 11:39:31 mail postfix/smtpd[31588]: NOQUEUE: reject: RCPT from localhost[127.0.0.1]: 554 5.7.1 <amavisd.example.net>: Helo command rejected: Host not found; from=<si...@example.net> to=<simo...@example.com> proto=ESMTP helo=<amavisd.example.net>
Jan 15 11:39:31 mail amavisd-new[2303]: (02303-14) smtp resp to RCPT (pip) (<simo...@example.com>): 554 5.7.1 <amavisd.example.net>: Helo command rejected: Host not found
Jan 15 11:39:31 mail amavisd-new[2303]: (02303-14) Negative SMTP resp. to DATA: 554 5.5.1 Error: no valid recipients
Jan 15 11:39:31 mail postfix/smtpd[31588]: disconnect from localhost[127.0.0.1]
Jan 15 11:39:31 mail amavisd-new[2303]: (02303-14) (!)kTBsiMtC7PPJ FWD from <si...@example.net> -> <simo...@example.com>, BODY=7BIT 554 5.7.1 from MTA(smtp:[127.0.0.1]:10025): 554 5.7.1 <amavisd.example.net>: Helo command rejected: Host not found
Jan 15 11:39:31 mail amavisd-new[2303]: (02303-14) Blocked MTA-BLOCKED {RejectedInbound}, [127.0.0.1] [217.110.53.130] <si...@example.net> -> <simo...@example.com>, Message-ID: <20200115113913.horde.vu0wmb4khzfc85v7hddg...@webmail.example.net>, mail_id: kTBsiMtC7PPJ, Hits: -5.2, size: 1093, 5595 ms
Jan 15 11:39:31 mail amavisd-new[2303]: (02303-14) TIMING-SA total 5466 ms - parse: 1.86 (0.0%), extract_message_metadata: 3.8 (0.1%), get_uri_detail_list: 0.31 (0.0%), tests_pri_-1000: 4.5 (0.1%), tests_pri_-950: 1.14 (0.0%), tests_pri_-900: 0.91 (0.0%), tests_pri_-400: 77 (1.4%), check_bayes: 76 (1.4%), b_tie_ro: 1.69 (0.0%), b_tokenize: 3.1 (0.1%), b_tok_get_all: 3.9 (0.1%), b_comp_prob: 1.50 (0.0%), b_tok_touch_all: 63 (1.2%), b_finish: 0.65 (0.0%), tests_pri_0: 5223 (95.6%), check_spf: 0.23 (0.0%), check_dkim_adsp: 3.3 (0.1%), check_dcc: 138 (2.5%), check_razor2: 5005 (91.6%), check_pyzor: 40 (0.7%), tests_pri_500: 3.1 (0.1%), learn: 141 (2.6%), b_learn: 140 (2.6%), b_tie_rw: 1.85 (0.0%), b_count_change: 99 (1.8%), get_report: 0.59 (0.0%)
Jan 15 11:39:31 mail amavisd-new[2303]: (02303-14) size: 1093, TIMING [total 5599 ms] - SMTP greeting: 2.0 (0%)0, SMTP EHLO: 0.8 (0%)0, SMTP pre-MAIL: 0.2 (0%)0, SMTP pre-DATA-flush: 2.8 (0%)0, SMTP DATA: 36 (1%)1, check_init: 0.5 (0%)1, digest_hdr: 1.2 (0%)1, digest_body_dkim: 0.2 (0%)1, collect_info: 3.8 (0%)1, mime_decode: 8 (0%)1, get-file-type1: 17 (0%)1, parts_decode: 0.3 (0%)1, check_header: 0.9 (0%)1, AV-scan-1: 3.5 (0%)1, spam-wb-list: 1.8 (0%)1, SA msg read: 0.6 (0%)1, SA parse: 2.9 (0%)1, SA check: 5461 (98%)99, decide_mail_destiny: 7 (0%)99, notif-quar: 0.4 (0%)99, fwd-connect: 30 (1%)100, fwd-mail-pip: 5 (0%)100, fwd-rcpt-pip: 0.3 (0%)100, fwd-data-chkpnt: 0.1 (0%)100, fwd-end-chkpnt: 1.0 (0%)100, prepare-dsn: 1.7 (0%)100, report: 1.3 (0%)100, main_log_entry: 4.6 (0%)100, update_snmp: 2.0 (0%)100, SMTP pre-response: 0.3 (0%)100, SMTP response: 0.2 (0%)100, unlink-1-files: 0.2 (0%)100, rundown: 0.6 (0%)100
Jan 15 11:39:31 mail postfix/smtp[31583]: 47yQMw5NBrz7L5SW: to=<simo...@example.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=12, delays=6.1/0.01/0/5.6, dsn=5.7.1, status=bounced (host 127.0.0.1[127.0.0.1] said: 554 5.7.1 id=02303-14 - Rejected by next-hop MTA on relaying, from MTA(smtp:[127.0.0.1]:10025): 554 5.7.1 <amavisd.example.net>: Helo command rejected: Host not found (in reply to end of DATA command))

Despite the fact that I changed those receiver settings in master.cf to:

# The amavis receiver
127.0.0.1:10025 inet n - - - - smtpd
        -o content_filter=
        -o local_recipient_maps=
        -o relay_recipient_maps=
        -o smtpd_restriction_classes=
        -o smtpd_client_restrictions=permit_mynetworks,reject_plaintext_session
        -o smtpd_helo_restrictions=permit_mynetworks
        -o smtpd_sender_restrictions=
        -o smtpd_recipient_restrictions=permit_mynetworks,reject
        -o mynetworks=127.0.0.0/8
        -o strict_rfc821_envelopes=yes
        -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
        -o smtp_bind_address=127.0.0.1

At the moment nothing is going through amavis in either direction, so
that's a problem...

Cheers.

Simon
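
Added example (not part of the original messages and not Postfix tooling): a small Python check for the point made in the quoted reply, that an smtpd service in master.cf takes every restriction list it does not override with -o from main.cf. The sample master.cf is constructed from the pre-fix entries quoted in the thread, and only the plain "-o name=value" form is assumed.

```python
# The five smtpd restriction lists a service can override per master.cf entry.
RESTRICTIONS = tuple(f"smtpd_{stage}_restrictions"
                     for stage in ("client", "helo", "sender", "relay", "recipient"))

# Constructed sample, modelled on the pre-fix entries quoted in the thread.
SAMPLE_MASTER_CF = """\
submission inet n       -       n       -       -       smtpd
   -o syslog_name=postfix/submission
#   -o receive_override_options=no_address_mappings
   -o smtpd_recipient_restrictions=reject_non_fqdn_sender,permit_sasl_authenticated,reject
127.0.0.1:10025 inet n - - - - smtpd
   -o smtpd_helo_restrictions=permit_mynetworks
   -o smtpd_recipient_restrictions=permit_mynetworks,reject
"""

def logical_lines(text):
    """Join master.cf continuation lines (leading whitespace) to their entry."""
    entry = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # blank and comment lines do not end an entry
        if raw[0].isspace() and entry:
            entry.append(raw.strip())
        else:
            if entry:
                yield " ".join(entry)
            entry = [raw.strip()]
    if entry:
        yield " ".join(entry)

def inherited_restrictions(text):
    """Map each smtpd service to the restriction lists it does NOT override."""
    report = {}
    for line in logical_lines(text):
        fields = line.split()
        if len(fields) < 8 or fields[7] != "smtpd":
            continue  # only smtpd listeners evaluate these lists
        args = fields[8:]
        overridden = {args[i + 1].split("=", 1)[0]
                      for i, arg in enumerate(args[:-1]) if arg == "-o"}
        report[fields[0]] = [p for p in RESTRICTIONS if p not in overridden]
    return report

if __name__ == "__main__":
    for service, params in inherited_restrictions(SAMPLE_MASTER_CF).items():
        print(f"{service}: inherits from main.cf -> {', '.join(params) or 'none'}")
```

An empty override such as "-o smtpd_sender_restrictions=" counts as overridden, since it replaces the main.cf value with an empty list.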
