Re: Relay access denied to local IPv6 client

2018-02-23 Thread Bill Cole

On 23 Feb 2018, at 3:49, Nikolaos Milas wrote:


Hello,

We are using Postfix v3.2.4 and we are facing the following problem: 
A client (a data storage system) with an IPv6 address of 
[2001:648:2011:a21:320e:d5ff:fec6:b55] tries to send an (autosupport) 
email and it's being denied access:


Feb 23 06:22:17 vmail2 postfix/smtpd[16146]: NOQUEUE: reject: RCPT 
from unknown[2001:648:2011:a21:320e:d5ff:fec6:b55]: 554 5.7.1 
: Relay access denied; 
from= to= 
proto=SMTP helo=


The whole /48 IPv6 address block is included in mynetworks: ..., 
[2001:648:2011::]/48, ...


The client does not support TLS or authentication. For such clients we 
provide explicit permission:


smtpd_client_restrictions =
  ...
  check_client_access cidr:/etc/postfix/non-tls-clients.cidr
  permit_sasl_authenticated
  reject

where /etc/postfix/non-tls-clients.cidr:

   ...
   [2001:648:2011:a21:320e:d5ff:fec6:b55]   OK
   ...

Please, be kind to help me understand what is causing this client 
rejection and correct my postfix configuration.


postconf -n follows:

[...]
smtpd_client_restrictions = check_client_access cidr:/etc/postfix/localhost.cidr check_client_access cidr:/etc/postfix/gwservers.cidr check_client_access cidr:/etc/postfix/non-tls-clients.cidr permit_sasl_authenticated reject

[...]
smtpd_recipient_restrictions = check_recipient_access hash:/etc/postfix/protected_destinations permit_sasl_authenticated reject_unverified_recipient reject_unauth_destination


The restriction lists in Postfix are run in a fixed logical order 
(client, helo, sender, relay, recipient, data, end_of_data) and 'OK' 
from an early restriction list (smtpd_client_restrictions) *DOES NOT* 
prevent 'REJECT' by a later restriction list 
(smtpd_recipient_restrictions). OK only terminates a single restriction 
list, not the whole set of lists, so in this case the transaction is 
exiting the smtpd_client_restrictions list with OK at 
"check_client_access cidr:/etc/postfix/non-tls-clients.cidr" but it 
still must pass through smtpd_recipient_restrictions, where it is 
rejected by "reject_unauth_destination" because you are not the final 
destination for the recipient domain nor do you have the recipient 
domain in $relay_domains.


See the SMTPD_ACCESS_README file for complete details.
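To make the evaluation order above concrete, here is a small model of how smtpd walks its restriction lists, fed with the values from the posted postconf -n and cidr table. This is an added illustration and not Postfix code or the poster's configuration: the recipient address is a constructed placeholder (the real one is elided in the log), the protected_destinations table and the recipient verification probe are modelled as returning DUNNO, and smtpd_relay_restrictions, which does not appear in the posted postconf -n, is taken to have its Postfix 3.x default. The second run shows the effect of adding permit_mynetworks ahead of reject_unauth_destination in smtpd_recipient_restrictions.

```python
"""Model of how Postfix smtpd walks its restriction lists, applied to the
configuration posted in this thread.  Added example, not Postfix code."""
import ipaddress

# Values copied from the posted postconf -n and cidr table.
MYNETWORKS = ("195.251.204.0/24, 195.251.202.0/23, 194.177.194.0/23, 127.0.0.0/8, "
              "10.201.0.0/16, [2001:648:2011::]/48, 83.212.5.24/29, "
              "[2001:648:2ffc:1115::]/64, 62.217.124.0/29, [2001:648:2ffc:126::]/64, "
              "[::1]/128")
# mydestination = $myhostname, localhost.$mydomain, localhost; relay_domains = $mydestination
MYDESTINATION = {"vmail2.noa.gr", "localhost.noa.gr", "localhost"}
RELAY_DOMAINS = set(MYDESTINATION)
NON_TLS_CLIENTS_CIDR = "[2001:648:2011:a21:320e:d5ff:fec6:b55]   OK\n"
CLIENT_IP = "2001:648:2011:a21:320e:d5ff:fec6:b55"
# The recipient is constructed: the real address is elided in the posted log line.
SESSION = {"client": CLIENT_IP, "sasl_authenticated": False,
           "recipient": "autosupport@vendor.example"}


def parse_networks(text):
    """Parse comma/space separated addr[/len] items, accepting the
    [addr]/len form that mynetworks uses for IPv6."""
    return [ipaddress.ip_network(item.replace("[", "").replace("]", ""), strict=False)
            for item in text.replace(",", " ").split()]


def in_networks(nets, addr):
    ip = ipaddress.ip_address(addr)
    return any(ip.version == net.version and ip in net for net in nets)


def parse_cidr_table(text):
    """cidr: table body -> [(network, RESULT)], searched in listed order."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            pattern, result = line.split(None, 1)
            rules.append((parse_networks(pattern)[0], result.strip().upper()))
    return rules


# Each restriction is (name, function(session) -> "OK" | "REJECT" | "DEFER" | "DUNNO").
def check_client_access(table_text):
    rules = parse_cidr_table(table_text)
    def lookup(s):
        for net, result in rules:
            if in_networks([net], s["client"]):
                return result
        return "DUNNO"
    return "check_client_access", lookup

def permit_mynetworks():
    nets = parse_networks(MYNETWORKS)
    return "permit_mynetworks", lambda s: "OK" if in_networks(nets, s["client"]) else "DUNNO"

def permit_sasl_authenticated():
    return "permit_sasl_authenticated", lambda s: "OK" if s["sasl_authenticated"] else "DUNNO"

def unauth_destination(verdict):
    """reject_/defer_unauth_destination: fire unless the recipient domain is
    one this server is final destination or relay for."""
    def check(s):
        domain = s["recipient"].rsplit("@", 1)[-1].lower()
        return "DUNNO" if domain in MYDESTINATION | RELAY_DOMAINS else verdict
    return verdict.lower() + "_unauth_destination", check

def always(result):
    return result.lower(), lambda s: result


def build_lists(permit_mynetworks_in_recipient_list):
    recipient = [("check_recipient_access", lambda s: "DUNNO"),    # protected_destinations not shown; assume no match
                 permit_sasl_authenticated(),
                 ("reject_unverified_recipient", lambda s: "DUNNO")]  # assume the address probe succeeds
    if permit_mynetworks_in_recipient_list:
        recipient.append(permit_mynetworks())
    recipient.append(unauth_destination("REJECT"))
    return [
        ("smtpd_client_restrictions",
         [check_client_access(NON_TLS_CLIENTS_CIDR), permit_sasl_authenticated(), always("REJECT")]),
        # Not in the posted postconf -n, so the Postfix 3.x default is assumed.
        ("smtpd_relay_restrictions",
         [permit_mynetworks(), permit_sasl_authenticated(), unauth_destination("DEFER")]),
        ("smtpd_recipient_restrictions", recipient),
    ]


def evaluate(lists, session):
    """OK ends only the current list; REJECT/DEFER end the whole evaluation;
    DUNNO moves on to the next restriction in the same list."""
    trace = []
    for list_name, restrictions in lists:
        for name, fn in restrictions:
            result = fn(session)
            trace.append(f"{list_name}: {name} -> {result}")
            if result in ("REJECT", "DEFER"):
                return result, trace
            if result == "OK":
                break
    return "OK", trace


if __name__ == "__main__":
    for fixed in (False, True):
        verdict, trace = evaluate(build_lists(fixed), SESSION)
        print("with permit_mynetworks in recipient list:" if fixed else "as posted:", verdict)
        print("  " + "\n  ".join(trace))
```

Running it prints the trace: the client list ends with OK at check_client_access, the (default) relay list ends with OK at permit_mynetworks, and the recipient list still reaches reject_unauth_destination because nothing in that list permits the client; with permit_mynetworks added to the recipient list the client's /48 match ends that list with OK as well.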



Re: Restricting submission to legitimate account name only

2018-02-23 Thread Viktor Dukhovni


> On Feb 23, 2018, at 12:07 PM, Alex  wrote:
> 
> indexed = ${default_database_type}:${config_directory}/
> smtpd_restriction_classes = enforce_login
> enforce_login =
>   reject_authenticated_sender_login_mismatch,
>   permit_sasl_authenticated,
>   reject
> smtpd_sender_restrictions =
>   check_sasl_access ${indexed}sasl-access
> 
> sasl-access:
> user44406  enforce_login
> 
> Feb 23 11:57:51 email01 postfix/submission/smtpd[1563]: NOQUEUE:
> reject: RCPT from
> 104-0-120-163.lightspeed.hstntx.sbcglobal.net[104.0.120.163]: 553
> 5.7.1 : Sender address rejected: not owned
> by user user44406; from=
> to= proto=ESMTP helo=

What do you have in smtpd_sender_login_maps?  For the above to work, you
also of course need:

   main.cf:
smtpd_sender_login_maps = ${indexed}sender-login

   sender-login:
user44...@sub.example.com user44406

-- 
Viktor.
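As an added illustration (not Postfix code and not any poster's configuration), here is a model of what the enforce_login class does once smtpd_sender_login_maps is in place, run against constructed tables. The sender-address search order it uses (user@domain, then user, then @domain) is the one postconf(5) documents for this parameter and is an assumption of the model; the last case shows why the sasl-access key must match the SASL login name exactly as Postfix sees it.

```python
"""Model of check_sasl_access plus reject_authenticated_sender_login_mismatch
as configured in this thread.  Added example, not Postfix code; the tables
and addresses below are constructed."""


def parse_table(text):
    """'key value' lines of a hash: table; keys are case-folded."""
    table = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            key, value = line.split(None, 1)
            table[key.lower()] = value.strip()
    return table


def lookup_owners(sender_login_map, sender):
    """Owners of an envelope sender per smtpd_sender_login_maps.  Assumed
    search order: user@domain, then user, then @domain."""
    addr = sender.lower()
    local, _, domain = addr.rpartition("@")
    for key in (addr, local, "@" + domain):
        if key in sender_login_map:
            return set(sender_login_map[key].replace(",", " ").split())
    return None


def sender_login_mismatch(sasl_login, sender, sender_login_map):
    """reject_authenticated_sender_login_mismatch for a logged-in client:
    REJECT when the sender has no owner at all, or when the login is not
    one of its owners."""
    if sasl_login is None:
        return "DUNNO", "not authenticated; restriction does not apply"
    owners = lookup_owners(sender_login_map, sender)
    if not owners or sasl_login.lower() not in {o.lower() for o in owners}:
        return "REJECT", f"Sender address rejected: not owned by user {sasl_login}"
    return "DUNNO", "sender owned by login"


def evaluate_sender(sasl_login, sender, sasl_access, sender_login_map):
    """smtpd_sender_restrictions = check_sasl_access sasl-access, where the
    enforce_login class is: reject_authenticated_sender_login_mismatch,
    permit_sasl_authenticated, reject.  The sasl-access lookup key is the
    SASL login name as Postfix sees it, which may be user@realm."""
    if sasl_login is None or sasl_access.get(sasl_login.lower()) != "enforce_login":
        return "DUNNO", "no sasl-access entry for this login; class not applied"
    result, reason = sender_login_mismatch(sasl_login, sender, sender_login_map)
    if result == "REJECT":
        return result, reason
    return "OK", "permit_sasl_authenticated"


# Constructed tables.  sasl-access is keyed by login name; sender-login maps
# sender addresses (or @domain) to the logins that own them.
SASL_ACCESS = parse_table("alice  enforce_login\n")
NO_SENDER_LOGIN_MAP = parse_table("")     # smtpd_sender_login_maps left unset
SENDER_LOGIN_MAP = parse_table("""
alice@example.com        alice
@marketing.example       alice, bob
""")

if __name__ == "__main__":
    cases = [("alice", "alice@example.com", NO_SENDER_LOGIN_MAP),
             ("alice", "alice@example.com", SENDER_LOGIN_MAP),
             ("alice", "someone.else@example.com", SENDER_LOGIN_MAP),
             ("alice", "news@marketing.example", SENDER_LOGIN_MAP),
             ("bob", "news@marketing.example", SENDER_LOGIN_MAP),
             ("alice@example.com", "alice@example.com", SENDER_LOGIN_MAP)]
    for login, sender, table in cases:
        print(f"{login:20} {sender:28} -> {evaluate_sender(login, sender, SASL_ACCESS, table)}")
```

With the sender-login map empty, alice is rejected for her own address, the same "not owned by user" outcome as in the quoted log; with an owner entry she is accepted, a foreign address is rejected, and a login that has no sasl-access entry (bob, or alice logging in as alice@example.com) never enters the class at all.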



Re: Restricting submission to legitimate account name only

2018-02-23 Thread Alex
Hi,

On Mon, Feb 19, 2018 at 1:31 PM, Viktor Dukhovni wrote:
>> On Feb 19, 2018, at 11:35 AM, Alex  wrote:
>> In other words, if the sasl_username is alice, I'd like to restrict
>> the envelope sender and From address to only legitimate accounts
>> belonging to that sasl user.
>
> If the account is compromised, you really should deny access until
> the password is changed.  That said, you can use:

Yes, we've locked the accounts and are investigating the infected PC
that caused this.

However, I'm still having a problem with the changes you've suggested:

>  main.cf:
>indexed = ${default_database_type}:${config_directory}/
>smtpd_restriction_classes = enforce_login
>enforce_login =
> reject_authenticated_sender_login_mismatch,
> permit_sasl_authenticated,
> reject
>smtpd_sender_restrictions =
> check_sasl_access ${indexed}sasl-access
>
>  sasl-access:
># The lookup key is the SASL login name, which may be "user@realm",
># rather than just "user", specify accordingly.
>#
>alice   enforce_login

indexed = ${default_database_type}:${config_directory}/
smtpd_restriction_classes = enforce_login
enforce_login =
   reject_authenticated_sender_login_mismatch,
   permit_sasl_authenticated,
   reject
smtpd_sender_restrictions =
   check_sasl_access ${indexed}sasl-access

sasl-access:
user44406  enforce_login

Feb 23 11:57:51 email01 postfix/submission/smtpd[1563]: NOQUEUE:
reject: RCPT from
104-0-120-163.lightspeed.hstntx.sbcglobal.net[104.0.120.163]: 553
5.7.1 : Sender address rejected: not owned
by user user44406; from=
to= proto=ESMTP helo=

I've also tried user44...@sub.example.com, and while it doesn't reject
the sender, it also doesn't block users from being able to send mail
from accounts other than their own. These are non-existent accounts:

From: "mistybarry" 
To: "abrennan" 

I'm not sure what other details I can provide to help here.

Thanks,
Alex


Re: Relay access denied to local IPv6 client

2018-02-23 Thread Wietse Venema
Nikolaos Milas:
> Hello,
> 
> We are using Postfix v3.2.4 and we are facing the following problem: 
> A client (a data storage system) with an IPv6 address of 
> [2001:648:2011:a21:320e:d5ff:fec6:b55] tries to send an (autosupport) 
> email and it's being denied access:
> 
> Feb 23 06:22:17 vmail2 postfix/smtpd[16146]: NOQUEUE: reject: RCPT from 
> unknown[2001:648:2011:a21:320e:d5ff:fec6:b55]: 554 5.7.1 
> : Relay access denied; 
> from= to= 
> proto=SMTP helo=
> 
> The whole /48 IPv6 address block is included in mynetworks: ..., 
> [2001:648:2011::]/48, ...
> 
> The client does not support TLS or authentication. For such clients we 
> provide explicit permission:
> 
> smtpd_client_restrictions =
>   ...
>   check_client_access cidr:/etc/postfix/non-tls-clients.cidr
>   permit_sasl_authenticated
>   reject

Relay access is enforced in smtpd_RELAY_restrictions (or historically,
in smtpd_RECIPIENT_restrictions).

Wietse


Re: Relay access denied to local IPv6 client

2018-02-23 Thread Jörg Backschues

On 23.02.2018 at 09:49, Nikolaos Milas wrote:


where /etc/postfix/non-tls-clients.cidr:

    ...
    [2001:648:2011:a21:320e:d5ff:fec6:b55]   OK
    ...


Please check the CIDR table syntax:


e.g.

2001:db8::/32   REJECT

--
Regards
Jörg Backschues


Relay access denied to local IPv6 client

2018-02-23 Thread Nikolaos Milas

Hello,

We are using Postfix v3.2.4 and we are facing the following problem: 
A client (a data storage system) with an IPv6 address of 
[2001:648:2011:a21:320e:d5ff:fec6:b55] tries to send an (autosupport) 
email and it's being denied access:


Feb 23 06:22:17 vmail2 postfix/smtpd[16146]: NOQUEUE: reject: RCPT from 
unknown[2001:648:2011:a21:320e:d5ff:fec6:b55]: 554 5.7.1 
: Relay access denied; 
from= to= 
proto=SMTP helo=


The whole /48 IPv6 address block is included in mynetworks: ..., 
[2001:648:2011::]/48, ...


The client does not support TLS or authentication. For such clients we 
provide explicit permission:


smtpd_client_restrictions =
  ...
  check_client_access cidr:/etc/postfix/non-tls-clients.cidr
  permit_sasl_authenticated
  reject

where /etc/postfix/non-tls-clients.cidr:

   ...
   [2001:648:2011:a21:320e:d5ff:fec6:b55]   OK
   ...

Please, be kind to help me understand what is causing this client 
rejection and correct my postfix configuration.


postconf -n follows:

# postconf -n
alias_database = hash:/etc/postfix/aliases, hash:/etc/postfix/aliases.d/virtual_aliases
alias_maps = hash:/etc/aliases
allowed_list1 = check_sasl_access hash:/etc/postfix/allowed_groupmail_users,reject
allowed_list2 = permit_sasl_authenticated,reject
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
controlled_senders = check_sender_access hash:/etc/postfix/blocked_senders
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin xxgdb $daemon_directory/$process_name $process_id & sleep 5
default_process_limit = 25
delay_logging_resolution_limit = 3
deliver_lock_attempts = 40
gwcheck = reject_unverified_recipient, reject_unauth_destination
home_mailbox = Maildir/
html_directory = no
inet_interfaces = all
inet_protocols = ipv4, ipv6
local_header_rewrite_clients = static:all
mail_name = IC-XC-NI-KA
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
message_size_limit = 41943040
meta_directory = /etc/postfix
milter_default_action = accept
mydestination = $myhostname, localhost.$mydomain, localhost
mydomain = noa.gr
myhostname = vmail2.noa.gr
mynetworks = 195.251.204.0/24, 195.251.202.0/23, 194.177.194.0/23, 127.0.0.0/8, 10.201.0.0/16, [2001:648:2011::]/48, 83.212.5.24/29, [2001:648:2ffc:1115::]/64, 62.217.124.0/29, [2001:648:2ffc:126::]/64, [::1]/128
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
non_smtpd_milters = $smtpd_milters
parent_domain_matches_subdomains =
postfwdcheck = check_policy_service inet:127.0.0.1:10040
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix3-3.2.4/README_FILES
recipient_canonical_maps = hash:/etc/postfix/domainrecipientmap
relay_domains = $mydestination
sample_directory = /usr/share/doc/postfix3-3.2.4/samples
sender_canonical_maps = hash:/etc/postfix/domainsendermap
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
shlib_directory = /usr/lib/postfix
smtp_tls_exclude_ciphers = MD5, aDSS, kECDH, kDH, SEED, IDEA, RC2, RC5
smtp_tls_security_level = may
smtpd_client_restrictions = check_client_access cidr:/etc/postfix/localhost.cidr check_client_access cidr:/etc/postfix/gwservers.cidr check_client_access cidr:/etc/postfix/non-tls-clients.cidr permit_sasl_authenticated reject
smtpd_delay_reject = yes
smtpd_end_of_data_restrictions = check_client_access cidr:/etc/postfix/postfwdpolicy.cidr
smtpd_milters = inet:127.0.0.1:8891
smtpd_recipient_restrictions = check_recipient_access hash:/etc/postfix/protected_destinations permit_sasl_authenticated reject_unverified_recipient reject_unauth_destination
smtpd_restriction_classes = controlled_senders,allowed_list1,allowed_list2, postfwdcheck,gwcheck
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = /var/spool/postfix/private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_tls_CAfile = /etc/pki/tls/certs/DigiCertCA.crt
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/pki/tls/certs/star_noa_gr-1243437.crt
smtpd_tls_key_file = /etc/pki/tls/private/star_noa_gr-1243437.key
smtpd_tls_loglevel = 1
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
tls_preempt_cipherlist = yes
tls_random_source = dev:/dev/urandom
transport_maps = hash:/etc/postfix/transport
unknown_local_recipient_reject_code = 550
unverified_recipient_reject_code = 550
virtual_alias_maps = hash:/etc/postfix/aliases, hash:/etc/postfix/aliases.d/virtual_aliases, proxy:ldap:/etc/postfix/ldap-alias-vacation.cf, proxy:ldap:/etc/postfix/ldap-aliases.cf
virtual_gid_maps = static:500
virtual_mailbox_base = /home/vmail/
virtual_mailbox_domains = $mydomain, space.$mydomain,