RE: whitelist for single reject
> > ${config_directory}/reject1_map
> > # These hosts are whitelisted from this test only
> > 192.0.2.1 OK
> > 192.0.2.2 OK
> > # Everyone else gets this test
> > 0.0.0.0/0 reject1
>
> To make "from this test only", it would have to be "DUNNO",
> rather than "OK" for the first two rules.
>
> --
> Viktor.

OK. I wondered about that. Thanks much!

Michael
Re: whitelist for single reject
> On Dec 29, 2018, at 7:19 PM, Michael Fox wrote:
>
> ${config_directory}/reject1_map
> # These hosts are whitelisted from this test only
> 192.0.2.1 OK
> 192.0.2.2 OK
> # Everyone else gets this test
> 0.0.0.0/0 reject1

To make "from this test only", it would have to be "DUNNO",
rather than "OK" for the first two rules.

--
Viktor.
RE: whitelist for single reject
> > Suppose I have the following general case:
> >
> > /etc/postfix/whitelist1:
> >    OK
> >    OK
> >
> > /etc/postfix/whitelist2:
> >    OK
> >
> > How would I accomplish the following?
> >
> > smtpd_*_restrictions =
> >   . . .
> >   reject_[type1] . . . (except for hosts in whitelist1)
> >   reject_[type2] . . . (except for hosts in whitelist2)
>
> main.cf:
> smtpd_restriction_classes = whitelist1, whitelist2, unwhitelisted
> whitelist1 = reject_[type2]
> whitelist2 = reject_[type1]
> unwhitelisted = reject_[type1], reject_[type2]
>
> smtpd_*_restrictions =
>   check_client_access pcre:/etc/postfix/whitelisting
>   ... (NOT including reject_[type1] or reject_[type2])
>
> /etc/postfix/whitelisting:
> /^host_a$/ whitelist1
> /^host_b$/ whitelist1
> /^host_c$/ whitelist2
> /.*/ unwhitelisted

Ah. OK. I see what you're doing.

But, to make the logic more like

smtpd_*_restrictions =
  . . .
  reject_[type1] . . . (except for hosts in whitelist1)
  reject_[type2] . . . (except for hosts in whitelist2)

and to take into account Viktor's suggestion for CIDR tables, does this work?

${config_directory}/main.cf:
smtpd_restriction_classes = reject1, reject2
reject1 = reject_[type1]
reject2 = reject_[type2]

smtpd_*_restrictions =
  . . .
  check_client_access cidr:${config_directory}/reject1_map
  check_client_access cidr:${config_directory}/reject2_map
  . . .

${config_directory}/reject1_map
# These hosts are whitelisted from this test only
192.0.2.1 OK
192.0.2.2 OK
# Everyone else gets this test
0.0.0.0/0 reject1

${config_directory}/reject2_map
# These hosts are whitelisted from this test only
192.0.2.2 OK
192.0.2.3 OK
# Everyone else gets this test
0.0.0.0/0 reject2

So:
-- host 192.0.2.1 is exempted from the first test but must undergo the second test
-- host 192.0.2.2 is exempted from both tests
-- host 192.0.2.3 must undergo the first test but is exempted from the second test
-- all other hosts undergo both tests

Is that correct?
> The reason I'm specifying 'whitelisting' map as pcre type instead of
> hash is that I don't think there's any way to make a hash map default to
> a restriction class or restriction list. One way to read the access(5)
> man page implies that '.' would match any hostname not matched, but I
> have not tried that.

OK. Understood.

Michael
RE: whitelist for single reject
> Since hostname based whitelists are fragile in the face of transient
> DNS failures, and many users struggle with regular expression correctness.
> A CIDR map is more appropriate here:
> Viktor.

Excellent. Thanks.

Michael
Re: whitelist for single reject
Michael Fox:
> > > What I'd like to do is have a whitelist apply to only a specific reject.
> >
> > You could use an access table to look up per-recipient rules.
> > See http://www.postfix.org/RESTRICTION_CLASS_README.html for an
> > example.
>
> Hmmm. I read that. I don't see how it applies to this case. Can you give
> me an example?

    recipient1    restrictions for recipient 1
    recipient2    restrictions for recipient 2

Wietse
Re: whitelist for single reject
> On Dec 27, 2018, at 12:31 AM, Bill Cole wrote:
>
> main.cf:
> smtpd_restriction_classes = whitelist1, whitelist2, unwhitelisted
> whitelist1 = reject_[type2]
> whitelist2 = reject_[type1]
> unwhitelisted = reject_[type1], reject_[type2]
>
> smtpd_*_restrictions =
>   check_client_access pcre:/etc/postfix/whitelisting
>   ... (NOT including reject_[type1] or reject_[type2])
>
> /etc/postfix/whitelisting:
> /^host_a$/ whitelist1
> /^host_b$/ whitelist1
> /^host_c$/ whitelist2
> /.*/ unwhitelisted

Since hostname-based whitelists are fragile in the face of transient
DNS failures, and many users struggle with regular expression correctness,
a CIDR map is more appropriate here:

    192.0.2.1   whitelist1
    192.0.2.2   whitelist2
    0.0.0.0/0   unwhitelisted

    check_client_access cidr:${config_directory}/wlist.cidr

--
Viktor.
Re: whitelist for single reject
On 26 Dec 2018, at 22:35, Michael Fox wrote:

> > > What I'd like to do is have a whitelist apply to only a specific reject.
> >
> > You could use an access table to look up per-recipient rules.
> > See http://www.postfix.org/RESTRICTION_CLASS_README.html for an example.
>
> Hmmm. I read that. I don't see how it applies to this case.

That's because the logic for doing it in Postfix is the reverse of what you're asking for. It still works, however.

> Can you give me an example?
>
> Suppose I have the following general case:
>
> /etc/postfix/whitelist1:
>    OK
>    OK
>
> /etc/postfix/whitelist2:
>    OK
>
> How would I accomplish the following?
>
> smtpd_*_restrictions =
>   . . .
>   reject_[type1] . . . (except for hosts in whitelist1)
>   reject_[type2] . . . (except for hosts in whitelist2)

main.cf:
smtpd_restriction_classes = whitelist1, whitelist2, unwhitelisted
whitelist1 = reject_[type2]
whitelist2 = reject_[type1]
unwhitelisted = reject_[type1], reject_[type2]

smtpd_*_restrictions =
  check_client_access pcre:/etc/postfix/whitelisting
  ... (NOT including reject_[type1] or reject_[type2])

/etc/postfix/whitelisting:
/^host_a$/ whitelist1
/^host_b$/ whitelist1
/^host_c$/ whitelist2
/.*/ unwhitelisted

The reason I'm specifying 'whitelisting' map as pcre type instead of hash is that I don't think there's any way to make a hash map default to a restriction class or restriction list. One way to read the access(5) man page implies that '.' would match any hostname not matched, but I have not tried that.

--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Available For Hire: https://linkedin.com/in/billcole
RE: whitelist for single reject
> In addition to defining alternative restriction lists and classes as
> Wietse noted, you can keep all of your restrictions in the standard
> smtpd_*_restrictions lists if you prefer and can accept the limitation
> of having each type of whitelisting applied to a trailing sublist of
> restrictions.

Thanks Bill. But the situation is not "nested" as your example showed. I just posted a follow-up to Wietse's response. Perhaps that will be more clear.

Michael
Re: whitelist for single reject
On 24 Dec 2018, at 12:40, Michael Fox wrote:

> I'm pretty sure I've seen this documented somewhere, but I can't find it.

In addition to defining alternative restriction lists and classes as Wietse noted, you can keep all of your restrictions in the standard smtpd_*_restrictions lists if you prefer and can accept the limitation of having each type of whitelisting applied to a trailing sublist of restrictions. This method is implicit in the documentation of the various smtpd_*_restrictions lists, but I don't think it is described explicitly anywhere.

> What I'd like to do is have a whitelist apply to only a specific reject.
> [...]
> But suppose each reject_... test needs different whitelists? Is there a way to do that?

You can do that by defining restriction lists and classes as in http://www.postfix.org/RESTRICTION_CLASS_README.html or you can get close to it without a myriad of special lists by using the fact that directives in a restriction list are ordered, and you can have as many check_*_access maps as you like, ordered amongst the reject_* directives however you like. So this sort of thing would work, although it's a bit more than I expect anyone would need:

smtpd_recipient_restrictions =
    permit_mynetworks,
    check_recipient_access hash:/etc/postfix/protect_from_all,
    reject_[some_rule_1],
    check_recipient_access hash:/etc/postfix/protect_from_2-n,
    check_client_access hash:/etc/postfix/protect_from_2-n,
    reject_[some_rule_2],
    check_recipient_access hash:/etc/postfix/protect_from_3-n,
    check_sender_access hash:/etc/postfix/protect_from_3-n,
    reject_[some_rule_3],
    [...]
    check_recipient_access hash:/etc/postfix/protect_from_n,
    check_client_access hash:/etc/postfix/protect_from_n,
    check_sender_access hash:/etc/postfix/protect_from_n,
    reject_[some_rule_n],
    permit

--
Bill Cole
Re: whitelist for single reject
Michael Fox:
> I'm pretty sure I've seen this documented somewhere, but I can't find it.
>
> What I'd like to do is have a whitelist apply to only a specific reject.
> For example:
>
> smtpd_*_restrictions =
>   .
>   check_*_access .
>   reject_.
>   reject_...
>   reject_...
>
> My understanding is that the above will cause all
> of the following rejects to be skipped for whitelisted hosts. But suppose
> each reject_... test needs different whitelists? Is there a way to do that?

You could use an access table to look up per-recipient rules.
See http://www.postfix.org/RESTRICTION_CLASS_README.html for an
example.

Wietse