RE: whitelist for single reject

2018-12-29 Thread Michael Fox
> > ${config_directory}/reject1_map
> > # These hosts are whitelisted from this test only
> > 192.0.2.1   OK
> > 192.0.2.2   OK
> > # Everyone else gets this test
> > 0.0.0.0/0   reject1
> 
> To make "from this test only", it would have to be "DUNNO",
> rather than "OK" for the first two rules.
> 
> --
>   Viktor.

OK.  I wondered about that.  Thanks much!

Michael




Re: whitelist for single reject

2018-12-29 Thread Viktor Dukhovni



> On Dec 29, 2018, at 7:19 PM, Michael Fox  wrote:
> 
> ${config_directory}/reject1_map
>   # These hosts are whitelisted from this test only
>   192.0.2.1   OK
>   192.0.2.2   OK
>   # Everyone else gets this test
>   0.0.0.0/0   reject1

To make "from this test only", it would have to be "DUNNO",
rather than "OK" for the first two rules.

-- 
Viktor.



RE: whitelist for single reject

2018-12-29 Thread Michael Fox
> > Suppose I have the following general case:
> >
> > /etc/postfix/whitelist1:
> > OK
> > OK
> >
> > /etc/postfix/whitelist2:
> > OK
> >
> > How would I accomplish the following?
> >
> > smtpd_*_restrictions =
> > . . .
> > reject_[type1] . . .  (except for hosts in whitelist1)
> > reject_[type2] . . .  (except for hosts in whitelist2)
> 
> 
> main.cf:
> smtpd_restriction_classes = whitelist1, whitelist2, unwhitelisted
> whitelist1 = reject_[type2]
> whitelist2 = reject_[type1]
> unwhitelisted = reject_[type1], reject_[type2]
> 
> smtpd_*_restrictions =
>    check_client_access pcre:/etc/postfix/whitelisting
>    ...   (NOT including reject_[type1] or reject_[type2])
> 
> /etc/postfix/whitelisting:
> /^host_a$/   whitelist1
> /^host_b$/   whitelist1
> /^host_c$/   whitelist2
> /.*/ unwhitelisted
 
Ah.  OK.  I see what you're doing.  But, to make the logic more like

smtpd_*_restrictions =
. . .
reject_[type1] . . .  (except for hosts in whitelist1)
reject_[type2] . . .  (except for hosts in whitelist2)

and to take into account Viktor's suggestion for CIDR tables, does this
work?

${config_directory}/main.cf:
smtpd_restriction_classes = reject1, reject2
reject1 = reject_[type1]
reject2 = reject_[type2]

smtpd_*_restrictions = 
. . .
check_client_access cidr:${config_directory}/reject1_map
check_client_access cidr:${config_directory}/reject2_map
. . .

${config_directory}/reject1_map
# These hosts are whitelisted from this test only
192.0.2.1   OK
192.0.2.2   OK
# Everyone else gets this test
0.0.0.0/0   reject1

${config_directory}/reject2_map
# These hosts are whitelisted from this test only
192.0.2.2   OK
192.0.2.3   OK
# Everyone else gets this test
0.0.0.0/0   reject2


So:
-- host 192.0.2.1 is exempted from the first test but must undergo the
second test
-- host 192.0.2.2 is exempted from both tests
-- host 192.0.2.3 must undergo the first test but is exempted from the
second test
-- all other hosts undergo both tests

Is that correct?


> The reason I'm specifying 'whitelisting' map as pcre type instead of
> hash is that I don't think there's any way to make a hash map default to
> a restriction class or restriction list. One way to read the access(5)
> man page implies that '.' would match any hostname not matched, but I
> have not tried that.

OK.  Understood.

Michael




RE: whitelist for single reject

2018-12-29 Thread Michael Fox
> Since hostname-based whitelists are fragile in the face of transient
> DNS failures, and many users struggle with regular expression correctness,
> a CIDR map is more appropriate here:
>   Viktor.

Excellent.  Thanks.

Michael




Re: whitelist for single reject

2018-12-27 Thread Wietse Venema
Michael Fox:
> > >
> > > What I'd like to do is have a whitelist apply to only a specific reject.
> > 
> > You could use an access table to look up per-recipient rules.
> > See http://www.postfix.org/RESTRICTION_CLASS_README.html for an
> > example.
> 
> Hmmm.  I read that.  I don't see how it applies to this case.  Can you give
> me an example?

recipient1  restrictions for recipient 1
recipient2  restrictions for recipient 2

Wietse


Re: whitelist for single reject

2018-12-26 Thread Viktor Dukhovni
> On Dec 27, 2018, at 12:31 AM, Bill Cole wrote:
> 
> main.cf:
>   smtpd_restriction_classes = whitelist1, whitelist2, unwhitelisted
>   whitelist1 = reject_[type2]
>   whitelist2 = reject_[type1]
>   unwhitelisted = reject_[type1], reject_[type2]
> 
>   smtpd_*_restrictions =
>  check_client_access pcre:/etc/postfix/whitelisting
>  ...   (NOT including reject_[type1] or reject_[type2])
> 
> /etc/postfix/whitelisting:
>   /^host_a$/   whitelist1
>   /^host_b$/   whitelist1
>   /^host_c$/   whitelist2
>   /.*/ unwhitelisted

Since hostname-based whitelists are fragile in the face of transient
DNS failures, and many users struggle with regular expression correctness,
a CIDR map is more appropriate here:

192.0.2.1   whitelist1
192.0.2.2   whitelist2

0.0.0.0/0   unwhitelisted

  check_client_access cidr:${config_directory}/wlist.cidr

-- 
Viktor.



Re: whitelist for single reject

2018-12-26 Thread Bill Cole

On 26 Dec 2018, at 22:35, Michael Fox wrote:

> > > What I'd like to do is have a whitelist apply to only a specific
> > > reject.
> > 
> > You could use an access table to look up per-recipient rules.
> > See http://www.postfix.org/RESTRICTION_CLASS_README.html for an
> > example.
> 
> Hmmm.  I read that.  I don't see how it applies to this case.

That's because the logic for doing it in Postfix is the reverse of what
you're asking for. It still works, however.

> Can you give
> me an example?
> 
> Suppose I have the following general case:
> 
> /etc/postfix/whitelist1:
>   OK
>   OK
> 
> /etc/postfix/whitelist2:
>   OK
> 
> How would I accomplish the following?
> 
> smtpd_*_restrictions =
> . . .
> reject_[type1] . . .  (except for hosts in whitelist1)
> reject_[type2] . . .  (except for hosts in whitelist2)



main.cf:
   smtpd_restriction_classes = whitelist1, whitelist2, unwhitelisted
   whitelist1 = reject_[type2]
   whitelist2 = reject_[type1]
   unwhitelisted = reject_[type1], reject_[type2]

   smtpd_*_restrictions =
  check_client_access pcre:/etc/postfix/whitelisting
  ...   (NOT including reject_[type1] or reject_[type2])

/etc/postfix/whitelisting:
   /^host_a$/   whitelist1
   /^host_b$/   whitelist1
   /^host_c$/   whitelist2
   /.*/ unwhitelisted

The reason I'm specifying 'whitelisting' map as pcre type instead of 
hash is that I don't think there's any way to make a hash map default to 
a restriction class or restriction list. One way to read the access(5) 
man page implies that '.' would match any hostname not matched, but I 
have not tried that.


--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Available For Hire: https://linkedin.com/in/billcole
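The two layouts discussed in this thread (Michael's one-map-per-test design with Viktor's OK-versus-DUNNO correction, and Bill's reverse-logic restriction classes above) differ only in how the access-map result steers the rest of the restriction list. The simulation below is an illustration added here; it is not Postfix code and not code from any of the posters. It models just the access(5)/cidr_table(5) results the thread relies on: OK permits the client and ends the whole list, DUNNO skips only the current restriction, REJECT rejects, and any other result names a restriction class whose list is evaluated in place. The IP addresses, the class names and the assumption that every sample client would fail both reject tests are constructed test data.

```python
"""Toy model of how an smtpd_*_restrictions list is evaluated.

Simulation written for this thread; it is not Postfix code.  It models only
the access(5)/cidr_table(5) results the thread relies on: OK permits the
client and stops the whole list, DUNNO falls through to the next
restriction, REJECT rejects, and any other result names a restriction
class whose list is evaluated in place.
"""
import ipaddress

# Constructed client data (not from the thread): IP -> set of reject_* tests
# the client would fail if the test were actually run.
CLIENTS = {
    "192.0.2.1": {"type1", "type2"},
    "192.0.2.2": {"type1", "type2"},
    "192.0.2.3": {"type1", "type2"},
    "198.51.100.9": {"type1", "type2"},
}


def cidr_map(entries):
    """Build a cidr: lookup: the first matching entry wins, as in cidr_table(5).
    Returns None when nothing matches, which makes check_client_access a no-op."""
    parsed = [(ipaddress.ip_network(net), action) for net, action in entries]

    def lookup(ip):
        addr = ipaddress.ip_address(ip)
        for net, action in parsed:
            if addr in net:
                return action
        return None

    return lookup


def evaluate(restrictions, classes, ip, fails, trace):
    """Walk one restriction list.  Returns 'permit', 'reject:<why>' or
    'dunno' (list exhausted without a decision).  trace records the
    reject_* tests that were actually reached."""
    for r in restrictions:
        if callable(r):                      # check_client_access cidr:map
            action = r(ip)
            if action is None or action == "DUNNO":
                continue                     # skip only this restriction
            if action == "OK":
                return "permit"              # stops the WHOLE list
            if action == "REJECT":
                return "reject:map"
            r = action                       # otherwise: a restriction class
        if r in classes:                     # nested list evaluated in place
            result = evaluate(classes[r], classes, ip, fails, trace)
            if result != "dunno":
                return result
            continue
        if r.startswith("reject_"):
            trace.append(r)
            if r[len("reject_"):] in fails:
                return "reject:" + r[len("reject_"):]
            continue
        if r == "permit":
            return "permit"
        raise ValueError("unknown restriction: %r" % (r,))
    return "dunno"


def run(restrictions, classes, ip):
    """Evaluate the list for one client.  A list that ends without a
    decision accepts the client.  Returns (verdict, tests_reached)."""
    trace = []
    verdict = evaluate(restrictions, classes, ip, CLIENTS[ip], trace)
    return ("permit" if verdict == "dunno" else verdict), trace


# Michael's layout: one class and one map per test.  `exempt` is the action
# the whitelisted hosts get: "OK" (his draft) or "DUNNO" (Viktor's fix).
MICHAEL_CLASSES = {"reject1": ["reject_type1"], "reject2": ["reject_type2"]}


def michael_list(exempt):
    reject1_map = cidr_map([("192.0.2.1/32", exempt), ("192.0.2.2/32", exempt),
                            ("0.0.0.0/0", "reject1")])
    reject2_map = cidr_map([("192.0.2.2/32", exempt), ("192.0.2.3/32", exempt),
                            ("0.0.0.0/0", "reject2")])
    return [reject1_map, reject2_map]


# Bill's reverse logic: the map names the class that holds the OTHER test.
BILL_CLASSES = {
    "whitelist1": ["reject_type2"],
    "whitelist2": ["reject_type1"],
    "unwhitelisted": ["reject_type1", "reject_type2"],
}
BILL_LIST = [cidr_map([("192.0.2.1/32", "whitelist1"),
                       ("192.0.2.3/32", "whitelist2"),
                       ("0.0.0.0/0", "unwhitelisted")])]

if __name__ == "__main__":
    for ip in CLIENTS:
        print(ip, "OK:", run(michael_list("OK"), MICHAEL_CLASSES, ip),
              "DUNNO:", run(michael_list("DUNNO"), MICHAEL_CLASSES, ip),
              "classes:", run(BILL_LIST, BILL_CHECKS if False else BILL_CLASSES, ip))
```

Running it shows the point of Viktor's correction: with OK in reject1_map, 192.0.2.1 is permitted outright and reject_[type2] is never reached; with DUNNO it skips only reject_[type1] and is still rejected by the second test. Bill's class layout reaches the same per-host outcome without a second map. One caveat for the real cidr tables: a `0.0.0.0/0` catch-all matches IPv4 clients only, so an IPv6 client falls through with no match and gets neither the exemption nor the test unless a `::/0` entry is added.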


RE: whitelist for single reject

2018-12-26 Thread Michael Fox
> In addition to defining alternative restriction lists and classes as
> Wietse noted, you can keep all of your restrictions in the standard
> smtpd_*_restrictions lists if you prefer and can accept the limitation
> of having each type of whitelisting applied to a trailing sublist of
> restrictions.

Thanks Bill.  But the situation is not "nested" as your example showed.  I
just posted a follow-up to Wietse's response.  Perhaps that will be more
clear.

Michael



Re: whitelist for single reject

2018-12-25 Thread Bill Cole

On 24 Dec 2018, at 12:40, Michael Fox wrote:

> I'm pretty sure I've seen this documented somewhere, but I can't find
> it.

In addition to defining alternative restriction lists and classes as 
Wietse noted, you can keep all of your restrictions in the standard 
smtpd_*_restrictions lists if you prefer and can accept the limitation 
of having each type of whitelisting applied to a trailing sublist of 
restrictions.
This method is implicit in the documentation of the various 
smtpd_*_restrictions lists, but I don't think it is described explicitly 
anywhere.

> What I'd like to do is have a whitelist apply to only a specific
> reject.
> 
> [...]
> 
> But suppose
> each reject_... test needs different whitelists?  Is there a way to do
> that?


You can do that by defining restriction lists and classes as in 
http://www.postfix.org/RESTRICTION_CLASS_README.html or you can get 
close to it without a myriad of special lists by using the fact that 
directives in a restriction list are ordered, and you can have as many 
check_*_access maps as you like, ordered amongst the reject_* directives 
however you like. So this sort of thing would work, although it's a bit 
more than I expect anyone would need:


smtpd_recipient_restrictions = permit_mynetworks,
   check_recipient_access hash:/etc/postfix/protect_from_all,
   reject_[some_rule_1],
   check_recipient_access hash:/etc/postfix/protect_from_2-n,
   check_client_access hash:/etc/postfix/protect_from_2-n,
   reject_[some_rule_2],
   check_recipient_access hash:/etc/postfix/protect_from_3-n,
   check_sender_access hash:/etc/postfix/protect_from_3-n,
   reject_[some_rule_3],
   [...]
   check_recipient_access hash:/etc/postfix/protect_from_n,
   check_client_access hash:/etc/postfix/protect_from_n,
   check_sender_access hash:/etc/postfix/protect_from_n,
   reject_[some_rule_n],
   permit




--
Bill Cole


Re: whitelist for single reject

2018-12-24 Thread Wietse Venema
Michael Fox:
> I'm pretty sure I've seen this documented somewhere, but I can't find it.
>
> What I'd like to do is have a whitelist apply to only a specific reject.
> For example:
>
> smtpd_*_restrictions =
>   .
>   check_*_access .  
>   reject_.
>   reject_...
>   reject_...
>
> My understanding is that the above  will cause all
> of the following rejects to be skipped for whitelisted hosts.  But suppose
> each reject_... test needs different whitelists?  Is there a way to do that?

You could use an access table to look up per-recipient rules.
See http://www.postfix.org/RESTRICTION_CLASS_README.html for an
example.

Wietse