Re: Blacklisting external domains
On 2/6/2015 8:52 AM, li...@rhsoft.net wrote:
> it's simple
>
> * if there is any permit in front - well
> * if you are using specific submission_client_restrictions and have placed the access table in front of any permit it works in that context
>
> postfix is dead-simple
> the first action stops the rest inside of the restriction list, no matter if it is OK or REJECT
>
> and so if you have permit-rules like mynetworks or sasl-authenticated in front your access table is never called at all
>
> the same if you have an OK somewhere but another rule before says REJECT

Oh, crap, never mind. I forgot that I'd created the custom 'submission_client_restrictions' class when killing the LinkedIn Intro App.

So, that explains why it wasn't working the way I thought it should.

Thanks for the gentle clue sticks...
Re: Blacklisting external domains
On 2/6/2015 8:58 AM, li...@rhsoft.net wrote:
> and BTW one reason more to make a transport
> it is not affected by other restrictions
> it just comes at the end of the chain when postfix now would accept the message even by an explicit OK in any restriction table
>
> http://www.postfix.org/transport.5.html
>
> exemple.com error:did you mean 'exAmple.com'?

Ok, well, that at least makes sense, thanks... will probably move this test there
Re: Blacklisting external domains
On 06.02.2015 at 14:52, li...@rhsoft.net wrote:
> On 06.02.2015 at 14:43, Charles Marcus wrote:
> > Well... ok, so now I just have to figure out what I'm missing/doing wrong.
> >
> > Hmmm... ok, just moved it from smtpd_relay_restrictions to submission_client_restrictions and it works now...
> >
> > But it still looks to me like it should have worked when called from smtpd_relay_restrictions, or even smtpd_recipient_restrictions...
>
> it's simple
>
> * if there is any permit in front - well
> * if you are using specific submission_client_restrictions and have placed the access table in front of any permit it works in that context
>
> postfix is dead-simple
> the first action stops the rest inside of the restriction list, no matter if it is OK or REJECT
>
> and so if you have permit-rules like mynetworks or sasl-authenticated in front your access table is never called at all
>
> the same if you have an OK somewhere but another rule before says REJECT

and BTW one reason more to make a transport
it is not affected by other restrictions
it just comes at the end of the chain when postfix now would accept the message even by an explicit OK in any restriction table

http://www.postfix.org/transport.5.html

exemple.com error:did you mean 'exAmple.com'?
Re: Blacklisting external domains
On 2/6/2015 8:26 AM, wie...@porcupine.org (Wietse Venema) wrote:
> Charles Marcus:
> > > user@domain
> > >     Matches the specified mail address.
> > > domain.tld
> > >     Matches domain.tld as the domain part of an email address.
> > > .domain.tld
> > >     Matches subdomains of domain.tld, but only when the ...
> > > user@
> > >     Matches all mail addresses with the specified user part.
> >
> > Ok, so what I'm trying to do is match/REJECT anyth...@domain.tld
> >
> > I would have read the above to mean that domain.tld would accomplish this... and now I'm trying to understand what that
>
> Indeed. Postfix makes the queries shown above, and if you have domain.tld reject, then it will match the second query.

Well... ok, so now I just have to figure out what I'm missing/doing wrong.

Hmmm... ok, just moved it from smtpd_relay_restrictions to submission_client_restrictions and it works now...

But it still looks to me like it should have worked when called from smtpd_relay_restrictions, or even smtpd_recipient_restrictions...

postconf -n | grep
Re: Blacklisting external domains
On 2/5/2015 5:06 PM, wie...@porcupine.org (Wietse Venema) wrote:
> Charles Marcus:
> > Ok... but... this sounds like you are saying that it is expected that my simple postmap -q test would fail, but that someone attempting to relay
>
> I am saying that you should RTFM the access(5) manpage and make the queries in the order as indicated there.
>
> ACCESS(5)                                                    ACCESS(5)
>
> NAME
>     access - Postfix SMTP server access table
> ...
> EMAIL ADDRESS PATTERNS
>     With lookups from indexed files such as DB or DBM, or from networked tables such as NIS, LDAP or SQL, patterns are tried in the order as listed below:
>
>     user@domain
>         Matches the specified mail address.
>     domain.tld
>         Matches domain.tld as the domain part of an email address.
>     .domain.tld
>         Matches subdomains of domain.tld, but only when the string smtpd_access_maps is not listed in the Postfix parent_domain_matches_subdomains configuration setting.
>     user@
>         Matches all mail addresses with the specified user part.

Ok, so what I'm trying to do is match/REJECT anyth...@domain.tld

I would have read the above to mean that domain.tld would accomplish this... and now I'm trying to understand what that example means, if it doesn't mean it would reject emails to ANY recipient at that tld.

Anyway, maybe Reindl is correct and I should be doing this with a transport map? I'll look into that.

I had found some $random examples when googling that suggested I should be able to do this with a simple access map. Guess they were wrong.

Thanks
Re: Blacklisting external domains
On 06.02.2015 at 14:43, Charles Marcus wrote:
> Well... ok, so now I just have to figure out what I'm missing/doing wrong.
>
> Hmmm... ok, just moved it from smtpd_relay_restrictions to submission_client_restrictions and it works now...
>
> But it still looks to me like it should have worked when called from smtpd_relay_restrictions, or even smtpd_recipient_restrictions...

it's simple

* if there is any permit in front - well
* if you are using specific submission_client_restrictions and have placed the access table in front of any permit it works in that context

postfix is dead-simple
the first action stops the rest inside of the restriction list, no matter if it is OK or REJECT

and so if you have permit-rules like mynetworks or sasl-authenticated in front your access table is never called at all

the same if you have an OK somewhere but another rule before says REJECT
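The first-match rule described in this message, as an added example that is not from the thread: `eval_list` is a hypothetical toy model of a single restriction list. It assumes a constructed one-entry access table (the `exemple.com` entry from the thread) and a client outside mynetworks.

```shell
#!/bin/sh
# Added example: toy model of how one smtpd restriction list is evaluated.
# The first restriction that returns a decision ends the list.

# eval_list "restriction, restriction, ..." RECIPIENT SASL(yes|no)
eval_list() {
    list=$1 rcpt=$2 sasl=$3
    old_ifs=$IFS
    IFS=', '
    set -f; set -- $list; set +f    # split the list on commas and spaces
    IFS=$old_ifs
    for r in "$@"; do
        case $r in
            permit_sasl_authenticated)
                if [ "$sasl" = yes ]; then echo "permit by $r"; return 0; fi ;;
            permit_mynetworks)
                ;;  # assumption: client is outside mynetworks, no decision
            check_recipient_access)
                # constructed table holding only the thread's entry
                case ${rcpt##*@} in
                    exemple.com) echo "reject by $r"; return 0 ;;
                esac ;;
            reject)
                echo "reject by $r"; return 0 ;;
            *)
                ;;  # map arguments and unmodelled restrictions: no decision
        esac
    done
    echo "no decision"
}

# Same recipient, same authenticated client, different order:
#   eval_list 'permit_sasl_authenticated, check_recipient_access ${hash}/blacklisted_domains, reject' rcpt@exemple.com yes
#   eval_list 'check_recipient_access ${hash}/blacklisted_domains, permit_sasl_authenticated, reject' rcpt@exemple.com yes
```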
Re: Blacklisting external domains
Charles Marcus:
> > user@domain
> >     Matches the specified mail address.
> > domain.tld
> >     Matches domain.tld as the domain part of an email address.
> > .domain.tld
> >     Matches subdomains of domain.tld, but only when the ...
> > user@
> >     Matches all mail addresses with the specified user part.
>
> Ok, so what I'm trying to do is match/REJECT anyth...@domain.tld
>
> I would have read the above to mean that domain.tld would accomplish this... and now I'm trying to understand what that

Indeed. Postfix makes the queries shown above, and if you have domain.tld reject, then it will match the second query.

Wietse
Re: Blacklisting external domains
On 6. feb. 2015 13.49.31 Charles Marcus cmar...@media-brokers.com wrote:
> I had found some $random examples when googling that suggested I should be able to do this with a simple access map. Guess they were wrong.

possible a single access map can be used in multiple restrictions ?, just guessing :)

it's not always simple
Re: Blacklisting external domains
Charles Marcus:
> Ok, Can't seem to figure this out...
>
> I want to block sending to certain domains - in this case, a domain that is typod...
>
> Googling suggests this should work:
>
> smtpd_relay_restrictions = check_recipient_access ${hash}/blacklisted_domains, permit_sasl_authenticated, permit_mynetworks, reject
>
> blacklisted_domains contains
>
> exemple.com REJECT did you mean 'exAmple.com'?
>
> But querying the map only works for the plain TLD, not for email addresses for the TLD.

check_recipient_access automatically makes queries for the email address, the domain, and more. See access(5).

> # postmap -q exemple.com hash:/etc/postfix/maps/hash/blacklisted_domains
> REJECT did you mean 'exAmple.com'?
> # postmap -q recipi...@exemple.com hash:/etc/postfix/maps/hash/blacklisted_domains
>
> What am I missing?

The postmap command does not automatically make related queries for email address, domain name, and more. You have to make the related queries yourself.

postmap cannot figure out by itself that you want to query an access map. It needs help. For example, to simulate the queries in header/body_checks, you specify postmap -mh or postmap -mb.

There currently are no options to tell postmap that you want to query access maps, canonical maps, transport maps, etc. You have to make the related queries yourself.

It should be possible to extract the code that makes related queries for access maps and transport maps and put that code into library functions (the related queries for canonical, virtual alias and generic maps are already generated by a library routine). Then, postmap could make the same related queries as Postfix daemons.

Wietse
Re: Blacklisting external domains
On 2/5/2015 4:35 PM, wie...@porcupine.org (Wietse Venema) wrote:
> Charles Marcus:
> > Ok, Can't seem to figure this out...
> >
> > I want to block sending to certain domains - in this case, a domain that is typod...
> >
> > Googling suggests this should work:
> >
> > smtpd_relay_restrictions = check_recipient_access ${hash}/blacklisted_domains, permit_sasl_authenticated, permit_mynetworks, reject
> >
> > blacklisted_domains contains
> >
> > exemple.com REJECT did you mean 'exAmple.com'?
> >
> > But querying the map only works for the plain TLD, not for email addresses for the TLD.
>
> check_recipient_access automatically makes queries for the email address, the domain, and more. See access(5).
>
> > # postmap -q exemple.com hash:/etc/postfix/maps/hash/blacklisted_domains
> > REJECT did you mean 'exAmple.com'?
> > # postmap -q recipi...@exemple.com hash:/etc/postfix/maps/hash/blacklisted_domains
> >
> > What am I missing?
>
> The postmap command does not automatically make related queries for email address, domain name, and more. You have to make the related queries yourself.
>
> postmap cannot figure out by itself that you want to query an access map. It needs help. For example, to simulate the queries in header/body_checks, you specify postmap -mh or postmap -mb.

Ok... but... this sounds like you are saying that it is expected that my simple postmap -q test would fail, but that someone attempting to relay an email to anyth...@exemple.com should get REJECTed?

That is not the case:

    2015-02-05T16:39:25-05:00 myserver postfix-587/smtpd[11726]: D8C9C824CA762: client=XXX[192.168.1.110], sasl_method=PLAIN, sasl_username=validu...@example.com
    2015-02-05T16:39:25-05:00 myserver postfix/cleanup[11019]: D8C9C824CA762: message-id=54d3e30d.1020...@example.com
    2015-02-05T16:39:25-05:00 myserver postfix/qmgr[10695]: D8C9C824CA762: from=validu...@example.com, size=697, nrcpt=1 (queue active)
    2015-02-05T16:39:30-05:00 myserver postfix/smtp[11944]: D8C9C824CA762: to=someth...@exemple.com, relay=159-63-145-2.rcimx.com[208.80.204.36]:25, delay=4.3, delays=0.02/0/0.23/4, dsn=2.0.0, status=sent (250 OK)
    2015-02-05T16:39:30-05:00 myserver postfix/qmgr[10695]: D8C9C824CA762: removed

But, the postmap -q test does at least show that it is accessing the map...

postconf -n shows that the check_recipient_access test is in the right place:

    # postconf -n | grep relay_restrictions
    smtpd_relay_restrictions = check_recipient_access ${hash}/blacklisted_domains, permit_sasl_authenticated, permit_mynetworks, check_client_access ${cidr}/allowed_clients.cidr, reject
Re: Blacklisting external domains
On 05.02.2015 at 22:19, Charles Marcus wrote:
> Ok, Can't seem to figure this out...
>
> I want to block sending to certain domains - in this case, a domain that is typod...
>
> Googling suggests this should work:
>
> smtpd_relay_restrictions = check_recipient_access ${hash}/blacklisted_domains, permit_sasl_authenticated, permit_mynetworks, reject
>
> blacklisted_domains contains
>
> exemple.com REJECT did you mean 'exAmple.com'?
>
> But querying the map only works for the plain TLD, not for email addresses for the TLD.
>
> # postmap -q exemple.com hash:/etc/postfix/maps/hash/blacklisted_domains
> REJECT did you mean 'exAmple.com'?
> # postmap -q recipi...@exemple.com hash:/etc/postfix/maps/hash/blacklisted_domains
>
> What am I missing?

that you can do that with a *transport*

on our submission servers we use mysql configs and have a separate typo transports table joined with the regular transports for years now
Re: Blacklisting external domains
Charles Marcus:
> > check_recipient_access automatically makes queries for the email address, the domain, and more. See access(5).
> >
> > > # postmap -q exemple.com hash:/etc/postfix/maps/hash/blacklisted_domains
> > > REJECT did you mean 'exAmple.com'?
> > > # postmap -q recipi...@exemple.com hash:/etc/postfix/maps/hash/blacklisted_domains
> > >
> > > What am I missing?
> >
> > The postmap command does not automatically make related queries for email address, domain name, and more. You have to make the related queries yourself.
> >
> > postmap cannot figure out by itself that you want to query an access map. It needs help. For example, to simulate the queries in header/body_checks, you specify postmap -mh or postmap -mb.
>
> Ok... but... this sounds like you are saying that it is expected that my simple postmap -q test would fail, but that someone attempting to relay

I am saying that you should RTFM the access(5) manpage and make the queries in the order as indicated there.

Wietse

ACCESS(5)                                                    ACCESS(5)

NAME
    access - Postfix SMTP server access table
...
EMAIL ADDRESS PATTERNS
    With lookups from indexed files such as DB or DBM, or from networked tables such as NIS, LDAP or SQL, patterns are tried in the order as listed below:

    user@domain
        Matches the specified mail address.
    domain.tld
        Matches domain.tld as the domain part of an email address.
    .domain.tld
        Matches subdomains of domain.tld, but only when the string smtpd_access_maps is not listed in the Postfix parent_domain_matches_subdomains configuration setting.
    user@
        Matches all mail addresses with the specified user part.

    Note: lookup of the null sender address is not possible with some types of lookup table. By default, Postfix uses as the lookup key for such addresses. The value is specified with the smtpd_null_access_lookup_key parameter in the Postfix main.cf file.
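The related queries that `postmap -q` leaves to the operator, in the access(5) order quoted above, as an added example that is not part of the original thread. It goes beyond the four listed patterns by also walking parent domains; the function names `access_keys` and `access_lookup` and the `plain`/`dot` argument are assumptions of this example, and address extensions are not handled.

```shell
#!/bin/sh
# Added example: emulate the related queries Postfix makes for a recipient
# address in an access(5) table, which a plain `postmap -q` does not do.

# access_keys ADDRESS [plain|dot]
#   plain: smtpd_access_maps is listed in parent_domain_matches_subdomains,
#          so parent domains are tried as "domain.tld"
#   dot:   it is not listed, so parent domains are tried as ".domain.tld"
access_keys() {
    addr=$1
    style=${2:-plain}
    user=${addr%@*}          # everything before the last "@"
    d=${addr##*@}            # everything after the last "@"
    prefix=                  # the full domain is always tried without a dot
    printf '%s\n' "$addr"    # 1. user@domain
    while [ -n "$d" ]; do    # 2./3. the domain, then each parent domain
        printf '%s%s\n' "$prefix" "$d"
        [ "$style" = dot ] && prefix=.
        case $d in
            *.*) d=${d#*.} ;;    # strip the leftmost label
            *)   d= ;;
        esac
    done
    printf '%s@\n' "$user"   # 4. user@
}

# access_lookup MAP ADDRESS [plain|dot]
# Prints "key -> result" for the first key found; returns 1 if none matches.
access_lookup() {
    map=$1
    for key in $(access_keys "$2" "${3:-plain}"); do
        # postmap -q exits with status zero only when the key was found
        if result=$(postmap -q "$key" "$map"); then
            printf '%s -> %s\n' "$key" "$result"
            return 0
        fi
    done
    return 1
}

# On a host with Postfix installed (map path as given in the thread):
#   access_lookup hash:/etc/postfix/maps/hash/blacklisted_domains rcpt@exemple.com
```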