Re: Whitelist a host using check_client_access before the rbl check?

2008-08-05 Thread Nicolas KOWALSKI
On Mon, Aug 04, 2008 at 02:40:54PM -0400, Brian Evans - Postfix List wrote:
> Nicolas KOWALSKI wrote:
>> On Mon, Aug 04, 2008 at 12:29:34PM -0400, Brian Evans - Postfix List wrote:
>>
>>>> A *better* way is to force them to Authenticate using SASL.
>>>> See http://www.postfix.org/SASL_README.html
>>>> Postfix supports either Cyrus or Dovecot SASL.
>>>
>>> P.S. This is if you fully trust and know this host
>>
>> Yes, I fully trust this host. Actually, it is the mx backup for my home 
>> server:
>>
>> $ host petole.dyndns.org
>> petole.dyndns.org has address 87.90.240.206
>> petole.dyndns.org mail is handled by 10 demisel.dyndns.org.
>> petole.dyndns.org mail is handled by 5 petole.dyndns.org.
>>
>> Can I use authentication for MX?
>>
> I would highly recommend setting SASL up on both ends in this case. This  
> is much more secure and reliable than whitelisting a dynamic host.
> See the above link for details.

Just to close this thread, we implemented SMTP AUTH over TLS between my 
server and its secondary MX, and it works perfectly.

Thanks for your suggestions,
-- 
Nicolas
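The exchange the thread settles on, SMTP AUTH accepted only inside a TLS session, as an added example that is not part of the original posts or of Postfix: a Python model of the server side with the behaviour of smtpd_tls_auth_only = yes (AUTH neither advertised nor accepted before STARTTLS, a successful AUTH PLAIN setting the username that permit_sasl_authenticated later tests) together with the client-side AUTH PLAIN encoding. The TLS handshake is a flag, the credential is constructed, and the reply texts follow the RFC wording rather than Postfix's own.

```python
"""Server-side model of SMTP AUTH offered only inside TLS.
Added example, not Postfix code. It mirrors what smtpd_sasl_auth_enable = yes
with smtpd_tls_auth_only = yes does: AUTH is neither advertised nor accepted
until STARTTLS has succeeded, and a good AUTH PLAIN sets the SASL username
that permit_sasl_authenticated later tests. The TLS handshake is a flag, the
credential is constructed, and the reply texts follow RFC 3207/4954 wording
rather than Postfix's own."""
import base64
import hmac

# Constructed credential for the secondary MX. In a real deployment it lives
# in the SASL backend (Cyrus or Dovecot), never in the MTA.
CREDENTIALS = {"demisel": b"correct horse battery staple"}


class Smtpd:
    """Just enough state for EHLO, STARTTLS and AUTH PLAIN."""

    def __init__(self, hostname="petole.dyndns.org", tls_auth_only=True):
        self.hostname = hostname
        self.tls_auth_only = tls_auth_only
        self.tls = False
        self.sasl_username = None

    def handle(self, line):
        verb, _, rest = line.strip().partition(" ")
        verb = verb.upper()
        if verb == "EHLO":
            feats = [f"250-{self.hostname}"]
            if not self.tls:
                feats.append("250-STARTTLS")
            if self.tls or not self.tls_auth_only:  # advertise AUTH only when safe
                feats.append("250-AUTH PLAIN")
            feats.append("250 8BITMIME")
            return "\r\n".join(feats)
        if verb == "STARTTLS":
            if self.tls:
                return "503 5.5.1 TLS already active"
            self.tls = True            # stand-in for the real handshake
            self.sasl_username = None  # RFC 3207: forget pre-TLS client state
            return "220 2.0.0 Ready to start TLS"
        if verb == "AUTH":
            return self._auth(rest)
        return "502 5.5.2 Error: command not recognized"

    def _auth(self, rest):
        if self.tls_auth_only and not self.tls:
            # AUTH PLAIN is only base64, so without TLS the password is readable
            return "530 5.7.0 Must issue a STARTTLS command first"
        if self.sasl_username:
            return "503 5.5.1 Error: already authenticated"
        mech, _, initial = rest.partition(" ")
        if mech.upper() != "PLAIN" or not initial:
            return "504 5.5.4 Unsupported authentication mechanism"
        try:  # RFC 4616: [authzid] NUL authcid NUL passwd
            _authz, authc, passwd = base64.b64decode(initial, validate=True).split(b"\0")
        except ValueError:  # binascii.Error is a ValueError; so is a wrong NUL count
            return "501 5.5.2 Invalid AUTH PLAIN response"
        user = authc.decode("utf-8", "replace")
        expected = CREDENTIALS.get(user, b"")
        if not expected or not hmac.compare_digest(expected, passwd):
            return "535 5.7.8 Error: authentication failed"
        self.sasl_username = user
        return "235 2.7.0 Authentication successful"


def auth_plain(user, password, authzid=""):
    """Client side: the AUTH PLAIN command with an initial response (RFC 4616)."""
    return "AUTH PLAIN " + base64.b64encode(f"{authzid}\0{user}\0{password}".encode()).decode()


def session(commands, tls_auth_only=True):
    """Run scripted client commands against a fresh server; return (replies, user)."""
    server = Smtpd(tls_auth_only=tls_auth_only)
    replies = [server.handle(c) for c in commands]
    return replies, server.sasl_username


# The exchange the thread settled on: EHLO, STARTTLS, EHLO again, then AUTH.
GOOD = ["EHLO demisel.dyndns.org", "STARTTLS", "EHLO demisel.dyndns.org",
        auth_plain("demisel", "correct horse battery staple")]
# A client that tries to authenticate on the plaintext session.
PLAINTEXT = ["EHLO demisel.dyndns.org", auth_plain("demisel", "correct horse battery staple")]

if __name__ == "__main__":
    for cmd, reply in zip(GOOD, session(GOOD)[0]):
        print(f"C: {cmd}\nS: {reply}")
```

In the thread's setup the client is the secondary MX's smtp(8), which needs smtp_sasl_auth_enable = yes, smtp_sasl_password_maps and an smtp_tls_security_level that guarantees encryption before it hands over the credential. The log in the original post shows the existing session negotiating ADH-AES256-SHA, an anonymous suite that encrypts without authenticating the server, so a verifying level (verify or secure, against a CA the client trusts) is what keeps the password from going to an impostor. On the receiving side no restriction change is needed: permit_sasl_authenticated already sits ahead of reject_rbl_client in the posted smtpd_recipient_restrictions.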


Re: Whitelist a host using check_client_access before the rbl check?

2008-08-04 Thread Brian Evans - Postfix List

Nicolas KOWALSKI wrote:
> On Mon, Aug 04, 2008 at 12:29:34PM -0400, Brian Evans - Postfix List wrote:
>>> A *better* way is to force them to Authenticate using SASL.
>>> See http://www.postfix.org/SASL_README.html
>>> Postfix supports either Cyrus or Dovecot SASL.
>>
>> P.S. This is if you fully trust and know this host
>
> Yes, I fully trust this host. Actually, it is the mx backup for my home 
> server:
>
> $ host petole.dyndns.org
> petole.dyndns.org has address 87.90.240.206
> petole.dyndns.org mail is handled by 10 demisel.dyndns.org.
> petole.dyndns.org mail is handled by 5 petole.dyndns.org.
>
> Can I use authentication for MX?

I would highly recommend setting SASL up on both ends in this case. This 
is much more secure and reliable than whitelisting a dynamic host.

See the above link for details.

If you implement this and have problems, please post logs and new 
'postconf -n' to this list.


Brian


Re: Whitelist a host using check_client_access before the rbl check?

2008-08-04 Thread Nicolas KOWALSKI
On Mon, Aug 04, 2008 at 12:29:34PM -0400, Brian Evans - Postfix List wrote:
> Brian Evans - Postfix List wrote:
>> Nicolas KOWALSKI wrote:
>>>> The client said 'EHLO demisel.dyndns.org'.
>>>> This is the value that check_helo_access can find, though somewhat 
>>>> unreliable to whitelist.
>>>
>>> I apparently have no other choices to whitelist-before-rbl such a 
>>> dynamic pool's host.
>>>
>> A *better* way is to force them to Authenticate using SASL.
>>
>> See http://www.postfix.org/SASL_README.html
>> Postfix supports either Cyrus or Dovecot SASL.
>>
> P.S. This is if you fully trust and know this host

Yes, I fully trust this host. Actually, it is the mx backup for my home 
server:

$ host petole.dyndns.org
petole.dyndns.org has address 87.90.240.206
petole.dyndns.org mail is handled by 10 demisel.dyndns.org.
petole.dyndns.org mail is handled by 5 petole.dyndns.org.

Can I use authentication for MX?

-- 
Nicolas


Re: Whitelist a host using check_client_access before the rbl check?

2008-08-04 Thread Brian Evans - Postfix List

Brian Evans - Postfix List wrote:
> Nicolas KOWALSKI wrote:
>>> The client said 'EHLO demisel.dyndns.org'.
>>> This is the value that check_helo_access can find, though somewhat 
>>> unreliable to whitelist.
>>
>> I apparently have no other choices to whitelist-before-rbl such a 
>> dynamic pool's host.
>>
>> Thanks to all,
>
> A *better* way is to force them to Authenticate using SASL.
>
> See http://www.postfix.org/SASL_README.html
> Postfix supports either Cyrus or Dovecot SASL.
>
> Brian

P.S. This is if you fully trust and know this host


Re: Whitelist a host using check_client_access before the rbl check?

2008-08-04 Thread Brian Evans - Postfix List

Nicolas KOWALSKI wrote:
>> The client said 'EHLO demisel.dyndns.org'.
>> This is the value that check_helo_access can find, though somewhat 
>> unreliable to whitelist.
>
> I apparently have no other choices to whitelist-before-rbl such a 
> dynamic pool's host.
>
> Thanks to all,

A *better* way is to force them to Authenticate using SASL.

See http://www.postfix.org/SASL_README.html
Postfix supports either Cyrus or Dovecot SASL.

Brian




Re: Whitelist a host using check_client_access before the rbl check?

2008-08-04 Thread Nicolas KOWALSKI
On Mon, Aug 04, 2008 at 10:56:36AM -0400, Brian Evans - Postfix List wrote:
> Nicolas KOWALSKI wrote:
>> On Mon, Aug 04, 2008 at 08:58:01AM -0400, Charles Marcus wrote:
>>
>>> On 8/4/2008, Nicolas KOWALSKI ([EMAIL PROTECTED]) wrote:
>>>> Aug  4 14:17:18 petole postfix/smtpd[23545]: NOQUEUE: reject: RCPT
>>>> from 225.96.68-86.rev.gaoland.net[86.68.96.225]: 554 5.7.1 Service
>>>> unavailable; Client host [86.68.96.225] blocked using
>>>> zen.spamhaus.org;
>>>
>>> THAT was the client...
>>>
>>>  http://www.spamhaus.org/query/bl?ip=86.68.96.225;
>>>> from=<[EMAIL PROTECTED]> to=<[EMAIL PROTECTED]>
>>>> proto=ESMTP helo=<demisel.dyndns.org>
>>>
>>> THAT was the helo...
>>>
>>> So, you're trying to whitelist a client using its helo...
>>> 
>> But demisel.dyndns.org (currently) resolves to the above address  
>> (86.68.96.225) ; why doesn't postfix get it?   
> This is how it works:
> Postfix receives a connect from an IP and does a lookup on that IP.
> See what it returns yourself with 'host 86.68.96.225'
>
> In your case, the client address was 225.96.68-86.rev.gaoland.net (which 
> is an unqualified RDNS entry for a dynamic pool).
> This is the value that check_client_access can find (either name or IP)

Ok, I think I get it now.

> The client said 'EHLO demisel.dyndns.org'.
> This is the value that check_helo_access can find, though somewhat  
> unreliable to whitelist.

I apparently have no other choices to whitelist-before-rbl such a 
dynamic pool's host.

Thanks to all,
-- 
Nicolas


Re: Whitelist a host using check_client_access before the rbl check?

2008-08-04 Thread Brian Evans - Postfix List

Nicolas KOWALSKI wrote:
> On Mon, Aug 04, 2008 at 08:58:01AM -0400, Charles Marcus wrote:
>> Let me give this one a try... I *think* I see the problem...
>>
>> On 8/4/2008, Nicolas KOWALSKI ([EMAIL PROTECTED]) wrote:
>>> Aug  4 14:17:18 petole postfix/smtpd[23545]: NOQUEUE: reject: RCPT
>>> from 225.96.68-86.rev.gaoland.net[86.68.96.225]: 554 5.7.1 Service
>>> unavailable; Client host [86.68.96.225] blocked using
>>> zen.spamhaus.org;
>>
>> THAT was the client...
>>
>>  http://www.spamhaus.org/query/bl?ip=86.68.96.225;
>>> from=<[EMAIL PROTECTED]> to=<[EMAIL PROTECTED]>
>>> proto=ESMTP helo=<demisel.dyndns.org>
>>
>> THAT was the helo...
>>
>> So, you're trying to whitelist a client using its helo...
>
> But demisel.dyndns.org (currently) resolves to the above address 
> (86.68.96.225) ; why doesn't postfix get it? 

This is how it works:
Postfix receives a connect from an IP and does a lookup on that IP.
See what it returns yourself with 'host 86.68.96.225'

In your case, the client address was 225.96.68-86.rev.gaoland.net (which 
is an unqualified RDNS entry for a dynamic pool).

This is the value that check_client_access can find (either name or IP)

The client said 'EHLO demisel.dyndns.org'.
This is the value that check_helo_access can find, though somewhat 
unreliable to whitelist.


Brian


Re: Whitelist a host using check_client_access before the rbl check?

2008-08-04 Thread Nicolas KOWALSKI
On Mon, Aug 04, 2008 at 08:58:01AM -0400, Charles Marcus wrote:
> Let me give this one a try... I *think* I see the problem...
>
> On 8/4/2008, Nicolas KOWALSKI ([EMAIL PROTECTED]) wrote:
>> Aug  4 14:17:18 petole postfix/smtpd[23545]: NOQUEUE: reject: RCPT
>> from 225.96.68-86.rev.gaoland.net[86.68.96.225]: 554 5.7.1 Service
>> unavailable; Client host [86.68.96.225] blocked using
>> zen.spamhaus.org;
>
> THAT was the client...
>
>  http://www.spamhaus.org/query/bl?ip=86.68.96.225;
>> from=<[EMAIL PROTECTED]> to=<[EMAIL PROTECTED]>
>> proto=ESMTP helo=<demisel.dyndns.org>
>
> THAT was the helo...
>
> So, you're trying to whitelist a client using its helo...

But demisel.dyndns.org (currently) resolves to the above address 
(86.68.96.225) ; why doesn't postfix get it? 

-- 
Nicolas


Re: Whitelist a host using check_client_access before the rbl check?

2008-08-04 Thread Brian Evans - Postfix List

Stan Hoeppner wrote:
> Hello Nicolas,
>
> Try this:
>
> Remove 'check_client_access hash:/etc/postfix/client_access' from 
> smtpd_recipient_restrictions.  Add the following line in main.cf 
> somewhere before/above smtpd_recipient_restrictions:
>
> smtpd_client_restrictions = hash:/etc/postfix/client_access
>
> And make sure you 'postmap /etc/postfix/client_access' any time you 
> make changes to the file.  And obviously, 'postfix reload' whenever 
> you make changes to main.cf.

This will not fix the OP's issue because client_restrictions occur 
before recipient_restrictions.
This also does not deny any hosts with the line you posted above so it's 
really worthless, due to the implied permit at the end of the 
client_restrictions.

Since the check fails in recipient_restrictions, an exception must be 
placed before the rbl_check there.

As Charles already pointed out, he was simply using the wrong check, 
even though a HELO whitelist is somewhat dangerous to trust (easily forged).

Brian

> Hope this helps.
>
> Stan
>
> Nicolas KOWALSKI wrote:
>> Hello,
>>
>> I would like to whitelist a specific host, because it is currently 
>> listed in the zen rbl, but I am unable to do so.
>>
>> Here is a sample log of the rejected host connecting to my postfix:
>>
>> Aug  4 14:17:17 petole postfix/smtpd[23545]: connect from 
>> 225.96.68-86.rev.gaoland.net[86.68.96.225]
>> Aug  4 14:17:17 petole postfix/smtpd[23545]: setting up TLS 
>> connection from 225.96.68-86.rev.gaoland.net[86.68.96.225]
>> Aug  4 14:17:17 petole postfix/smtpd[23545]: TLS connection 
>> established from 225.96.68-86.rev.gaoland.net[86.68.96.225]: TLSv1 
>> with cipher ADH-AES256-SHA (256/256 bits)
>> Aug  4 14:17:18 petole postfix/smtpd[23545]: NOQUEUE: reject: RCPT 
>> from 225.96.68-86.rev.gaoland.net[86.68.96.225]: 554 5.7.1 Service 
>> unavailable; Client host [86.68.96.225] blocked using 
>> zen.spamhaus.org; http://www.spamhaus.org/query/bl?ip=86.68.96.225; 
>> from=<[EMAIL PROTECTED]> to=<[EMAIL PROTECTED]> 
>> proto=ESMTP helo=<demisel.dyndns.org>
>> Aug  4 14:17:18 petole postfix/smtpd[23545]: disconnect from 
>> 225.96.68-86.rev.gaoland.net[86.68.96.225]
>>
>> - I added the following line (full postconf -n below) to the 
>> smtpd_recipient_restrictions, before the rbl check:
>>
>> check_client_access hash:/etc/postfix/client_access
>>
>> - /etc/postfix/client_access contains:
>> demisel.dyndns.org OK
>>
>> - the full configuration:


Re: Whitelist a host using check_client_access before the rbl check?

2008-08-04 Thread Stan Hoeppner

Hello Nicolas,

Try this:

Remove 'check_client_access hash:/etc/postfix/client_access' from 
smtpd_recipient_restrictions.  Add the following line in main.cf 
somewhere before/above smtpd_recipient_restrictions:


smtpd_client_restrictions = hash:/etc/postfix/client_access

And make sure you 'postmap /etc/postfix/client_access' any time you make 
changes to the file.  And obviously, 'postfix reload' whenever you make 
changes to main.cf.


Hope this helps.

Stan




Nicolas KOWALSKI wrote:
> Hello,
>
> I would like to whitelist a specific host, because it is currently 
> listed in the zen rbl, but I am unable to do so.
>
> Here is a sample log of the rejected host connecting to my postfix:
>
> Aug  4 14:17:17 petole postfix/smtpd[23545]: connect from 
> 225.96.68-86.rev.gaoland.net[86.68.96.225]
> Aug  4 14:17:17 petole postfix/smtpd[23545]: setting up TLS connection from 
> 225.96.68-86.rev.gaoland.net[86.68.96.225]
> Aug  4 14:17:17 petole postfix/smtpd[23545]: TLS connection established from 
> 225.96.68-86.rev.gaoland.net[86.68.96.225]: TLSv1 with cipher ADH-AES256-SHA 
> (256/256 bits)
> Aug  4 14:17:18 petole postfix/smtpd[23545]: NOQUEUE: reject: RCPT from 
> 225.96.68-86.rev.gaoland.net[86.68.96.225]: 554 5.7.1 Service unavailable; Client host 
> [86.68.96.225] blocked using zen.spamhaus.org; http://www.spamhaus.org/query/bl?ip=86.68.96.225; 
> from=<[EMAIL PROTECTED]> to=<[EMAIL PROTECTED]> proto=ESMTP 
> helo=<demisel.dyndns.org>
> Aug  4 14:17:18 petole postfix/smtpd[23545]: disconnect from 
> 225.96.68-86.rev.gaoland.net[86.68.96.225]
>
> - I added the following line (full postconf -n below) to the 
> smtpd_recipient_restrictions, before the rbl check:
>
> check_client_access hash:/etc/postfix/client_access
>
> - /etc/postfix/client_access contains:
> demisel.dyndns.org OK
>
> - the full configuration:
>
> petole:~# postconf -n
> alias_maps = hash:/etc/aliases
> append_dot_mydomain = no
> config_directory = /etc/postfix
> disable_mime_output_conversion = yes
> header_checks = regexp:/etc/postfix/header_checks
> inet_protocols = all
> local_recipient_maps = hash:/etc/postfix/local_recipients, $alias_maps
> mailbox_size_limit = 0
> mailbox_transport = cyrus
> maximal_queue_lifetime = 60d
> message_size_limit = 0
> mydestination = localhost, localhost.localdomain,   petole, petole.lan, 
> petole.dyndns.org, petole.demisel.net
> mydomain = $myhostname
> myhostname = petole.dyndns.org
> relay_domains = demisel.dyndns.org
> relay_recipient_maps = hash:/etc/postfix/relay_recipients
> relayhost = [mail.club-internet.fr]
> smtp_tls_CAfile = /etc/postfix/ssl/cacert.pem
> smtp_tls_loglevel = 1
> smtp_tls_security_level = may
> smtpd_helo_required = yes
> smtpd_recipient_restrictions = permit_mynetworks,   
> permit_sasl_authenticated,  reject_unauth_destination, 
> check_client_access hash:/etc/postfix/client_access, 
> reject_non_fqdn_sender, reject_non_fqdn_recipient,  
> reject_invalid_hostname,reject_unknown_hostname,
> reject_unknown_sender_domain,   reject_rbl_client zen.spamhaus.org, permit
> smtpd_tls_cert_file = /etc/postfix/ssl/petole-crt.pem
> smtpd_tls_key_file = /etc/postfix/ssl/petole-key.pem
> smtpd_tls_loglevel = 1
> smtpd_tls_received_header = yes
> smtpd_tls_security_level = may
> smtpd_tls_session_cache_timeout = 3600s
>
> Any help would be appreciated,
>
> Thanks,


Re: Whitelist a host using check_client_access before the rbl check?

2008-08-04 Thread Charles Marcus

Let me give this one a try... I *think* I see the problem...

On 8/4/2008, Nicolas KOWALSKI ([EMAIL PROTECTED]) wrote:
> Aug  4 14:17:18 petole postfix/smtpd[23545]: NOQUEUE: reject: RCPT
> from 225.96.68-86.rev.gaoland.net[86.68.96.225]: 554 5.7.1 Service
> unavailable; Client host [86.68.96.225] blocked using
> zen.spamhaus.org;

THAT was the client...

 http://www.spamhaus.org/query/bl?ip=86.68.96.225;
> from=<[EMAIL PROTECTED]> to=<[EMAIL PROTECTED]>
> proto=ESMTP helo=<demisel.dyndns.org>

THAT was the helo...

So, you're trying to whitelist a client using its helo...

Either use a helo access check, or use the right client, but only if you 
are sure the client won't change (it is, after all, on a dynamic block)...


--

Best regards,

Charles


Whitelist a host using check_client_access before the rbl check?

2008-08-04 Thread Nicolas KOWALSKI
Hello,

I would like to whitelist a specific host, because it is currently 
listed in the zen rbl, but I am unable to do so.

Here is a sample log of the rejected host connecting to my postfix:

Aug  4 14:17:17 petole postfix/smtpd[23545]: connect from 
225.96.68-86.rev.gaoland.net[86.68.96.225]
Aug  4 14:17:17 petole postfix/smtpd[23545]: setting up TLS connection from 
225.96.68-86.rev.gaoland.net[86.68.96.225]
Aug  4 14:17:17 petole postfix/smtpd[23545]: TLS connection established from 
225.96.68-86.rev.gaoland.net[86.68.96.225]: TLSv1 with cipher ADH-AES256-SHA 
(256/256 bits)
Aug  4 14:17:18 petole postfix/smtpd[23545]: NOQUEUE: reject: RCPT from 
225.96.68-86.rev.gaoland.net[86.68.96.225]: 554 5.7.1 Service unavailable; 
Client host [86.68.96.225] blocked using zen.spamhaus.org; 
http://www.spamhaus.org/query/bl?ip=86.68.96.225; from=<[EMAIL PROTECTED]> 
to=<[EMAIL PROTECTED]> proto=ESMTP helo=<demisel.dyndns.org>
Aug  4 14:17:18 petole postfix/smtpd[23545]: disconnect from 
225.96.68-86.rev.gaoland.net[86.68.96.225]


- I added the following line (full postconf -n below) to the 
smtpd_recipient_restrictions, before the rbl check:

check_client_access hash:/etc/postfix/client_access


- /etc/postfix/client_access contains:
demisel.dyndns.org OK


- the full configuration:

petole:~# postconf -n
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
config_directory = /etc/postfix
disable_mime_output_conversion = yes
header_checks = regexp:/etc/postfix/header_checks
inet_protocols = all
local_recipient_maps = hash:/etc/postfix/local_recipients, $alias_maps
mailbox_size_limit = 0
mailbox_transport = cyrus
maximal_queue_lifetime = 60d
message_size_limit = 0
mydestination = localhost, localhost.localdomain,   petole, petole.lan, 
petole.dyndns.org, petole.demisel.net
mydomain = $myhostname
myhostname = petole.dyndns.org
relay_domains = demisel.dyndns.org
relay_recipient_maps = hash:/etc/postfix/relay_recipients
relayhost = [mail.club-internet.fr]
smtp_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtp_tls_loglevel = 1
smtp_tls_security_level = may
smtpd_helo_required = yes
smtpd_recipient_restrictions = permit_mynetworks,   
permit_sasl_authenticated,  reject_unauth_destination, 
check_client_access hash:/etc/postfix/client_access, 
reject_non_fqdn_sender, reject_non_fqdn_recipient,  
reject_invalid_hostname,reject_unknown_hostname,
reject_unknown_sender_domain,   reject_rbl_client zen.spamhaus.org, permit
smtpd_tls_cert_file = /etc/postfix/ssl/petole-crt.pem
smtpd_tls_key_file = /etc/postfix/ssl/petole-key.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_timeout = 3600s



Any help would be appreciated,

Thanks,
-- 
Nicolas