From: Bill Gee on 4 Aug 2010 19:01

Hello everyone -

I have my Postfix server set up to reject mail from servers which are unknown in DNS. Normally that is a good thing, but every now and then I run across one that I want to accept mail from.

I have tried several ways to set up the exceptions in Postfix, but so far it is not working. What rule is causing the rejection? I've tried changing all of the rules I list below, but no luck.

I may have two problems here. The listings below show two servers that are being denied. The maillog entries are slightly different. I may have two different rules to change.

This is Postfix 2.3.3 running on CentOS 5.5.

Here is a sample entry from maillog:

=============
Jul 25 15:54:53 server2 postfix/smtpd[7338]: NOQUEUE: reject: RCPT from unknown[212.96.160.162]: 450 4.7.1 Client host rejected: cannot find your hostname, 212.96.160.162]; from=<therion-bounces(a)speleo.sk> to=<bgee(a)campercaver.net> proto=ESMTP helo=<outsider2.texxar.cz>
Jul 25 15:54:55 server2 postfix/smtpd[7338]: lost connection after RSET from unknown[212.96.160.162]
Jul 25 15:54:55 server2 postfix/smtpd[7338]: disconnect from unknown[212.96.160.162]

Jul 25 16:15:22 server2 postfix/smtpd[7829]: connect from unknown[67.213.214.192]
Jul 25 16:15:23 server2 postfix/smtpd[7829]: NOQUEUE: reject: RCPT from unknown[67.213.214.192]: 450 4.7.1 <vps.zr2usa.com>: Helo command rejected: Host not found; from=<nobody(a)vps.zr2usa.com> to=<bgee(a)campercaver.net> proto=ESMTP helo=<vps.zr2usa.com>
Jul 25 16:15:23 server2 postfix/smtpd[7829]: disconnect from unknown[67.213.214.192]
============

Here are the relevant entries from main.cf:

==============
smtpd_client_restrictions = check_client_access hash:/etc/postfix/access,
    reject_unknown_client_hostname

smtpd_require_helo = yes
smtpd_helo_required = yes

smtpd_helo_restrictions = permit_mynetworks,
    check_helo_access hash:/etc/postfix/ok-ipaddresses,
    reject_invalid_helo_hostname,
    reject_unknown_helo_hostname,
    reject_non_fqdn_hostname,
    permit

smtpd_recipient_restrictions = check_recipient_access hash:/etc/postfix/special-senders,
    reject_invalid_hostname,
    reject_non_fqdn_hostname,
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    reject_unknown_sender_domain,
    reject_unknown_recipient_domain,
    permit_mynetworks,
    check_recipient_access hash:/etc/postfix/denied-system-mailboxes,
    reject_unauth_destination,
    permit
====================

Here is the 'access' file:

==================
zr2usa.com OK
vps.zr2usa.com OK
nobody(a)vps.zr2usa.com OK
kevin(a)vps.zr2usa.com OK
67.213.214.192 OK
212.96.160.162 OK
================

Here is the special-senders file:

================
75.144.158.125 OK
.onsetcomp.com OK
65.55.90.161 OK
.snt0.hotmail.com OK
67.213.214.192 OK
212.96.160.162 OK
===============

And finally, the ok-ipaddresses file:

===============
65.55.90.161 OK
.snt0.hotmail.com OK
65.55.90.175 OK
67.213.214.192 OK
212.96.160.162 OK
===============

Thanks - Bill Gee
From: Walter Pinto on 4 Aug 2010 19:16

You might need to add these to your ok-ipaddresses file:

zr2usa.com OK
vps.zr2usa.com OK
nobody(a)vps.zr2usa.com OK
kevin(a)vps.zr2usa.com OK
67.213.214.192 OK
212.96.160.162 OK

It looks like it's rejecting the HELO.
From: Noel Jones on 5 Aug 2010 12:02

On 8/4/2010 6:01 PM, Bill Gee wrote:
> Hello everyone -
>
> I have my Postfix server set up to reject mail from servers which are unknown
> in DNS. Normally that is a good thing, but every now and then I run across
> one that I want to accept mail from.
>
> I have tried several ways to set up the exceptions in Postfix, but so far it is
> not working. What rule is causing the rejection? I've tried changing all of
> the rules I list below, but no luck.
>
> I may have two problems here. The listings below show two servers that are
> being denied. The maillog entries are slightly different. I may have two
> different rules to change.
>
> This is Postfix 2.3.3 running on CentOS 5.5.
>
> Here is a sample entry from maillog:
>
> =============
> Jul 25 15:54:53 server2 postfix/smtpd[7338]: NOQUEUE: reject: RCPT from
> unknown[212.96.160.162]
> : 450 4.7.1 Client host rejected: cannot find your hostname, 212.96.160.162];
> from=<therion-bounces(a)speleo.sk> to=<bgee(a)campercaver.net> proto=ESMTP
> helo=<outsider2.texxar.cz>

This was rejected by reject_unknown_client_hostname.

> Jul 25 15:54:55 server2 postfix/smtpd[7338]: lost connection after RSET from
> unknown[212.96.160.162]
> Jul 25 15:54:55 server2 postfix/smtpd[7338]: disconnect from
> unknown[212.96.160.162]
>
> Jul 25 16:15:22 server2 postfix/smtpd[7829]: connect from
> unknown[67.213.214.192]
> Jul 25 16:15:23 server2 postfix/smtpd[7829]: NOQUEUE: reject: RCPT from
> unknown[67.213.214.192]: 450 4.7.1 <vps.zr2usa.com>: Helo command rejected:
> Host not found; from=<nobody(a)vps.zr2usa.com> to=<bgee(a)campercaver.net>
> proto=ESMTP helo=<vps.zr2usa.com>

This was rejected by reject_unknown_helo_hostname.

> Jul 25 16:15:23 server2 postfix/smtpd[7829]: disconnect from
> unknown[67.213.214.192]
>
> ============
>
> Here are the relevant entries from main.cf:
>
> ==============
> smtpd_client_restrictions = check_client_access hash:/etc/postfix/access,
>     reject_unknown_client_hostname

This access table will whitelist the specified clients from reject_unknown_client_hostname, but the client can still be rejected by checks in other smtpd_*_restrictions sections.

> smtpd_require_helo = yes
> smtpd_helo_required = yes
>
> smtpd_helo_restrictions = permit_mynetworks,
>     check_helo_access hash:/etc/postfix/ok-ipaddresses,

The ok-ipaddresses table will check the HELO name the client gives, which should never be an IP address. This table probably doesn't really whitelist anything.

>     reject_invalid_helo_hostname,
>     reject_unknown_helo_hostname,
>     reject_non_fqdn_hostname,
>     permit
>
> smtpd_recipient_restrictions = check_recipient_access
>     hash:/etc/postfix/special-senders,

The special-senders file checks the recipient name. You're an open relay to any address listed in this file. Fortunately, IP addresses don't match, and names with leading dots, i.e. ".foo.example.com", won't match unless you've changed the default value of parent_domain_matches_subdomains. This table isn't matching anything, which is probably a good thing.

>     reject_invalid_hostname,
>     reject_non_fqdn_hostname,
>     reject_non_fqdn_sender,
>     reject_non_fqdn_recipient,
>     reject_unknown_sender_domain,
>     reject_unknown_recipient_domain,
>     permit_mynetworks,
>     check_recipient_access hash:/etc/postfix/denied-system-mailboxes,
>     reject_unauth_destination,
>     permit
> ====================
>
> Here is the 'access' file:
>
> ==================
> zr2usa.com OK
> vps.zr2usa.com OK

Client names are OK. This must be the client hostname and not necessarily the email domain name.

> nobody(a)vps.zr2usa.com OK
> kevin(a)vps.zr2usa.com OK

Email addresses will never match a check_client_access lookup.

> 67.213.214.192 OK
> 212.96.160.162 OK

IP addresses are OK.

> ================
>
> Here is the special-senders file:
>
> ================
> 75.144.158.125 OK

IPs are never matched in a check_recipient_access table.

> .onsetcomp.com OK

Domains with leading dots are not matched unless you change parent_domain_matches_subdomains.

> 65.55.90.161 OK
> .snt0.hotmail.com OK
> 67.213.214.192 OK
> 212.96.160.162 OK

Nothing matches here.

> ===============
>
> And finally, the ok-ipaddresses file:

This file is used with check_helo_access. IPs and names with leading dots will never be matched.

> ===============
> 65.55.90.161 OK
> .snt0.hotmail.com OK
> 65.55.90.175 OK
> 67.213.214.192 OK
> 212.96.160.162 OK
> ===============
>
> Thanks - Bill Gee

You should remove your smtpd_client_restrictions and smtpd_helo_restrictions (and smtpd_sender_restrictions if you're using it) and put everything under smtpd_recipient_restrictions arranged like so:

smtpd_recipient_restrictions =
    # allow local access
    permit_mynetworks
    # reject relay attempts
    reject_unauth_destination
    # client whitelist. Whitelist CLIENTS here. A client
    # can be an IP or a domain name without leading dots.
    check_client_access hash:/etc/postfix/client_whitelist
    # local recipient blacklist
    check_recipient_access hash:/etc/postfix/denied-system-mailboxes
    # all anti-spam restrictions go below here
    ...

-- Noel Jones
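To see why the three tables behave as Noel describes, here is an added example (not code from the thread or from Postfix) that models the lookup keys a Postfix access(5) table is tried with under check_client_access, check_helo_access and check_recipient_access. It uses Bill's tables with the (a) obfuscation undone; the key order follows the documented lookup behaviour and is an approximation, not Postfix's own implementation.

```python
# Constructed model of the keys a Postfix access(5) lookup tries; it follows
# the documented lookup order but is not Postfix's own code.

# Bill's three tables as posted ("(a)" restored to "@", one leading dot).
ACCESS = {"zr2usa.com", "vps.zr2usa.com", "nobody@vps.zr2usa.com",
          "kevin@vps.zr2usa.com", "67.213.214.192", "212.96.160.162"}
SPECIAL_SENDERS = {"75.144.158.125", ".onsetcomp.com", "65.55.90.161",
                   ".snt0.hotmail.com", "67.213.214.192", "212.96.160.162"}
OK_IPADDRESSES = {"65.55.90.161", ".snt0.hotmail.com", "65.55.90.175",
                  "67.213.214.192", "212.96.160.162"}


def domain_keys(name, subdomains_implicit=True):
    """The name itself, then each parent domain down to the TLD. With
    smtpd_access_maps in parent_domain_matches_subdomains (the default) the
    parents are tried bare, so 'zr2usa.com' also covers hosts below it;
    otherwise they are tried with a leading dot and only '.zr2usa.com'
    style entries can match a subdomain."""
    labels = name.lower().split(".")
    dot = "" if subdomains_implicit else "."
    return [name.lower()] + [dot + ".".join(labels[i:]) for i in range(1, len(labels))]


def ip_keys(addr):
    """An IPv4 client address, then its /24, /16 and /8 prefixes."""
    octets = addr.split(".")
    return [".".join(octets[:n]) for n in (4, 3, 2, 1)]


def client_keys(hostname, addr):
    """check_client_access: the client's hostname and parents, then its IP."""
    return domain_keys(hostname) + ip_keys(addr)


def helo_keys(helo):
    """check_helo_access: only the name announced in HELO/EHLO, never the IP."""
    return domain_keys(helo)


def recipient_keys(address):
    """check_recipient_access: full address, its domain and parents, user@."""
    user, _, domain = address.lower().partition("@")
    return [address.lower()] + domain_keys(domain) + [user + "@"]


def first_match(table, keys):
    """Postfix uses the first key present; None means the table decides nothing."""
    return next((k for k in keys if k in table), None)


if __name__ == "__main__":
    # The second rejected session from Bill's log.
    print(first_match(ACCESS, client_keys("unknown", "67.213.214.192")))
    print(first_match(OK_IPADDRESSES, helo_keys("vps.zr2usa.com")))
    print(first_match(SPECIAL_SENDERS, recipient_keys("bgee@campercaver.net")))
```

On a real server the same question is answered by `postmap -q 67.213.214.192 hash:/etc/postfix/access`, trying each key the model lists.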
From: Walter Pinto on 5 Aug 2010 14:30

Thanks Noel, this information has helped me as well.
From: Noel Jones on 5 Aug 2010 15:58

On 8/5/2010 2:20 PM, Adam Lanier wrote:
> On Thu, 2010-08-05 at 11:02 -0500, Noel Jones wrote:
>>
>> You should remove your smtpd_client_restrictions and
>> smtpd_helo_restrictions (and smtpd_sender_restrictions if
>> you're using it) and put everything under smtpd_recipient
>> restrictions arranged like so:
>>
>> smtpd_recipient_restrictions =
>>     # allow local access
>>     permit_mynetworks
>>     # reject relay attempts
>>     reject_unauth_destination
>>     # client whitelist. Whitelist CLIENTS here. A client
>>     # can be an IP or a domain name without leading dots.
>>     check_client_access hash:/etc/postfix/client_whitelist
>>     # local recipient blacklist
>>     check_recipient_access
>>         hash:/etc/postfix/denied-system-mailboxes
>>     # all anti-spam restrictions go below here
>
> Not to hijack this thread but can I ask a question regarding your
> comment above? You recommend keeping all client/helo restriction in the
> smtpd_sender_restrictions.

smtpd_recipient_restrictions is what I wrote.

> Is there any use case where the
> smtpd_client_restrictions/smtpd_helo_restrictions would be preferred
> over smtpd_sender_restrictions? If not, why are they there?

It's easier to put everything in smtpd_recipient_restrictions, especially for non-expert users. When you get into more complex rules -- something like permit only if A AND if B -- you may be able to do some things without resorting to restriction classes or a policy service. But these applications are fairly rare.

> I understand that with smtpd_delay_reject, evaluation of the status for
> client/helo/sender restrictions will not happen until the RCPT TO
> command anyway. If you had checks in smtpd_client_restrictions wouldn't
> they still be evaluated prior to checks in smtpd_recipient_restrictions?

This is more about helping the admin understand what postfix is doing rather than micro-managing the flow. When everything is under smtpd_recipient_restrictions, it's a simple "first match wins" flow.

> What's the advantage of having all checks in
> smtpd_recipient_restrictions?

The biggest advantage occurs when you must use a whitelist. If you use the multiple smtpd_*_restrictions sections you need to make sure to use your whitelist in each section and understand the interaction between the sections.

> Sorry, that's more than one question :/

-- Noel Jones
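The "first match wins" flow and the whitelist interaction Noel describes, as an added example that is not part of the thread or of Postfix: a toy evaluator in which each restriction answers OK, REJECT or DUNNO, run over Bill's split layout and Noel's merged list for the client from the log. The mynetworks, mydestination and whitelist contents are assumed values, and the restriction set is reduced to the ones that matter here.

```python
# Constructed toy evaluator for Postfix smtpd restriction lists, not Postfix's
# own code: each restriction returns "OK", "REJECT" or "DUNNO" (no opinion).

MYNETWORKS = {"127.0.0.1"}                 # assumed mynetworks
MY_DOMAINS = {"campercaver.net"}           # assumed mydestination
CLIENT_WHITELIST = {"67.213.214.192"}      # the client Bill wants to accept


def session(ip, name, helo, helo_resolves, rcpt):
    """What smtpd knows at RCPT TO (smtpd_delay_reject=yes, the default)."""
    return {"ip": ip, "name": name, "helo": helo,
            "helo_resolves": helo_resolves, "rcpt": rcpt}


def permit_mynetworks(s):
    return "OK" if s["ip"] in MYNETWORKS else "DUNNO"


def reject_unauth_destination(s):
    return "DUNNO" if s["rcpt"].rpartition("@")[2] in MY_DOMAINS else "REJECT"


def check_client_access(s):
    hit = s["ip"] in CLIENT_WHITELIST or s["name"] in CLIENT_WHITELIST
    return "OK" if hit else "DUNNO"


def reject_unknown_client_hostname(s):
    return "REJECT" if s["name"] == "unknown" else "DUNNO"


def reject_unknown_helo_hostname(s):
    return "DUNNO" if s["helo_resolves"] else "REJECT"


def evaluate(restrictions, s):
    """One list, first match wins; running off the end is an implicit permit."""
    for restriction in restrictions:
        verdict = restriction(s)
        if verdict != "DUNNO":
            return verdict
    return "OK"


def evaluate_sections(sections, s):
    """Split smtpd_*_restrictions: an OK only ends its own section, so the
    client must survive every section and a whitelist in one section does
    not help against a REJECT in another."""
    return "REJECT" if any(evaluate(sec, s) == "REJECT" for sec in sections) else "OK"


# Bill's layout (client, helo, recipient sections) and Noel's merged list.
SPLIT = [[check_client_access, reject_unknown_client_hostname],
         [permit_mynetworks, reject_unknown_helo_hostname],
         [permit_mynetworks, reject_unauth_destination]]
MERGED = [permit_mynetworks, reject_unauth_destination, check_client_access,
          reject_unknown_client_hostname, reject_unknown_helo_hostname]
```

Putting check_client_access ahead of reject_unauth_destination in the merged list turns the whitelist into an open relay for that client, which is why Noel's order has the relay check first.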