
Permit rejected domains acces


Chris Jacobs

Sep 27, 2001, 5:33:37 PM

I have a problem. I need to allow mail from someone that is blocked by
ORDB. I have setup my files as such:

main.cf:

smtpd_recipient_restrictions = permit_mynetworks, check_sender_access
hash:/etc/postfix/sender_access, reject_non_fqdn_recipient,
check_client_access hash:/etc/postfix/pop-before-smtp, reject_maps_rbl,
check_relay_domains

sender_access = hash:/etc/postfix/sender_access

sender_access:

Eibach-Springs.cust-rtr.pacbell.net OK
eibach.com PERMIT
kmar...@eibach.com PERMIT
216.103.61.214 PERMIT
jc...@eibach.com PERMIT
pacbell.net PERMIT

Excerpt from maillog:

Sep 27 10:51:16 ns1 postfix/smtpd[21611]: connect from
Eibach-Springs.cust-rtr.pacbell.net[216.103.61.214]
Sep 27 10:51:16 ns1 postfix/smtpd[21611]: D1ACA21C073:
client=Eibach-Springs.cust-rtr.pacbell.net[216.103.61.214]
Sep 27 10:51:17 ns1 postfix/smtpd[21611]: reject: RCPT from
Eibach-Springs.cust-rtr.pacbell.net[216.103.61.214]: 554 Service
unavailable; [216.103.61.214] blocked using relays.ordb.org, reason:
Blackholed by ORDB -- see http://ordb.org/lookup/?host=216.103.61.214;
from= to=
Sep 27 10:51:22 ns1 postfix/smtpd[21611]: disconnect from
Eibach-Springs.cust-rtr.pacbell.net[216.103.61.214]
Sep 27 10:51:53 ns1 postfix/smtpd[21612]: connect from
tkdcpuba01.msn.com[207.68.182.213]
Sep 27 10:51:54 ns1 postfix/smtpd[21611]: connect from
Eibach-Springs.cust-rtr.pacbell.net[216.103.61.214]
Sep 27 10:51:58 ns1 postfix/smtpd[21611]: B865F21C485:
client=Eibach-Springs.cust-rtr.pacbell.net[216.103.61.214]
Sep 27 10:52:02 ns1 postfix/smtpd[21611]: reject: RCPT from
Eibach-Springs.cust-rtr.pacbell.net[216.103.61.214]: 554 Service
unavailable; [216.103.61.214] blocked using relays.ordb.org, reason:
Blackholed by ORDB -- see http://ordb.org/lookup/?host=216.103.61.214;
from= to=
Sep 27 10:52:15 ns1 postfix/smtpd[21611]: disconnect from
Eibach-Springs.cust-rtr.pacbell.net[216.103.61.214]

I've searched the archives of the mailing list to get this far, but I must
still have something wrong. I know the simple answer is to have them fix
the open relay server but that's not an option.

Chris Jacobs



Michael Tokarev

Sep 27, 2001, 7:25:31 PM
Chris Jacobs wrote:
>
> I have a problem. I need to allow mail from someone that is blocked by
> ORDB. I have setup my files as such:
>
> Mail.cf:
>
> smtpd_recipient_restrictions = permit_mynetworks, check_sender_access
> hash:/etc/postfix/sender_access, reject_non_fqdn_recipient,
> check_client_access hash:/etc/postfix/pop-before-smtp, reject_maps_rbl,
> check_relay_domains
>
> sender_access = hash:/etc/postfix/sender_access
>
> Send_access:
>
> Eibach-Springs.cust-rtr.pacbell.net OK
useless: pacbell.net will be used anyway.
> eibach.com PERMIT
> kmar...@eibach.com PERMIT
useless: eibach.com already here.
> 216.103.61.214 PERMIT
this is *sender* -- do you expect sender address to be
some...@216.103.61.214? Such a form is incorrect,
it at best can be written as something@[216.103.61.214]
(note the []).
> jc...@eibach.com PERMIT
> pacbell.net PERMIT

A golden rule:

NEVER RELAX YOUR RESTRICTIONS BASED ON SENDER ADDRESS

The sender address can be forged very easily. *Very* -- it is
a matter of changing one field in the settings of your mail
reader at the other end.

What your restrictions now say is:

if a client isn't in your networks (a remote one, from any
place on the internet), and the sender address is within the pacbell.net
domain (a rather big domain, isn't it?), then PERMIT sending
mail TO ANY ADDRESS. This way, you'll end up in ordb.org yourself!

For this particular case, simplest way is to change PERMIT
to e.g. check_relay_domains in send_access file. But I'd
recommend using client address instead -- after all, client's
IP address is what found in ordb. Again, use check_relay_domains
instead of PERMIT rhs here too.

> Excerpt from maillog:
>
> Sep 27 10:51:16 ns1 postfix/smtpd[21611]: connect from
> Eibach-Springs.cust-rtr.pacbell.net[216.103.61.214]
> Sep 27 10:51:16 ns1 postfix/smtpd[21611]: D1ACA21C073:
> client=Eibach-Springs.cust-rtr.pacbell.net[216.103.61.214]
> Sep 27 10:51:17 ns1 postfix/smtpd[21611]: reject: RCPT from
> Eibach-Springs.cust-rtr.pacbell.net[216.103.61.214]: 554 Service
> unavailable; [216.103.61.214] blocked using relays.ordb.org, reason:
> Blackholed by ORDB -- see http://ordb.org/lookup/?host=216.103.61.214;
> from= to=

Where is from? As long as you permit based on SENDER (from),
*from* is the most important thing, and this is the info you deleted -- how very
useful! ;) I'm pretty sure that the from address did NOT end in
pacbell.net or eibach.com; it was something different.

[]


> I've search the archives of the maillist to get this far, but I must
> still have something wrong. I know the simple answer is to have them fix
> the open relay server but that's not a option.

How very good... This last statement is nonsense. Let everyone
reject mail from them until they realize that *the only* option is
to fix their server! Good luck to them with such understanding and
position...

Regards,
Michael.

Sven Michels

Sep 28, 2001, 4:32:42 AM
Chris Jacobs wrote:

> I have a problem. I need to allow mail from someone that is blocked by
> ORDB. I have setup my files as such:
>
> Mail.cf:
>
> smtpd_recipient_restrictions = permit_mynetworks, check_sender_access
> hash:/etc/postfix/sender_access, reject_non_fqdn_recipient,
> check_client_access hash:/etc/postfix/pop-before-smtp, reject_maps_rbl,
> check_relay_domains

uhm, not really good because you allow your 'mynetworks' to send
mail to possibly nonexistent domains... try:

smtpd_recipient_restrictions =
    reject_non_fqdn_recipient,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    reject_unknown_recipient_domain,
    permit_mynetworks,
    check_recipient_access hash:/etc/postfix/recipient_access_extern,
    check_client_access hash:/etc/postfix/client_access_maps,
    reject_maps_rbl,
    reject_unauth_destination,
    permit

and add:

mail_from_rbl = check_relay_domains
smtpd_restriction_classes = mail_from_rbl

to the main.cf


in recipient_access_extern:
postmaster mail_from_rbl
abuse mail_from_rbl


in client_access_maps:
rbled_host mail_from_rbl


(I know that the mail_from_rbl restriction class is
'useless' because you can write check_relay_domains
instead of mail_from_rbl in the maps, but if you want
to do other checks on RBL hosts, it is the best solution
and you don't need to change your maps later :)

--
intraDAT AG http://www.intradat.com
Wilhelm-Leuschner-Strasse 7 Tel: +49 69-25629-0
D - 60329 Frankfurt am Main Fax: +49 69-25629-256

Chris Jacobs

Sep 28, 2001, 5:52:08 PM

I don't know if I didn't explain it right or if I'm just dense,
so I'm going to try again. I have a customer that needs to receive mail
from one of his suppliers that is being blocked by ORDB (the supplier
has the open relay). This time I'll give more info. Based on what I've
read, the tests in main.cf go down until there is a match, and then exit
the test: 1. smtpd_recipient_restrictions 2. smtpd_sender_restrictions
3. smtpd_helo_restrictions, and since I'm not completely sure which test
it would be (I thought number 2), I put the check on sender_access in all
three.

I submitted the info again, since somehow the maillog got truncated,
and all of main.cf; sorry for the long message.

Now, based on what Michael Tokarev said, I have the info in the
sender_access file wrong. What I need is to accept all email sent from
eibach.com to be delivered to my customer. If someone could tell me what
would be the right thing to put there to accept the mail. I also got a
response from Sven Michels but it seemed to me that it wouldn't work
because it would break "pop-before-smtp" (users couldn't send mail).
Also it seemed to me that 'mail_from_rbl = check_relay_domains' just
pointed to mydestination, and eibach.com wouldn't be there. If I'm just
not getting it, could it be explained a little simpler? I won't be
offended; treat me as an idiot.


Main.cf:

command_directory = /usr/sbin

daemon_directory = /usr/libexec/postfix

always_bcc= mail_...@cjmedia.com

mynetworks = 206.55.155.0/24, 127.0.0.1

smtpd_recipient_restrictions =
permit_mynetworks,
check_sender_access hash:/etc/postfix/sender_access,
reject_non_fqdn_recipient,
check_client_access hash:/etc/postfix/pop-before-smtp,
reject_maps_rbl,
check_relay_domains

smtpd_sender_restrictions =
check_sender_access hash:/etc/postfix/sender_access,
reject_maps_rbl

smtpd_helo_restrictions =
check_sender_access hash:/etc/postfix/sender_access,
reject_maps_rbl

sender_access = hash:/etc/postfix/sender_access
virtual_maps = hash:/etc/postfix/virtual

transport_maps = hash:/etc/postfix/transport
alias_maps = hash:/etc/postfix/aliases

header_checks = regexp:/etc/postfix/header_checks
body_checks = regexp:/etc/postfix/body_checks

maps_rbl_domains = relays.ordb.org, inputs.ordb.org
debug_peer_level = 99
debug_peer_list = eibach.com, pacbell.net
debugger_command =
PATH=/usr/bin:/usr/X11R6/bin
xxgdb $daemon_directory/$process_name $process_id & sleep 5

alias_database = hash:/etc/postfix/aliases

append_at_myorigin = no
#mydestination = /etc/postfix/mydestination
mydestination = aa-equip.com cjmedia.com covenant-rbw.org
deliciousgifts.com dolphinclub.com epiclocations.com goldlineonline.com
gunneradman.com guitarcasesrus.com ibsprinting.com kozaxs.com
medicaldevicesintl.com ns1.cjmedia.com omegaprime.com powerfasteners.com
roomsncovers.com secured-site.net treebark.com usamusicexchange.com
uasnow.com wynnsmdc.com zenco1.com
hopcount_limit = 50


Sender_access:


Maillog:

Sep 27 10:51:16 ns1 postfix/smtpd[21611]: connect from
Eibach-Springs.cust-rtr.pacbell.net[216.103.61.214]
Sep 27 10:51:16 ns1 postfix/smtpd[21611]: D1ACA21C073:
client=Eibach-Springs.cust-rtr.pacbell.net[216.103.61.214]
Sep 27 10:51:17 ns1 postfix/smtpd[21611]: reject: RCPT from
Eibach-Springs.cust-rtr.pacbell.net[216.103.61.214]: 554 Service
unavailable; [216.103.61.214] blocked using relays.ordb.org, reason:
Blackholed by ORDB -- see http://ordb.org/lookup/?host=216.103.61.214;
from=<jc...@eibach.com> to=<je...@goldlineonline.com>
Sep 27 10:51:22 ns1 postfix/smtpd[21611]: disconnect from
Eibach-Springs.cust-rtr.pacbell.net[216.103.61.214]
Sep 27 10:51:54 ns1 postfix/smtpd[21611]: connect from
Eibach-Springs.cust-rtr.pacbell.net[216.103.61.214]
Sep 27 10:51:58 ns1 postfix/smtpd[21611]: B865F21C485:
client=Eibach-Springs.cust-rtr.pacbell.net[216.103.61.214]
Sep 27 10:52:02 ns1 postfix/smtpd[21611]: reject: RCPT from
Eibach-Springs.cust-rtr.pacbell.net[216.103.61.214]: 554 Service
unavailable; [216.103.61.214] blocked using relays.ordb.org, reason:
Blackholed by ORDB -- see http://ordb.org/lookup/?host=216.103.61.214;
from=<jc...@eibach.com> to=<je...@goldlineonline.com>
Sep 27 10:52:15 ns1 postfix/smtpd[21611]: disconnect from
Eibach-Springs.cust-rtr.pacbell.net[216.103.61.214]



Nick Simicich

Sep 29, 2001, 6:15:43 AM
Here is my setup. You wanted someone to treat you simply. Just copy my
setup, making minimal changes.

smtpd_helo_required = yes
smtpd_helo_restrictions - empty
smtpd_sender_restrictions - empty

Specify all of your restrictions in smtpd_recipient_restrictions. Don't
ask questions, just do it.

What matters is the order in which things happen. So you do permits before
restricts. First you allow networks you will always
allow. check_recipient_access allows you to do different lists of
restrictions for different people. Finally you do your permit_mx_backup
and check_relay_domains.

smtpd_recipient_restrictions =
permit_mynetworks,permit_sasl_authenticated,
check_recipient_access pcre:/etc/postfix/recipients,
permit_mx_backup,
check_relay_domains

Like I said, check_recipient_access allows you to use different lists of
restrictions by address. All of the things we do to check and bounce mail
happens in the special restriction classes which are selected per userid.

permit_sasl_authenticated is optional if you use sasl

smtpd_restriction_classes =
permissive,
specialcustomer,
restrictive

We have three classes - a permissive one for postmaster and abuse, a
special one for just the whacky user who insists on getting some spam, and
the normal class for everything else.

restrictive =
check_helo_access pcre:/etc/postfix/allow_broken_bad_helo_hosts,
reject_maps_rbl, reject_unknown_client,
reject_invalid_hostname, reject_unknown_hostname,
reject_unknown_sender_domain,reject_non_fqdn_sender,
reject_non_fqdn_recipient,reject_unauth_pipelining

Our normal case is to check some exceptions by helo message, then process
the rbl, then to check the reverse resolution of the client, then do all of
the other checks.

specialcustomer =
check_sender_access
pcre:/etc/postfix/allow_specialcustomer_some_senders,
check_helo_access pcre:/etc/postfix/allow_broken_bad_helo_hosts,
reject_maps_rbl, reject_unknown_client,
reject_invalid_hostname, reject_unknown_hostname,
reject_unknown_sender_domain,reject_non_fqdn_sender,
reject_non_fqdn_recipient,reject_unauth_pipelining

For our special customer, the first thing we do is check the RFC 821 senders
against the exception lists, then our regular list of filtering and
checks. The point is that this happens in order - if they match the
sender_access and the sender_access says OK, then we will never check the rbl.


permissive =
check_helo_access pcre:/etc/postfix/allow_broken_bad_helo_hosts,
reject_non_fqdn_recipient

This is what we do for abuse and postmaster - as long as they tell us
exactly which postmaster or abuse they want, we will accept the mail. We
do still check_relay_domains and allow_mynetworks, so that we do not relay
for people who want us to send to postmaster anywhere.

/etc/postfix/recipients gets the following:

[root@parrot root]# cat /etc/postfix/recipients
/^postmaster\@.*$/ permissive
/^abuse\@.*$/ permissive
/^specialcustomer\@customerdomain.com$/ specialcustomer
/^.*$/ restrictive
[root@parrot root]#

[root@parrot root]# cat /etc/postfix/allow_specialcustomer_some_senders
/^exception1\@exception1domain\.com$/ OK
/^exception2\@exception2domain\.com$/ OK
[root@parrot root]#

[root@parrot root]# cat /etc/postfix/allow_broken_bad_helo_hosts
# Allow hosts that issue broken helo messages (RFC-ignorant) but are
# important enough that I do not want to just bounce their mail
/\.stupid-isp\.net$/ OK
/^baddomain\.in\.aol\.com$/ OK
/\.broken\.edu$/ OK
[root@parrot root]#

If you follow this cookbook, do exactly what I do here, I think this is
everything you need to do. This actually works for me, I changed the names
to protect the innocent. If you do the regexps in
allow_specialcustomer_some_senders so that they do not pay attention to the
localpart, you can allow whole domains in just for that customer.

Is this clear? Just do everything in smtpd_recipient_restrictions. A verb
that performs a certain check on a helo message will always perform that
check on the helo message no matter which list it is specified in,
specifying it in more than one place is a waste.

Until you get this right, specify
soft_bounce = yes

and

notify_classes = policy,protocol

which will not push back 5xx return codes and will send postmaster e-mail
when something bounces either from policy or because they are clueless.

--
We often hear of war described as if it were some kind of impersonal
affliction, such as the Black Plague or famine.The fact is that war is not
just something that happens, it is something that people make happen, and
they make it happen for reasons. As Clausewitz said, war is the continuation
of politics by other means. Exactly. War is neither a hurricane nor a flood.
It is, on the contrary, the cutting edge of ideology.
-- Jeff Cooper
Nick Simicich - n...@scifi.squawk.com - http://scifi.squawk.com/njs.html

Ralf Hildebrandt

Sep 29, 2001, 6:17:01 AM
On 28 Sep 2001 23:51:49 +0200, Chris Jacobs <ch...@cjmedia.com> wrote:
>
> I don't know if I didn't explain it right or if I'm just dense,
> so I'm going to try again. I have a customer that needs to receive mail
> from one of his suppliers that is being blocked by ORDB,(The supplier
> has the open relay).


Make an exception for their IP.

> read the tests in main.cf go down until there is a match, and then exits
> the test,

Correct.

> 1. smtpd_recipient_restrictions 2. smtpd_sender_restrictions
> 3.smtpd_helo_restrictions, and since I'm not completely sure which test
> it would be(thought nunber 2), I put it to check sender_access in all
> three.

Put all restrictions into smtpd_recipient_restrictions since they're
evaluated there anyway.
Have a look at:
http://www.arschkrebs.de/postfix/mailhub.shtml
for a working example of UCE restrictions that allow arbitrary
exceptions.

> smtpd_recipient_restrictions =
> permit_mynetworks,
> check_sender_access hash:/etc/postfix/sender_access,
> reject_non_fqdn_recipient,
> check_client_access hash:/etc/postfix/pop-before-smtp,
> reject_maps_rbl,
> check_relay_domains
>
> smtpd_sender_restrictions =
> check_sender_access hash:/etc/postfix/sender_access,
> reject_maps_rbl
>
> smtpd_helo_restrictions =
> check_sender_access hash:/etc/postfix/sender_access,
> reject_maps_rbl

Argh. This is bloody stupid.
Why do you USE THE SAME DB for sender_access in all restrictions? What
is the use of that? Lose it except for the instance in
smtpd_recipient_restrictions.

Why do you use reject_maps_rbl in all restrictions? What
is the use of that? Lose it except for the instance in
smtpd_recipient_restrictions.

Ergo only smtpd_recipient_restrictions remain, the others can be
simplified to

smtpd_sender_restrictions =
smtpd_helo_restrictions =

> sender_access = hash:/etc/postfix/sender_access
What is this?

> Eibach-Springs.cust-rtr.pacbell.net OK
> eibach.com PERMIT
> kmar...@eibach.com PERMIT
> 216.103.61.214 PERMIT
> jc...@eibach.com PERMIT
> pacbell.net PERMIT

PERMIT? Only OK and REJECT and numeric codes are allowed! "man
access"!!!

--
ralf.hil...@innominate.com innominate AG
Technical Consultant Don't be afraid of what you see -
Diplom-Informatiker be afraid of what you don't see!
tel: +49.(0)7000.POSTFIX fax: +49.(0)30.308806-77
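The three approaches argued over in this thread (Chris's sender-keyed OK entries, Michael Tokarev's client-keyed entry whose right-hand side is check_relay_domains, and the restriction-class layout from Sven Michels and Nick Simicich) can be compared on the same SMTP sessions with a small model of how smtpd walks a restriction list. The block below is an added example written for this page; it is not Postfix code and not anything the posters supplied. It mimics the access(5) lookup order (host name, then parent domains, then IP and shorter prefixes for clients; user@domain, domain and its parents, then user@ for senders and recipients) and the "first PERMIT or REJECT wins, DUNNO falls through" rule, with the obsolete check_relay_domains modelled on the recipient domain only. The supplier's host and IP, mynetworks and mydestination come from the thread; every other host, address and session (the example.com/example.net/example.org names, the 198.51.100.7 and 203.0.113.9 clients, the RBL listing) is constructed.

```python
# Added example, not code from this thread or from Postfix: a model of how smtpd
# walks a restriction list and looks up access(5) maps, so the sender-based
# exception from the first post can be compared, on the same sessions, with the
# client-based and restriction-class variants from the replies. The supplier
# host/IP, mynetworks and mydestination come from the thread; everything else
# (hosts, addresses, the DNSBL listing) is constructed.
from collections import namedtuple
from ipaddress import ip_address, ip_network

PERMIT, REJECT, DUNNO = "PERMIT", "REJECT", "DUNNO"
Session = namedtuple("Session", "client_name client_ip sender recipient")
Config = namedtuple("Config", "rcpt_restrictions maps classes")  # main.cf pieces
MYNETWORKS = ["206.55.155.0/24", "127.0.0.1/32"]
MYDESTINATION = {"goldlineonline.com", "cjmedia.com"}
RBL_LISTED = {"216.103.61.214", "203.0.113.9"}  # what the DNSBL would answer (constructed)

def domain_keys(name):
    """access(5) lookup order for a host or domain: a.b.c, then b.c, then c."""
    parts = name.lower().split(".")
    return [".".join(parts[i:]) for i in range(len(parts))]

def ip_keys(ip):
    """access(5) lookup order for an IPv4 client: 1.2.3.4, 1.2.3, 1.2, 1."""
    parts = ip.split(".")
    return [".".join(parts[:i]) for i in range(len(parts), 0, -1)]

def address_keys(addr):
    """access(5) lookup order for a sender/recipient: user@dom, dom and parents, user@."""
    local, _, dom = addr.lower().partition("@")
    return [addr.lower()] + domain_keys(dom) + [local + "@"]

def evaluate(cfg, restrictions, s, depth=0):
    """First PERMIT/REJECT wins, DUNNO falls through, an exhausted list is DUNNO."""
    if depth > 8:
        raise RecursionError("restriction class loop")
    for r in restrictions:
        verdict = apply(cfg, r, s, depth)
        if verdict != DUNNO:
            return verdict
    return DUNNO

def apply(cfg, r, s, depth):
    name, _, table = r.partition(" ")
    if name == "permit_mynetworks":
        ip = ip_address(s.client_ip)
        return PERMIT if any(ip in ip_network(n) for n in MYNETWORKS) else DUNNO
    if name == "reject_maps_rbl":
        return REJECT if s.client_ip in RBL_LISTED else DUNNO
    if name == "check_relay_domains":  # the old verb: our recipient -> permit, else reject
        return PERMIT if s.recipient.rpartition("@")[2].lower() in MYDESTINATION else REJECT
    if name in cfg.classes:            # a restriction class is just a nested list
        return evaluate(cfg, cfg.classes[name], s, depth + 1)
    keys = {"check_client_access": domain_keys(s.client_name) + ip_keys(s.client_ip),
            "check_sender_access": address_keys(s.sender),
            "check_recipient_access": address_keys(s.recipient)}[name]
    rhs = next((cfg.maps[table][k] for k in keys if k in cfg.maps[table]), None)
    if rhs is None:
        return DUNNO
    word = rhs.split()[0]
    if word.upper() == "OK":
        return PERMIT
    if word.upper() == "REJECT" or word[0] in "45":  # REJECT or an explicit 4xx/5xx reply
        return REJECT
    return apply(cfg, rhs, s, depth + 1)  # otherwise a restriction name or class

def decide(cfg, s):
    """smtpd_recipient_restrictions: running off the end of the list means permit."""
    v = evaluate(cfg, cfg.rcpt_restrictions, s)
    return PERMIT if v == DUNNO else v

SUPPLIER = ("Eibach-Springs.cust-rtr.pacbell.net", "216.103.61.214")  # from the log
LISTED = ("relay.example.com", "203.0.113.9")     # another listed host (constructed)
OUTSIDER = ("mail.example.net", "198.51.100.7")   # unlisted stranger (constructed)
SESSIONS = {  # local parts and the non-local recipients are constructed
    "supplier_to_customer": Session(*SUPPLIER, "supplier@eibach.com", "customer@goldlineonline.com"),
    "supplier_relays_out": Session(*SUPPLIER, "supplier@eibach.com", "victim@example.org"),
    "forged_sender_relay": Session(*OUTSIDER, "anyone@pacbell.net", "victim@example.org"),
    "listed_to_customer": Session(*LISTED, "someone@example.com", "customer@goldlineonline.com"),
    "listed_to_postmaster": Session(*LISTED, "someone@example.com", "postmaster@goldlineonline.com"),
    "listed_postmaster_relay": Session(*LISTED, "someone@example.com", "postmaster@example.org"),
}
# 1. The first post's idea: exception keyed on the SENDER domain (with the valid rhs OK).
WEAK = Config(
    ["permit_mynetworks", "check_sender_access sender_access", "reject_maps_rbl", "check_relay_domains"],
    {"sender_access": {"eibach.com": "OK", "pacbell.net": "OK"}}, {})
# 2. Michael Tokarev's advice: key on the CLIENT IP, with check_relay_domains instead of OK.
CLIENT_FIX = Config(
    ["permit_mynetworks", "check_client_access client_access", "reject_maps_rbl", "check_relay_domains"],
    {"client_access": {SUPPLIER[1]: "check_relay_domains"}}, {})
# 3. Sven Michels' restriction class, shared by the client map and a postmaster@/abuse@ map.
CLASS_FIX = Config(
    ["permit_mynetworks", "check_recipient_access recipient_access",
     "check_client_access client_access", "reject_maps_rbl", "check_relay_domains"],
    {"recipient_access": {"postmaster@": "mail_from_rbl", "abuse@": "mail_from_rbl"},
     "client_access": {SUPPLIER[1]: "mail_from_rbl"}},
    {"mail_from_rbl": ["check_relay_domains"]})

def verdicts(cfg):
    return {name: decide(cfg, s) for name, s in SESSIONS.items()}

if __name__ == "__main__":
    for label, cfg in (("sender OK", WEAK), ("client fix", CLIENT_FIX), ("class fix", CLASS_FIX)):
        print(f"{label:10}", verdicts(cfg))
```

Running it shows the point Michael makes: the sender-keyed OK entries let an arbitrary outside host relay to any destination as soon as it claims a pacbell.net or eibach.com sender, while the client-keyed entry with check_relay_domains as its right-hand side accepts the blocked supplier only for local recipients and still refuses relaying; the restriction class adds the same treatment for postmaster@ and abuse@ without letting anyone relay to postmaster elsewhere. On a real system the map lookups can be checked the same way with `postmap -q 216.103.61.214 hash:/etc/postfix/client_access` after running `postmap` on the file; on current Postfix the check_relay_domains verb is gone and reject_unauth_destination takes its place, which rejects non-local recipients but does not permit, so the list then needs its own permit (or the implicit one at the end).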
