
UCE restrictions


Dean Gibson (Mail Administrator)

Jun 12, 2003, 5:20:32 PM

Does "smtpd_client_restrictions = check_client_access hash:/etc/postfix/hash/client.map" also check the result of the reverse IP lookup? I'd like to block all mail emanating from videotron.ca IP addresses.

-- Dean

Dean Gibson (Mail Administrator)

Jun 13, 2003, 6:59:28 PM

That's what I thought the documentation said. However, here's my client access file (listed in main.cf: "smtpd_client_restrictions = check_client_access hash:/etc/postfix/hash/client.map"):

.videotron.ca 553 Blacklisted 2002-08-22 due to spam

(Someone suggested this should be ".mc.videotron.ca", which I will do soon, but see below.)

Here's a log entry:

Jun 13 08:20:24 fw1 postfix/smtpd[15999]: connect from relais.videotron.ca[24.201.245.36]
Jun 13 08:20:24 fw1 postfix/smtpd[15999]: B2160BBB91: client=relais.videotron.ca[24.201.245.36]
Jun 13 08:20:25 fw1 postfix/smtpd[15999]: reject: RCPT from relais.videotron.ca[24.201.245.36]: 450 <VL-MO-MR001.ip.videotron.ca>: Helo command rejected: Host not found; from=<> to=<postm...@ultimeth.net>
Jun 13 08:20:35 fw1 postfix/smtpd[15999]: disconnect from relais.videotron.ca[24.201.245.36]

My question is, since client restrictions in "smtpd_client_restrictions" are applied before "smtpd_helo_restrictions = reject_invalid_hostname", why is the above being rejected on helo hostname and not on the reverse IP lookup (which points to "videotron.ca") ??? The logs also verify I did a "postfix reload" after the "postmap" on the client access file.

I have not altered "smtpd_delay_reject".

-- Dean

Noel Jones wrote on 2003-06-12 14:30:

>At 02:20 PM 6/12/03 -0700, Dean Gibson (Mail Administrator) wrote:
>>Does "smtpd_client_restrictions = check_client_access hash:/etc/postfix/hash/client.map" also check the result of the reverse IP lookup? I'd like to block all mail emanating from videotron.ca IP addresses.
>>
>>-- Dean
>
>Yes, you may use client names in an access table. However if there is a DNS failure the client will be listed as "unknown" and the check won't work.
>Whenever possible, list clients by IP number.
>
>--
>Noel Jones


Wietse Venema

Jun 13, 2003, 8:49:59 PM

Dean Gibson (Mail Administrator):

> That's what I thought the documentation said. However, here's my client access file (listed in main.cf: "smtpd_client_restrictions = check_client_access hash:/etc/postfix/hash/client.map"):
>
> .videotron.ca 553 Blacklisted 2002-08-22 due to spam

Where does the fine manual say that domains start with . in
Postfix access tables?

Wietse

Dean Gibson (Mail Administrator)

Jun 13, 2003, 10:43:03 PM

In the fine MAN page for access (excerpts):

man 5 access

ACCESS(5) ACCESS(5)

NAME
access - format of Postfix access table

...

EMAIL ADDRESS PATTERNS
With lookups from indexed files such as DB or DBM, or from networked
tables such as NIS, LDAP or SQL, the following lookup patterns are
examined in the order as listed:

user@domain
Matches the specified mail address.

domain.tld
Matches domain.tld as the domain part of an email address.

The pattern domain.tld also matches subdomains, but only when
the string smtpd_access_maps is listed in the Postfix
parent_domain_matches_subdomains configuration setting. Otherwise,
specify .domain.tld (note the initial dot) in order to match
subdomains.

...

HOST NAME/ADDRESS PATTERNS
With lookups from indexed files such as DB or DBM, or from networked
tables such as NIS, LDAP or SQL, the following lookup patterns are
examined in the order as listed:

domain.tld
Matches domain.tld.

The pattern domain.tld also matches subdomains, but only when
the string smtpd_access_maps is listed in the Postfix
parent_domain_matches_subdomains configuration setting. Otherwise,
specify .domain.tld (note the initial dot) in order to match
subdomains.

This text is also at http://www.postfix.org/access.5.html

Should I leave off the dot, and specify "parent_domain_matches_subdomains = yes" instead ??

-- Dean


Nicolas Riendeau

Jun 13, 2003, 11:05:24 PM

Dean Gibson (Mail Administrator) wrote:

> The pattern domain.tld also matches subdomains, but only when
> the string smtpd_access_maps is listed in the Postfix
> parent_domain_matches_subdomains configuration setting.
>
> Otherwise, specify .domain.tld (note the initial dot) in order to
> match subdomains.
>
> This text is also at http://www.postfix.org/access.5.html
>
> Should I leave off the dot, and specify
> "parent_domain_matches_subdomains = yes" instead ??

Hi!

parent_domain_matches_subdomains is a list which, by default, contains

parent_domain_matches_subdomains = debug_peer_list,fast_flush_domains,
mynetworks,permit_mx_backup_networks,qmqpd_authorized_clients,relay_domains,smtpd_access_maps

I believe that when smtpd_access_maps is listed in parent_domain_matches_subdomains
the dot (".") *has to* be removed...

Have a nice day!

Nick
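
As an added example (not code from anyone in this thread, nor from Postfix itself), the following Python models the host-name lookup order that the access(5) excerpt above describes for check_client_access, so an entry like the one in Dean's client.map can be tested under both settings of parent_domain_matches_subdomains before it is relied on. It models only the host-name patterns, not the IP-address patterns Postfix also tries for a client, and the maps and client name are constructed from values quoted in the thread.

```python
# Added example, not code from the thread or from Postfix itself: a model of
# the host-name lookup order that access(5) describes for check_client_access.
# Assumption: only host-name patterns are modelled; the IP-address patterns
# Postfix also tries for a client are left out.

# Default value of parent_domain_matches_subdomains as quoted in the thread.
DEFAULT_PDMS = frozenset({
    "debug_peer_list", "fast_flush_domains", "mynetworks",
    "permit_mx_backup_networks", "qmqpd_authorized_clients",
    "relay_domains", "smtpd_access_maps",
})

def hostname_lookup_keys(client_name, pdms=DEFAULT_PDMS):
    """Keys tried, in order, for a client host name.

    With smtpd_access_maps in parent_domain_matches_subdomains, parent
    domains are looked up WITHOUT a leading dot; otherwise WITH one.
    """
    if client_name == "unknown":
        # Reverse DNS failed: Postfix logs the client as 'unknown', so no
        # host-name entry can match (Noel's point above).
        return []
    name = client_name.lower()
    labels = name.split(".")
    dotless = "smtpd_access_maps" in pdms
    keys = [name]
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        keys.append(parent if dotless else "." + parent)
    return keys

def check_client_access(access_map, client_name, pdms=DEFAULT_PDMS):
    """Action of the first matching entry, or None if nothing matches."""
    for key in hostname_lookup_keys(client_name, pdms):
        if key in access_map:
            return access_map[key]
    return None

# Constructed sample maps: Dean's dotted entry, and the dotless form that
# the default configuration actually consults.
DOTTED_MAP = {".videotron.ca": "553 Blacklisted 2002-08-22 due to spam"}
DOTLESS_MAP = {"videotron.ca": "553 Blacklisted 2002-08-22 due to spam"}

if __name__ == "__main__":
    client = "relais.videotron.ca"  # client name from the thread's log lines
    print(check_client_access(DOTTED_MAP, client))                    # None
    print(check_client_access(DOTLESS_MAP, client))                   # 553 ...
    print(check_client_access(DOTTED_MAP, client, frozenset()))       # 553 ...
```

With the default setting the dotted entry is never even looked up, which is exactly why Dean's map had no effect; removing the dot, or removing smtpd_access_maps from parent_domain_matches_subdomains, are the two ways to make it match.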


Nicolas Riendeau

Jun 13, 2003, 11:13:07 PM

Hi!

Dean Gibson (Mail Administrator) wrote:

> That's what I thought the documentation said. However, here's my client
> access file (listed in main.cf: "smtpd_client_restrictions =
> check_client_access hash:/etc/postfix/hash/client.map"):
>
> .videotron.ca 553 Blacklisted 2002-08-22 due to spam
>
> (Someone suggested this should be ".mc.videotron.ca", which I will do
> soon, but see below.)

I have a feeling mc stands for "modem cable" (cable modem in French...).

> Here's a log entry:
>
> Jun 13 08:20:24 fw1 postfix/smtpd[15999]: connect from
> relais.videotron.ca[24.201.245.36]
> Jun 13 08:20:24 fw1 postfix/smtpd[15999]: B2160BBB91:
> client=relais.videotron.ca[24.201.245.36]
> Jun 13 08:20:25 fw1 postfix/smtpd[15999]: reject: RCPT from
> relais.videotron.ca[24.201.245.36]: 450 <VL-MO-MR001.ip.videotron.ca>:
> Helo command rejected: Host not found; from=<> to=<postm...@ultimeth.net>

If you use reject_unknown_hostname you will never be able to receive mail from that
ISP's mail servers (there appear to be many servers "sitting" behind the relais.videotron.ca IP),
even if you block only mc.videotron.ca, as they are somewhat misconfigured...

[I believe each of these servers used to have their own IP but for some reason they decided
to put them all behind the same IP (using NAT...).]

Dean Gibson (Mail Administrator)

Jun 13, 2003, 11:53:36 PM

AAHHH! Since I never read about "parent_domain_matches_subdomains" (let alone changed it), I didn't realise that the DEFAULT included smtpd_access_maps, which is why the leading dot in the access map is not working !!!

Thanks!

-- Dean

Nicolas Riendeau wrote on 2003-06-13 20:05:
>Dean Gibson (Mail Administrator) wrote:
>
