Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss
Creating exceptions to greylisting
193 views
Skip to first unread message
Gerben Wierda
Feb 2, 2013, 11:25:40 AM2/2/13
to
I have set up my smtpd restrictions as follows:
smtpd_client_restrictions = permit_mynetworks permit_sasl_authenticated check_sender_access hash:/etc/postfix/whitelist reject_rbl_client zen.spamhaus.org permit
smtpd_recipient_restrictions = permit_sasl_authenticated permit_mynetworks reject_unauth_destination check_policy_service unix:private/policy permit
Now, when some larger institutions, like Facebook and Amazon try to send mail, it fails. For Amazon, they react to a 4xx error as to a 5xx error, they never try to resend. Facebook presents me with another problem,
Feb 2 16:59:40 vanroodewierda postfix/smtpd[17722]: connect from outmail023.snc4.facebook.com[66.220.144.157]
Feb 2 16:59:41 vanroodewierda postfix/smtpd[17722]: NOQUEUE: reject: RCPT from outmail023.snc4.facebook.com[66.220.144.157]: 450 4.7.1 <face...@masteringarchimate.com>: Recipient address rejected: Service is unavailable; from=<password+k...@facebookmail.com> to=<face...@masteringarchimate.com> proto=ESMTP helo=<mx-out.facebook.com>
Feb 2 16:59:46 vanroodewierda postfix/smtpd[17722]: disconnect from outmail023.snc4.facebook.com[66.220.144.157]
Feb 2 17:06:56 vanroodewierda postfix/smtpd[18015]: connect from outmail016.snc4.facebook.com[66.220.144.150]
Feb 2 17:06:57 vanroodewierda postfix/smtpd[18015]: NOQUEUE: reject: RCPT from outmail016.snc4.facebook.com[66.220.144.150]: 450 4.7.1 <face...@masteringarchimate.com>: Recipient address rejected: Service is unavailable; from=<password+k...@facebookmail.com> to=<face...@masteringarchimate.com> proto=ESMTP helo=<mx-out.facebook.com>
Feb 2 17:07:02 vanroodewierda postfix/smtpd[18015]: disconnect from outmail016.snc4.facebook.com[66.220.144.150]
Every next time the attempt is made, it is made from a different server, so until I have they whole farm of facebook in my DB it will not pass.
So, I need a whitelist. But how?
I tried adding something to client restrictions, but that does not work. I obviously need something in the list of recipient restrictions. How can I tell postfix to accept mail from facebook (above example) or Amazon (in general), preferably with some form of regular expressions?
Thanks,
G
smtpd_client_restrictions = permit_mynetworks permit_sasl_authenticated check_sender_access hash:/etc/postfix/whitelist reject_rbl_client zen.spamhaus.org permit
smtpd_recipient_restrictions = permit_sasl_authenticated permit_mynetworks reject_unauth_destination check_policy_service unix:private/policy permit
Now, when some larger institutions, like Facebook and Amazon try to send mail, it fails. For Amazon, they react to a 4xx error as to a 5xx error, they never try to resend. Facebook presents me with another problem,
Feb 2 16:59:40 vanroodewierda postfix/smtpd[17722]: connect from outmail023.snc4.facebook.com[66.220.144.157]
Feb 2 16:59:41 vanroodewierda postfix/smtpd[17722]: NOQUEUE: reject: RCPT from outmail023.snc4.facebook.com[66.220.144.157]: 450 4.7.1 <face...@masteringarchimate.com>: Recipient address rejected: Service is unavailable; from=<password+k...@facebookmail.com> to=<face...@masteringarchimate.com> proto=ESMTP helo=<mx-out.facebook.com>
Feb 2 16:59:46 vanroodewierda postfix/smtpd[17722]: disconnect from outmail023.snc4.facebook.com[66.220.144.157]
Feb 2 17:06:56 vanroodewierda postfix/smtpd[18015]: connect from outmail016.snc4.facebook.com[66.220.144.150]
Feb 2 17:06:57 vanroodewierda postfix/smtpd[18015]: NOQUEUE: reject: RCPT from outmail016.snc4.facebook.com[66.220.144.150]: 450 4.7.1 <face...@masteringarchimate.com>: Recipient address rejected: Service is unavailable; from=<password+k...@facebookmail.com> to=<face...@masteringarchimate.com> proto=ESMTP helo=<mx-out.facebook.com>
Feb 2 17:07:02 vanroodewierda postfix/smtpd[18015]: disconnect from outmail016.snc4.facebook.com[66.220.144.150]
Every next time the attempt is made, it is made from a different server, so until I have they whole farm of facebook in my DB it will not pass.
So, I need a whitelist. But how?
I tried adding something to client restrictions, but that does not work. I obviously need something in the list of recipient restrictions. How can I tell postfix to accept mail from facebook (above example) or Amazon (in general), preferably with some form of regular expressions?
Thanks,
G
Wietse Venema
Feb 2, 2013, 11:48:11 AM2/2/13
to
Gerben Wierda:
*after* reject_unauth_destination and before the check_policy_service.
/etc/postfix/main.cf:
smtpd_recipient_restrictions =
...
reject_unauth_destination
check_client_access hash:/etc/postfix/client_access
check_policy_service unix:private/policy
/etc/postfix/client_access:
amazon.com permit
...
The reason for having the whitelist after reject_unauth_destination
is that it is safe to use "permit" without becoming an open relay
(to avoid the latter problem, Postfix 2.10 recomments using
smtpd_relay_restrictions for the mail relay policy, and
smtpd_recipient_restrictions for the spam policy).
Wietse
> smtpd_recipient_restrictions = permit_sasl_authenticated permit_mynetworks reject_unauth_destination check_policy_service unix:private/policy permit
>
To exclude some site from greylist checks, use an access table
>
*after* reject_unauth_destination and before the check_policy_service.
/etc/postfix/main.cf:
smtpd_recipient_restrictions =
...
reject_unauth_destination
check_client_access hash:/etc/postfix/client_access
check_policy_service unix:private/policy
/etc/postfix/client_access:
amazon.com permit
...
The reason for having the whitelist after reject_unauth_destination
is that it is safe to use "permit" without becoming an open relay
(to avoid the latter problem, Postfix 2.10 recomments using
smtpd_relay_restrictions for the mail relay policy, and
smtpd_recipient_restrictions for the spam policy).
Wietse
Gerben Wierda
Feb 2, 2013, 12:10:24 PM2/2/13
to
Dag & Dank Wietse,
Can I do perl regex, e.g.
outmail\d\d\d.snc\d.facebook.com permit
or globbing like
outmail*.snc4*.facebook.com
And secondly, I also get mail I want to leave through where the sender is an operation like messagelabs, but I want to accept only certain senders using messagelabs, e.g. apg.nl or apg-am.nl. So not so much the client but the from, e.g.
@apg.nl permit
how do I do that?
G
Can I do perl regex, e.g.
outmail\d\d\d.snc\d.facebook.com permit
or globbing like
outmail*.snc4*.facebook.com
And secondly, I also get mail I want to leave through where the sender is an operation like messagelabs, but I want to accept only certain senders using messagelabs, e.g. apg.nl or apg-am.nl. So not so much the client but the from, e.g.
@apg.nl permit
how do I do that?
G
John Allen
Feb 2, 2013, 12:51:02 PM2/2/13
to
On 02/02/2013 11:25 AM, Gerben Wierda wrote:
> So, I need a whitelist. But how?
>
If you are using postgrey then you can add something to the white list
> So, I need a whitelist. But how?
>
which can be found in/etc/postgrey (debian).
Might help
John A
Gerben Wierda
Feb 2, 2013, 1:37:41 PM2/2/13
to
Actually, I'm still on
/usr/libexec/postfix/greylist.pl
as I am using Mac OS X Server 10.6.8 and I haven't dared to upgrade to a higher version of OS X Server as they were busy crippling it in many respects.
G
/usr/libexec/postfix/greylist.pl
as I am using Mac OS X Server 10.6.8 and I haven't dared to upgrade to a higher version of OS X Server as they were busy crippling it in many respects.
G
Reindl Harald
Feb 2, 2013, 1:47:18 PM2/2/13
to
Am 02.02.2013 19:37, schrieb Gerben Wierda:
> Actually, I'm still on
>
> /usr/libexec/postfix/greylist.pl
>
> as I am using Mac OS X Server 10.6.8 and I haven't dared to upgrade to a higher version of OS X Server as they were busy crippling it in many respects.
because 10.8 is out? why the hell do people run OSX for a server
and not care having one of the most insecure platforms connected
to the internet AS SERVER????
James Griffin
Feb 2, 2013, 2:36:54 PM2/2/13
to
--> Gerben Wierda <gerben...@rna.nl> [2013-02-02 19:37:41 +0100]:
> Actually, I'm still on /usr/libexec/postfix/greylist.pl
> as I am using Mac OS X Server 10.6.8 and I haven't dared to upgrade
> to a higher version of OS X Server as they were busy crippling it
> in many respects.
It's actually very easy to upgrade your Postfix installation by
compiling the source code. I have needed to do it numerous times,
it's worth getting into the habit of upgrading in this way if you're
using internet servers.
You can also use the Macports system. It will provide a way for you
to use the newer Macports Postfix and stop the Apple installed
Postfix using launchctl. It's all automated and practically idiot
proof.
--
Primary Key: 4096R/1D31DC38 2011-12-03
Key Fingerprint: A4B9 E875 A18C 6E11 F46D B788 BEE6 1251 1D31 DC38
> Actually, I'm still on /usr/libexec/postfix/greylist.pl
> as I am using Mac OS X Server 10.6.8 and I haven't dared to upgrade
> to a higher version of OS X Server as they were busy crippling it
> in many respects.
compiling the source code. I have needed to do it numerous times,
it's worth getting into the habit of upgrading in this way if you're
using internet servers.
You can also use the Macports system. It will provide a way for you
to use the newer Macports Postfix and stop the Apple installed
Postfix using launchctl. It's all automated and practically idiot
proof.
--
Primary Key: 4096R/1D31DC38 2011-12-03
Key Fingerprint: A4B9 E875 A18C 6E11 F46D B788 BEE6 1251 1D31 DC38
Gerben Wierda
Feb 2, 2013, 2:55:42 PM2/2/13
to
Just so there is no misunderstanding: I am unhappy running an older version that is not updated with security fixes anymore and I had planned to upgrade before now (but not immediately when 10.8 came out as 10.8.0 Server was not what you say trustworthy. I skipped 10.7 server altogether because it is a disaster area.
I plan to upgrade asap to 10.8 server.
For now, I came up with:
smtpd_client_restrictions = permit_mynetworks permit_sasl_authenticated check_client_access hash:/etc/postfix/whitelist_mtaclientdomains reject_rbl_client zen.spamhaus.org permit
smtpd_recipient_restrictions = permit_sasl_authenticated permit_mynetworks reject_unauth_destination check_client_access hash:/etc/postfix/whitelist_mtaclientdomains check_policy_service unix:private/policy permit
Which makes sure some clients are permitted before they end up in either RBL or Policy. Just for you more experienced people: is this OK?
Does macports overwrite what Apple has provided or does it have its own separate tree (like fink used to have, which means you get another job that is: keeping the second tree up to date)?
G
I plan to upgrade asap to 10.8 server.
For now, I came up with:
smtpd_client_restrictions = permit_mynetworks permit_sasl_authenticated check_client_access hash:/etc/postfix/whitelist_mtaclientdomains reject_rbl_client zen.spamhaus.org permit
smtpd_recipient_restrictions = permit_sasl_authenticated permit_mynetworks reject_unauth_destination check_client_access hash:/etc/postfix/whitelist_mtaclientdomains check_policy_service unix:private/policy permit
Which makes sure some clients are permitted before they end up in either RBL or Policy. Just for you more experienced people: is this OK?
Does macports overwrite what Apple has provided or does it have its own separate tree (like fink used to have, which means you get another job that is: keeping the second tree up to date)?
G
Stan Hoeppner
Feb 2, 2013, 4:08:02 PM2/2/13
to
On 2/2/2013 11:10 AM, Gerben Wierda wrote:
> Dag & Dank Wietse,
>
> Can I do perl regex, e.g.
>
> outmail\d\d\d.snc\d.facebook.com permit
>
> or globbing like
>
> outmail*.snc4*.facebook.com
-> check_client_access pcre:/etc/postfix/client_access
> Dag & Dank Wietse,
>
> Can I do perl regex, e.g.
>
> outmail\d\d\d.snc\d.facebook.com permit
>
> or globbing like
>
> outmail*.snc4*.facebook.com
check_policy_service unix:private/policy
/etc/postfix/client_access:
/.*facebook\.com$/ permit
...
You may want to be more specific. I made my example very generic as
your expression above seems to miss some of their outbound host rdns,
such as: outappmail004.snc4.facebook.com
> And secondly, I also get mail I want to leave through where the sender is an operation like messagelabs, but I want to accept only certain senders using messagelabs, e.g. apg.nl or apg-am.nl. So not so much the client but the from, e.g.
>
> @apg.nl permit
>
> how do I do that?
FROM, then check_sender_access is what you want:
http://www.postfix.org/postconf.5.html#check_sender_access
So in the example above, directly after check_client_access, you'd have:
check_sender_access pcre:/etc/postfix/sender_access
and a file with expressions something like:
/etc/postfix/sender_access
/.*@apg\.nl$/ permit
...
--
Stan
Stan Hoeppner
Feb 2, 2013, 4:34:30 PM2/2/13
to
On 2/2/2013 1:55 PM, Gerben Wierda wrote:
> Just so there is no misunderstanding: I am unhappy running an older version that is not updated with security fixes anymore and I had planned to upgrade before now (but not immediately when 10.8 came out as 10.8.0 Server was not what you say trustworthy. I skipped 10.7 server altogether because it is a disaster area.
>
> I plan to upgrade asap to 10.8 server.
>
> For now, I came up with:
>
> smtpd_client_restrictions = permit_mynetworks permit_sasl_authenticated check_client_access hash:/etc/postfix/whitelist_mtaclientdomains reject_rbl_client zen.spamhaus.org permit
> smtpd_recipient_restrictions = permit_sasl_authenticated permit_mynetworks reject_unauth_destination check_client_access hash:/etc/postfix/whitelist_mtaclientdomains check_policy_service unix:private/policy permit
That's awfully difficult to read. Try putting each on its own line as
> Just so there is no misunderstanding: I am unhappy running an older version that is not updated with security fixes anymore and I had planned to upgrade before now (but not immediately when 10.8 came out as 10.8.0 Server was not what you say trustworthy. I skipped 10.7 server altogether because it is a disaster area.
>
> I plan to upgrade asap to 10.8 server.
>
> For now, I came up with:
>
> smtpd_client_restrictions = permit_mynetworks permit_sasl_authenticated check_client_access hash:/etc/postfix/whitelist_mtaclientdomains reject_rbl_client zen.spamhaus.org permit
> smtpd_recipient_restrictions = permit_sasl_authenticated permit_mynetworks reject_unauth_destination check_client_access hash:/etc/postfix/whitelist_mtaclientdomains check_policy_service unix:private/policy permit
in the examples we've given you. Also, put everything under
smtpd_recipient_restrictions
and eliminate smtpd_client_restrictions altogether. Now you no longer
have to duplicate restrictions between them. More importantly, you have
fine grained control over evaluation order. Thus, this would be much
better:
smtpd_recipient_restrictions =
permit_mynetworks
permit_sasl_authenticated
reject_unauth_destination
check_client_access pcre:/etc/postfix/client_access
check_sender_access pcre:/etc/postfix/sender_access
reject_rbl_client zen.spamhaus.org
check_policy_service unix:private/policy
...
/etc/postfix/client_access:
/.*facebook\.com$/ permit
...
/etc/postfix/sender_access
/.*@apg\.nl$/ permit
...
/.*@apg\.nl$/ permit
...
> Which makes sure some clients are permitted before they end up in either RBL or Policy. Just for you more experienced people: is this OK?
When using separate client and recipient restrictions, as you have
above, your rbl check against Zen can trigger before your whitelist
checks, causing a rejection. Using the method I've detailed above
avoids this situation. Because Postfix performs delayed rejection by
default, you can put all of your restrictions under
smtpd_recipient_restrictions and carefully control the order of
restriction evaluations. I'd guess that every experienced OP on this
list does it this way. It just doesn't make any sense to do otherwise.
> Does macports overwrite what Apple has provided or does it have its own separate tree (like fink used to have, which means you get another job that is: keeping the second tree up to date)?
--
Stan
Viktor Dukhovni
Feb 2, 2013, 4:50:11 PM2/2/13
to
On Sat, Feb 02, 2013 at 03:34:30PM -0600, Stan Hoeppner wrote:
> check_client_access pcre:/etc/postfix/client_access
replace:
/.*facebook\.com$/ permit
with
/\.facebook\.com$/ permit
since "notfacebook.com" is not "facebook.com" and any SMTP client
in the real facebook.com domain would be a proper sub-domain.
The second issue is not easy to fix, transient DNS lookup errors
(timeouts, ...) may result in a client hostname of "unknown" rather
than <mumble>.facebook.com. In such cases the whitelist entry will
not apply. Generally this is a problem as messages may be erroneously
rejected due to a transient error. In this case, provided the whitelist
entry is solely to avoid greylisting, this is OK, since greylisting
is responds with temporary (4XX) error codes.
--
Viktor.
> check_client_access pcre:/etc/postfix/client_access
> ...
>
> /etc/postfix/client_access:
> /.*facebook\.com$/ permit
This is not robust for two reasons, the first is a simple oversight,
>
> /etc/postfix/client_access:
> /.*facebook\.com$/ permit
replace:
/.*facebook\.com$/ permit
with
/\.facebook\.com$/ permit
since "notfacebook.com" is not "facebook.com" and any SMTP client
in the real facebook.com domain would be a proper sub-domain.
The second issue is not easy to fix, transient DNS lookup errors
(timeouts, ...) may result in a client hostname of "unknown" rather
than <mumble>.facebook.com. In such cases the whitelist entry will
not apply. Generally this is a problem as messages may be erroneously
rejected due to a transient error. In this case, provided the whitelist
entry is solely to avoid greylisting, this is OK, since greylisting
is responds with temporary (4XX) error codes.
--
Viktor.
Stan Hoeppner
Feb 2, 2013, 5:31:11 PM2/2/13
to
On 2/2/2013 3:50 PM, Viktor Dukhovni wrote:
> On Sat, Feb 02, 2013 at 03:34:30PM -0600, Stan Hoeppner wrote:
>
>> check_client_access pcre:/etc/postfix/client_access
>> ...
>>
>> /etc/postfix/client_access:
>> /.*facebook\.com$/ permit
>
> This is not robust for two reasons, the first is a simple oversight,
> replace:
It wasn't intended to be robust Viktor, but quite the opposite.
> On Sat, Feb 02, 2013 at 03:34:30PM -0600, Stan Hoeppner wrote:
>
>> check_client_access pcre:/etc/postfix/client_access
>> ...
>>
>> /etc/postfix/client_access:
>> /.*facebook\.com$/ permit
>
> This is not robust for two reasons, the first is a simple oversight,
> replace:
> /.*facebook\.com$/ permit
>
> with
>
> /\.facebook\.com$/ permit
>
> since "notfacebook.com" is not "facebook.com" and any SMTP client
> in the real facebook.com domain would be a proper sub-domain.
On 2/2/2013 3:08 PM, Stan Hoeppner wrote:
> You may want to be more specific. I made my example very generic as
> your expression above seems to miss some of their outbound host rdns,
> such as: outappmail004.snc4.facebook.com
rotten one, so as to teach him to pick his own fresh apples from the
tree. I.e. I gave him a rotten example of a regex hoping/assuming he'd
do some legwork and create his own set of fully qualified expressions to
meet his needs.
--
Stan
James Griffin
Feb 3, 2013, 7:22:27 AM2/3/13
to
--> Gerben Wierda <gerben...@rna.nl> [2013-02-02 20:55:42 +0100]:
> Just so there is no misunderstanding: I am unhappy running an
> older version that is not updated with security fixes anymore and
> I had planned to upgrade before now (but not immediately when 10.8
> came out as 10.8.0 Server was not what you say trustworthy. I skipped
> 10.7 server altogether because it is a disaster area. I plan
> to upgrade asap to 10.8 server.
Sure, I can understand that.
> Does macports overwrite what Apple has provided or does it have
it does use its own separate filesystem as Fink does; it's under
/opt/local. However, they do specify that have programs installed
in /usr/local (i.e. manually installed or otherwise) causes issues
when using Macports. Totally OT, sorry about that.
It does provide you a way of keeping installed programs up-to-date
which is why I suggested it. You simply use launctl/Launchd to
select which MTA you use; i.e. the Macports installed version or
the Apple preinstalled version.
> Just so there is no misunderstanding: I am unhappy running an
> older version that is not updated with security fixes anymore and
> I had planned to upgrade before now (but not immediately when 10.8
> came out as 10.8.0 Server was not what you say trustworthy. I skipped
> 10.7 server altogether because it is a disaster area. I plan
> to upgrade asap to 10.8 server.
> Does macports overwrite what Apple has provided or does it have
> ts own separate tree (like fink used to have, which means you get
> another job that is: keeping the second tree up to date)?
No, Macports does not overwrite what Apple has installed and yes,
> another job that is: keeping the second tree up to date)?
it does use its own separate filesystem as Fink does; it's under
/opt/local. However, they do specify that have programs installed
in /usr/local (i.e. manually installed or otherwise) causes issues
when using Macports. Totally OT, sorry about that.
It does provide you a way of keeping installed programs up-to-date
which is why I suggested it. You simply use launctl/Launchd to
select which MTA you use; i.e. the Macports installed version or
the Apple preinstalled version.
0 new messages