Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss
global postfix sender whitelist
237 views
Skip to first unread message
Вадим Бажов
Jun 11, 2016, 3:51:48 AM6/11/16
to
Hi all.
postfix 2.6, smtpd_delay_reject = yes.
Need to implement a total permissive whitelist for 'big bosses' by ip-adresses, email adresses, email domains.
So i need to use both check_client_access (for IPs whitelistings) and check_sender_access (for emails and domains whitelistings).
Or can i use IP adresses in check_sender_access ?
smtpd_delay_reject delays all checking until RCPT_TO stage but, anyway, all the checkings will made step by step in their original order. (in that order: client, helo, sender, recipient restrictions). Right?
Since permit action in access tables (action OK) doesn't stop checkings for particular email but skips a particular context, i need to insert check_* actions on every stage, at:
Right?
So i end up with following config:
Whats the difference between permit_mynetworks and check_client_access if i need to permit client's IP ?
postfix 2.6, smtpd_delay_reject = yes.
Need to implement a total permissive whitelist for 'big bosses' by ip-adresses, email adresses, email domains.
So i need to use both check_client_access (for IPs whitelistings) and check_sender_access (for emails and domains whitelistings).
Or can i use IP adresses in check_sender_access ?
smtpd_delay_reject delays all checking until RCPT_TO stage but, anyway, all the checkings will made step by step in their original order. (in that order: client, helo, sender, recipient restrictions). Right?
Since permit action in access tables (action OK) doesn't stop checkings for particular email but skips a particular context, i need to insert check_* actions on every stage, at:
smtpd_client_restrictions
smtpd_helo_restrictionssmtpd_sender_restrictionssmtpd_recipient_restrictionsRight?
So i end up with following config:
smtpd_client_restrictions = check_client_access hash:/etc/postfix/ip_wl ...
smtpd_helo_restrictions = check_client_access hash:/etc/postfix/ip_wl check_sender_access hash:/etc/postfix/email_wl ...smtpd_sender_restrictions = check_client_access hash:/etc/postfix/ip_wl check_sender_access hash:/etc/postfix/email_wl ...smtpd_recipient_restrictions = check_client_access hash:/etc/postfix/ip_wl check_sender_access hash:/etc/postfix/email_wl ...
Whats the difference between permit_mynetworks and check_client_access if i need to permit client's IP ?
-- С уважением, Бажов Вадим, Инженер отдела технической поддержки, Компания Айдеко -- Телефоны: +7 (495) 987-32-70; +7 (495) 662-87-34 (тех. поддержка); +7 (343) 220-77-55; Факс: +7 (343) 220-77-85 Электронная почта: Вопросы по приобретению: sa...@ideco.ru Технические вопросы: sup...@ideco.ru Партнерство: part...@ideco.ru Общие вопросы: in...@ideco.ru Сайт: http://ideco.ru Форум: http://forum.ideco.ru
Вадим Бажов
Jun 11, 2016, 3:56:52 AM6/11/16
to
Hi all.
postfix 2.6, smtpd_delay_reject = yes.
Need to implement a total permissive whitelist for 'big bosses' by ip-adresses, email adresses, email domains.
So i need to use both check_client_access (for IPs whitelistings) and check_sender_access (for emails and domains whitelistings).
Or can i use IP adresses in check_sender_access ?
smtpd_delay_reject delays all checking until RCPT_TO stage but, anyway, all the checkings will made step by step in their original order. (in that order: client, helo, sender, recipient restrictions). Right?
Since permit action in access tables (action OK) doesn't stop checkings for particular email but skips a particular context, i need to insert check_* actions on every stage, at:
Right?
So i end up with following config:
postfix 2.6, smtpd_delay_reject = yes.
Need to implement a total permissive whitelist for 'big bosses' by ip-adresses, email adresses, email domains.
So i need to use both check_client_access (for IPs whitelistings) and check_sender_access (for emails and domains whitelistings).
Or can i use IP adresses in check_sender_access ?
smtpd_delay_reject delays all checking until RCPT_TO stage but, anyway, all the checkings will made step by step in their original order. (in that order: client, helo, sender, recipient restrictions). Right?
Since permit action in access tables (action OK) doesn't stop checkings for particular email but skips a particular context, i need to insert check_* actions on every stage, at:
smtpd_client_restrictions
smtpd_helo_restrictionssmtpd_sender_restrictionssmtpd_recipient_restrictionsRight?
So i end up with following config:
smtpd_client_restrictions = check_client_access hash:/etc/postfix/ip_wl ...
smtpd_helo_restrictions = check_client_access hash:/etc/postfix/ip_wl check_sender_access hash:/etc/postfix/email_wl ...smtpd_sender_restrictions = check_client_access hash:/etc/postfix/ip_wl check_sender_access hash:/etc/postfix/email_wl ...smtpd_recipient_restrictions = check_client_access hash:/etc/postfix/ip_wl check_sender_access hash:/etc/postfix/email_wl ...
Am i right ?
1. Do i need (will it work) to insers
PS: Whats the difference between permit_mynetworks and check_client_access if i need to permit client's IP ?
1. Do i need (will it work) to insers
smtpd_client_restrictions
block ?
2.Is check_sender_access works under smtpd_helo_restrictions ?
3. I know about a danger to allow an open relay for whitelisted
clients, but they are 'big bosses' as I said an we can't loose
their emails. So what if i start each stage with '
reject_unauth_destination' command ?
PS: Whats the difference between permit_mynetworks and check_client_access if i need to permit client's IP ?
Noel Jones
Jun 11, 2016, 1:32:08 PM6/11/16
to
On 6/11/2016 2:56 AM, Вадим Бажов wrote:
> Hi all.
> postfix 2.6, smtpd_delay_reject = yes.
>
> Need to implement a total permissive whitelist for 'big bosses' by
> *ip-adresses, email adresses, email domains*.
> Hi all.
> postfix 2.6, smtpd_delay_reject = yes.
>
> Need to implement a total permissive whitelist for 'big bosses' by
> So i need to use both check_client_access (for IPs whitelistings)
> and check_sender_access (for emails and domains whitelistings).
check_client_access checks either the IP address or the verified
> and check_sender_access (for emails and domains whitelistings).
client hostname. This is very hard to spoof and is the preferred
way to whitelist.
check_sender_access checks the envelope sender email address, or
domain part of the envelope sender address. This is very easy to
spoof; avoid sender based whitelists unless you have no other way to
whitelist some particular message.
> Or can i use IP adresses in check_sender_access ?
>
> smtpd_delay_reject delays all checking until RCPT_TO stage but,
> anyway, all the checkings will made step by step in their original
> order. (in that order: client, helo, sender, recipient
> restrictions). Right?
> Since permit action in access tables (action OK) doesn't stop
> checkings for particular email but skips a particular context, i
> need to insert check_* actions on every stage, at:
> |smtpd_client_restrictions |
> |smtpd_helo_restrictions|
> |smtpd_sender_restrictions|
> |smtpd_recipient_restrictions|
>
> Right?
folks prefer to put all their restrictions in
smtpd_recipient_restrictions specifically to make whitelisting easier.
>
> So i end up with following config:
>
> |smtpd_client_restrictions = check_client_access
> hash:/etc/postfix/ip_wl ... |
> |smtpd_helo_restrictions = |||check_client_access
> hash:/etc/postfix/ip_wl |check_sender_access
> hash:/etc/postfix/email_wl ...|
> |smtpd_sender_restrictions = |||check_client_access
> hash:/etc/postfix/ip_wl |check_sender_access
> hash:/etc/postfix/email_wl ...|
> |smtpd_recipient_restrictions = |||check_client_access
> hash:/etc/postfix/ip_wl |check_sender_access
> hash:/etc/postfix/email_wl ... |
> Am i right ?
smtpd_recipient_restrictions =
permit_mynetworks
reject_unauth_destination
... whitelists here ...
... restrictions here ...
> 1. Do i need (will it work) to insers |||check_sender_access at
> ||smtpd_client_restrictions block ?
> 2.Is check_sender_access works under smtpd_helo_restrictions ?
be used in any section.
> 3. I know about a danger to allow an open relay for whitelisted
> clients, but they are 'big bosses' as I said an we can't loose their
> emails. So what if i start each stage with
> '||reject_unauth_destination' command ?
before any whitelists. This is safe for all legit mail since it
will not affect any mail addressed to you.
> |
> PS: Whats the difference between permit_mynetworks and
> check_client_access if i need to permit client's IP ?
through your server. permit_mynetworks must not be used for
whitelisting clients not authorized to relay.
Also, clients listed in mynetworks are subjected to different header
rewriting rules. This may cause confusion or break digital
signatures on non-local mail.
-- Noel Jones
Вадим Бажов
Jun 14, 2016, 10:23:07 AM6/14/16
to
Still didn't get any feedback.
Any thoughts about complete white list ?
Any thoughts about complete white list ?
11.06.2016 12:56, Вадим Бажов пишет:
Hi all.
postfix 2.6, smtpd_delay_reject = yes.
Need to implement a total permissive whitelist for 'big bosses' by ip-adresses, email adresses, email domains.
So i need to use both check_client_access (for IPs whitelistings) and check_sender_access (for emails and domains whitelistings).
Or can i use IP adresses in check_sender_access ?
smtpd_delay_reject delays all checking until RCPT_TO stage but, anyway, all the checkings will made step by step in their original order. (in that order: client, helo, sender, recipient restrictions). Right?
Since permit action in access tables (action OK) doesn't stop checkings for particular email but skips a particular context, i need to insert check_* actions on every stage, at:
smtpd_client_restrictionssmtpd_helo_restrictionssmtpd_sender_restrictionssmtpd_recipient_restrictions
Right?
So i end up with following config:
smtpd_client_restrictions = check_client_access hash:/etc/postfix/ip_wl ...smtpd_helo_restrictions =check_client_access hash:/etc/postfix/ip_wlcheck_sender_access hash:/etc/postfix/email_wl ...smtpd_sender_restrictions =check_client_access hash:/etc/postfix/ip_wlcheck_sender_access hash:/etc/postfix/email_wl ...
Am i right ?smtpd_recipient_restrictions =check_client_access hash:/etc/postfix/ip_wlcheck_sender_access hash:/etc/postfix/email_wl ...
1. Do i need (will it work) to insers smtpd_client_restrictions block ?
2.Is check_sender_access works under smtpd_helo_restrictions ?
3. I know about a danger to allow an open relay for whitelisted
clients, but they are 'big bosses' as I said an we can't loose
their emails. So what if i start each stage with 'reject_unauth_destination' command ?
PS: Whats the difference between permit_mynetworks and check_client_access if i need to permit client's IP ?
Wietse Venema
Jun 14, 2016, 11:22:46 AM6/14/16
to
> Still didn't get any feedback.
> Any thoughts about complete white list ?
Noel Jones posted a follow-up to your question. But, if you did not
> Any thoughts about complete white list ?
receive that, then you won't receive this reply, either.
Wietse
Noel Jones
Jun 14, 2016, 11:23:38 AM6/14/16
to
On 6/14/2016 9:22 AM, Вадим Бажов wrote:
> Still didn't get any feedback.
> Any thoughts about complete white list ?
This was answered.
> Still didn't get any feedback.
> Any thoughts about complete white list ?
http://comments.gmane.org/gmane.mail.postfix.user/255986
Вадим Бажов
Jun 14, 2016, 1:13:08 PM6/14/16
to
Didn't receive your answer due to our mailserver maintenance
schedule ( fail ! ;) )
Thank you for explanations.
Have some questions though.
You say:
Thank you for explanations.
Have some questions though.
You say:
check_client_access checks either the IP address or the verified client hostname. This is very hard to spoof and is the preferred way to whitelist. check_sender_access checks the envelope sender email address, or domain part of the envelope sender address. This is very easy to spoof; avoid sender based whitelists unless you have no other way to whitelist some particular message.
verified client hostname - what makes hostname verified ? Is
it getting checked by check_client_access based on ip-address
resolving or something ?
This is very easy to spoof : I always thought that sender address from the envelope headers is getting checked against it's domain part by resolving it and compairing with HELO or ip adress that is already known by that time.
All other questions seems to be clear for me by now.
This is very easy to spoof : I always thought that sender address from the envelope headers is getting checked against it's domain part by resolving it and compairing with HELO or ip adress that is already known by that time.
All other questions seems to be clear for me by now.
14.06.2016 20:23, Noel Jones пишет:
Noel Jones
Jun 14, 2016, 1:57:22 PM6/14/16
to
On 6/14/2016 12:12 PM, Вадим Бажов wrote:
> Didn't receive your answer due to our mailserver maintenance
> schedule ( fail ! ;) )
> Thank you for explanations.
> Have some questions though.
> You say:
>
>> check_client_access checks either the IP address or the verified
>> client hostname. This is very hard to spoof and is the preferred
>> way to whitelist.
>>
>> check_sender_access checks the envelope sender email address, or
>> domain part of the envelope sender address. This is very easy to
>> spoof; avoid sender based whitelists unless you have no other way to
>> whitelist some particular message.
>>
> /verified client hostname/ - what makes hostname verified ? Is it
> Didn't receive your answer due to our mailserver maintenance
> schedule ( fail ! ;) )
> Thank you for explanations.
> Have some questions though.
> You say:
>
>> check_client_access checks either the IP address or the verified
>> client hostname. This is very hard to spoof and is the preferred
>> way to whitelist.
>>
>> check_sender_access checks the envelope sender email address, or
>> domain part of the envelope sender address. This is very easy to
>> spoof; avoid sender based whitelists unless you have no other way to
>> whitelist some particular message.
>>
> getting checked by check_client_access based on ip-address resolving
> or something ?
Postfix confirms all hostnames with forward and reverse name
> or something ?
lookups. A host that fails any step of the verification is labeled
"unknown". This is difficult to spoof.
https://en.wikipedia.org/wiki/Forward-confirmed_reverse_DNS
>
> /This is very easy to spoof : /I always thought that sender address
> from the envelope headers is getting checked against it's domain
> part by resolving it and compairing with HELO or ip adress that is
> already known by that time.
The sender address is trivial to spoof. There is no requirement for
> part by resolving it and compairing with HELO or ip adress that is
> already known by that time.
the sender address to have any relation to the HELO/IP/hostname, and
in practice this is a very poor spam indicator -- only poorly
written spam filters even bother checking.
SPF is the method to combat sender spoofing, but is not available
for check_sender_access map lookups. If you must whitelist by
sender, you are strongly encouraged to use a filter, policy service,
or milter that checks SPF and rejects spoofed mail.
-- Noel Jones
0 new messages