Hi,

>> It's taken me a few days to process what you've written, but I think
>> I'm now on the right track. Just to be sure I understand, I'd like to
>> list my smtpd_*_restrictions and ask if someone could review them.
>>
>> I have a list of domain names and IPs that I need to ensure are not
>> rejected. Given the restrictions below, if I add the IPs to a
>> check_client_access map in smtpd_client_restrictions, and the
>> hosts/domains to a check_sender_access map in
>> smtpd_sender_restrictions, can I expect them to bypass any further
>> checks?
>
> No.
>
> You cannot bypass restrictions in smtpd_recipient_restrictions by permitting
> a client hostname or IP in a smtpd_client_restrictions rule or by permitting
> a sender address or domain in smtpd_sender_restrictions.
>
> You cannot bypass restrictions in smtpd_sender_restrictions by permitting a
> client hostname or IP in a smtpd_client_restrictions
>
> The 7 Postfix restriction lists that apply to normal message transport are
> run in this order:
>
> At RCPT: (unless smtpd_delay_reject is set to "no")
>   smtpd_client_restrictions
>   smtpd_helo_restrictions
>   smtpd_sender_restrictions
>   smtpd_relay_restrictions (Postfix 2.10 and later)
>   smtpd_recipient_restrictions
>
> At DATA:
>   smtpd_data_restrictions
>
> At End-of-DATA:
>   smtpd_end_of_data_restrictions
>
> REJECT and DEFER results from any restriction in a list cause Postfix to
> skip all later restrictions in that restriction list AND all later
> restriction lists.
>
> PERMIT or OK results only cause Postfix to skip restrictions that occur
> later in the same restriction list.
>
>> smtpd_recipient_restrictions =
>>      reject_non_fqdn_recipient,
>>      reject_non_fqdn_sender,
>>      reject_unlisted_recipient,
>>      reject_unknown_recipient_domain,
>>      permit_mynetworks,
>>      reject_unauth_destination,
>>      reject_unknown_sender_domain,
>>      reject_rhsbl_reverse_client mykey.dbl.dq.spamhaus.net,
>>      reject_rhsbl_sender mykey.dbl.dq.spamhaus.net,
>>      reject_rhsbl_helo mykey.dbl.dq.spamhaus.net,
>>      check_helo_access pcre:/etc/postfix/helo_checks.pcre,
>>      check_helo_access hash:/etc/postfix/helo_checks,
>>      reject_non_fqdn_helo_hostname,
>>      reject_invalid_helo_hostname,
>>      check_policy_service inet:127.0.0.1:2501,
>>      check_recipient_access pcre:/etc/postfix/relay_recips_access,
>>      permit
>
>
> No "OK" results from your other restriction lists affect how the reject_*
> rules in this list operate. Specifically, the only exemption from
> "reject_unknown_sender_domain" at RCPT time will be "permit_mynetworks"

Okay, that's clearer. I think I understood that, but I'm not sure why I
didn't apply it also to smtpd_recipient_restrictions.

Since there aren't really any restrictions in
smtpd_sender_restrictions other than a bad NS, I now believe it's not
necessary to have any check_sender_access maps there to OK a sender,
correct?

As I mentioned, I'm trying to make sure that the IPs of a handful of
mail servers, and a handful of domains which they host, are not
rejected. I don't believe any of them will have a problem with DNS,
but it's possible some could be blacklisted on an RBL.

Now it sounds like I should add a check_client_access and
check_sender_access map to my smtpd_recipient_restrictions after
permit_mynetworks:

smtpd_recipient_restrictions =
     reject_non_fqdn_recipient,
     reject_non_fqdn_sender,
     reject_unlisted_recipient,
     reject_unknown_recipient_domain,
     reject_unauth_destination,
     reject_unknown_sender_domain,
     permit_mynetworks,
     check_client_access hash:/etc/postfix/client_checks,
     check_sender_access hash:/etc/postfix/sender_checks,
     reject_rhsbl_reverse_client mykey.dbl.dq.spamhaus.net,
     reject_rhsbl_sender mykey.dbl.dq.spamhaus.net,
     reject_rhsbl_helo mykey.dbl.dq.spamhaus.net,
     check_helo_access pcre:/etc/postfix/helo_checks.pcre,
     check_helo_access hash:/etc/postfix/helo_checks,
     reject_non_fqdn_helo_hostname,
     reject_invalid_helo_hostname,
     check_policy_service inet:127.0.0.1:2501,
     check_recipient_access pcre:/etc/postfix/relay_recips_access

I've also reordered reject_unauth_destination and
reject_unknown_sender_domain to above permit_mynetworks, as no one
should be routing mail to unauthorized destinations or domains.

>> Is it
>> possible to append text after the "OK" the way it's okay to do it with
>> the 554? If not, is there another way to do this? I didn't see a way
>> in the access(5) man page.
>
> No. How would you want Postfix to use such text?
> The text after a "554" action (or other non-OK action) in a Postfix access
> map is used in the SMTP reply to the client which constitutes the message
> rejection. That reply ultimately should be sent back to the original sender

I should have been clearer. I was hoping to somehow log an entry
each time one of those IPs is received, in a similar way to how the INFO
or PREPEND directive can be used, so we can better track these IPs.

Of course I could search for the IP in the logs, but I thought it
would be easier to search for them.

Thanks so much.
Alex
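The evaluation rules stated in the reply above (a REJECT or DEFER stops the current list and every later list; an OK or PERMIT only skips the rest of the current list) can be run through a small model to see why an OK in smtpd_client_restrictions does not shield a sender from reject_rhsbl_sender in smtpd_recipient_restrictions, while the same access maps placed inside smtpd_recipient_restrictions do. The following is an added example and is not Postfix code or code from either participant in the thread. The map names mirror the thread; the mynetworks entry, the whitelisted IP and domain, the relay domain and the DNSBL listing are constructed sample data; smtpd_helo, smtpd_relay, smtpd_data and end-of-data restrictions are left out.

```python
"""Toy evaluator for Postfix smtpd_*_restrictions lists.

Added example, not Postfix code and not from either author of the thread.
It encodes only the two rules stated in the reply: a REJECT/DEFER result
stops the current list and every later list; an OK/PERMIT result skips the
rest of the current list only; DUNNO moves on to the next rule.
"""
from dataclasses import dataclass, field


@dataclass
class Session:
    client_ip: str
    sender_domain: str
    recipient_domain: str
    log: list = field(default_factory=list)


# Constructed stand-ins for mynetworks, the two access maps and the RHSBL lookup.
MYNETWORKS = {"127.0.0.1"}
CLIENT_CHECKS = {"198.51.100.10": "OK"}             # hash:/etc/postfix/client_checks
SENDER_CHECKS = {"partner.example": "OK"}           # hash:/etc/postfix/sender_checks
RELAY_DOMAINS = {"example.com"}                     # domains this host accepts mail for
DBL_LISTED = {"partner.example", "spammy.example"}  # pretend the RHSBL lists these


# Each restriction returns OK, REJECT or DUNNO, as the real ones do.
def permit_mynetworks(s):
    return "OK" if s.client_ip in MYNETWORKS else "DUNNO"


def reject_unauth_destination(s):
    return "DUNNO" if s.recipient_domain in RELAY_DOMAINS else "REJECT"


def check_client_access(s):
    return CLIENT_CHECKS.get(s.client_ip, "DUNNO")


def check_sender_access(s):
    return SENDER_CHECKS.get(s.sender_domain, "DUNNO")


def reject_rhsbl_sender(s):
    return "REJECT" if s.sender_domain in DBL_LISTED else "DUNNO"


def run_list(name, rules, s):
    """Walk one restriction list; the first non-DUNNO verdict ends the list."""
    for rule in rules:
        verdict = rule(s)
        s.log.append(f"{name}: {rule.__name__} -> {verdict}")
        if verdict != "DUNNO":
            return verdict
    return "DUNNO"


def smtpd(lists, s):
    """Run the lists in Postfix's RCPT-time order (smtpd_delay_reject = yes)."""
    for name, rules in lists:
        verdict = run_list(name, rules, s)
        if verdict in ("REJECT", "DEFER"):
            return verdict          # also skips every later list
        # OK or DUNNO: the next list still runs in full
    return "OK"


# Variant A: the original idea, an OK for the IP in smtpd_client_restrictions only.
CONFIG_A = [
    ("smtpd_client_restrictions", [check_client_access]),
    ("smtpd_recipient_restrictions",
     [permit_mynetworks, reject_unauth_destination, reject_rhsbl_sender]),
]

# Variant B: what the thread arrives at, the access maps inside
# smtpd_recipient_restrictions, after permit_mynetworks and
# reject_unauth_destination but before the RHSBL rule.
CONFIG_B = [
    ("smtpd_client_restrictions", []),
    ("smtpd_recipient_restrictions",
     [permit_mynetworks, reject_unauth_destination,
      check_client_access, check_sender_access, reject_rhsbl_sender]),
]


def evaluate(config, client_ip, sender_domain, recipient_domain):
    """Return (final verdict, per-rule trace) for one RCPT command."""
    s = Session(client_ip, sender_domain, recipient_domain)
    return smtpd(config, s), s.log


if __name__ == "__main__":
    for label, cfg in (("A", CONFIG_A), ("B", CONFIG_B)):
        verdict, trace = evaluate(cfg, "198.51.100.10", "partner.example", "example.com")
        print(f"variant {label}: {verdict}")
        for line in trace:
            print("  " + line)
```

Running it shows variant A rejecting the listed sender even though check_client_access returned OK one list earlier, and variant B accepting it because the OK lands in the same list as reject_rhsbl_sender. The trace also shows why the order inside that list matters: with reject_unauth_destination ahead of the access maps, the whitelisted IP is still refused when it tries to relay to a domain the host does not accept mail for, whereas an OK placed before reject_unauth_destination would let that IP relay anywhere.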
