On 27 Dec 2015, at 20:22, Alex wrote:
[...]

smtpd_recipient_restrictions =
  reject_non_fqdn_recipient,
  reject_non_fqdn_sender,
  reject_unlisted_recipient,
  reject_unknown_recipient_domain,
  permit_mynetworks,
  reject_unauth_destination,
  reject_unknown_sender_domain,
  reject_rhsbl_reverse_client mykey.dbl.dq.spamhaus.net,
  reject_rhsbl_sender mykey.dbl.dq.spamhaus.net,
  reject_rhsbl_helo mykey.dbl.dq.spamhaus.net
  check_helo_access pcre:/etc/postfix/helo_checks.pcre,
  check_helo_access hash:/etc/postfix/helo_checks,
  reject_non_fqdn_helo_hostname,
  reject_invalid_helo_hostname,
  check_policy_service inet:127.0.0.1:2501,
  check_recipient_access pcre:/etc/postfix/relay_recips_access,
  permit


No "OK" results from your other restriction lists affect how the reject_*
rules in this list operate. Specifically, the only exemption from
"reject_unknown_sender_domain" at RCPT time will be "permit_mynetworks".

Okay, that's more clear. I think I understood that, but not sure why I
didn't apply it also to smtpd_recipient_restrictions.

I'm unclear on what you're referring to as "it"... Let me try again.

As I understand your problem, there is mail which you must accept that uses a sender domain name which does not resolve. However, you generally want to use reject_unknown_sender_domain, which is a good thing.

The ideal way to address that problem is a check_sender_access map with your exception in the smtpd_sender_restrictions list, before reject_unknown_sender_domain ALSO in the smtpd_sender_restrictions list.

You currently have reject_unknown_sender_domain in smtpd_recipient_restrictions, so the bogus-domain mail is being rejected. If you were to put your permissive check_sender_access map in the smtpd_recipient_restrictions list before reject_unknown_sender_domain, all of the exceptions in the map would bypass all restrictions following it in smtpd_recipient_restrictions. Because a sender address is trivial to forge, that would open up a relay and/or local delivery hole as described in http://www.postfix.org/SMTPD_ACCESS_README.html


Since there aren't really any restrictions in
smtpd_sender_restrictions other than a bad NS, I now believe it's not
necessary to have any check_sender_access maps there to OK a sender,
correct?

Correct as stated. HOWEVER, if you have sender-based blanket restrictions like reject_unknown_sender_domain in smtpd_recipient_restrictions and need to make exceptions to them, ordering of rules in smtpd_recipient_restrictions becomes tricky if you want to avoid the exceptions turning into an obscure way to get around what should be unrelated restrictions. Sender addresses can be set to anything by anyone from anywhere, so using them as a basis to get past any restriction other than ones purely about sender addresses is unsafe.

As I mentioned, I'm trying to make sure that the IPs of a handful of
mail servers, and a handful of domains which they host, are not
rejected. I don't believe any of them will have a problem with DNS,

That belief seems to be in error. Your first message in this thread quoted a munged log line that showed a failure due to a domain not being in DNS.

but it's possible some could be blacklisted on an RBL.

The easiest fix for that is to add the trusted IPs to mynetworks. If you trust those mail servers to send you mail with a bogus sender domain, you trust those mail servers entirely.

Now it sounds like I should add a check_client_access and
check_sender_access map to my smtpd_recipient_restrictions after
permit_mynetworks:

smtpd_recipient_restrictions =
  reject_non_fqdn_recipient,
  reject_non_fqdn_sender,
  reject_unlisted_recipient,
  reject_unknown_recipient_domain,
  reject_unauth_destination,
  reject_unknown_sender_domain,
  permit_mynetworks,
  check_client_access hash:/etc/postfix/client_checks,
  check_sender_access hash:/etc/postfix/sender_checks,
  reject_rhsbl_reverse_client mykey.dbl.dq.spamhaus.net,
  reject_rhsbl_sender mykey.dbl.dq.spamhaus.net,
  reject_rhsbl_helo mykey.dbl.dq.spamhaus.net
  check_helo_access pcre:/etc/postfix/helo_checks.pcre,
  check_helo_access hash:/etc/postfix/helo_checks,
  reject_non_fqdn_helo_hostname,
  reject_invalid_helo_hostname,
  check_policy_service inet:127.0.0.1:2501,
  check_recipient_access pcre:/etc/postfix/relay_recips_access

I've also reordered reject_unauth_destination and
reject_unknown_sender_domain to above permit_mynetworks, as no one
should be routing mail to unauthorized destinations or domains.

This is a bit exasperating....

Do you not see reject_unknown_sender_domain in that list? Are you refusing to accept that "Sender address rejected: Domain not found" in your log meant what it said? This is the 3rd (& last) message where I've pointed at reject_unknown_sender_domain in smtpd_sender_restrictions being key to your originally described problem.

Putting reject_unknown_sender_domain in smtpd_sender_restrictions is more absolutely effective than burying it 1/3 of the way into smtpd_recipient_restrictions, with the added benefit that you can put your exceptions to reject_unknown_sender_domain in a check_sender_access map right before it in smtpd_sender_restrictions and have no concern about your special snowflake sender domains becoming a free pass for spammers to hit local users or to relay through you.
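
Added example, not part of the original message and not Postfix code: a simplified Python model of how restriction lists are walked, showing why the exception map is safe in smtpd_sender_restrictions but not in smtpd_recipient_restrictions. All addresses, domains and map contents are constructed, and only two lists and four restrictions are modelled.

```python
# Simplified model of Postfix restriction lists (illustration, not Postfix code).
# First non-DUNNO result wins: OK ends that list only, REJECT ends the transaction.
MYNETWORKS = {"192.0.2.10"}               # constructed trusted client
LOCAL_DOMAINS = {"example.org"}           # constructed: domains we accept mail for
RESOLVABLE = {"example.org", "example.net"}  # constructed stand-in for DNS
SENDER_OK = {"partner.invalid": "OK"}     # constructed check_sender_access map

def dom(addr):
    return addr.rsplit("@", 1)[-1].lower()

RULES = {
    "permit_mynetworks": lambda m: "OK" if m["client"] in MYNETWORKS else "DUNNO",
    "check_sender_access": lambda m: SENDER_OK.get(dom(m["sender"]), "DUNNO"),
    "reject_unknown_sender_domain": lambda m: "DUNNO" if dom(m["sender"]) in RESOLVABLE else "REJECT",
    "reject_unauth_destination": lambda m: "DUNNO" if dom(m["rcpt"]) in LOCAL_DOMAINS else "REJECT",
}

def evaluate(config, msg):
    """Walk sender, then recipient restrictions; return the verdict."""
    for list_name in ("smtpd_sender_restrictions", "smtpd_recipient_restrictions"):
        for rule in config.get(list_name, []):
            result = RULES[rule](msg)
            if result == "REJECT":
                return f"REJECT: {rule} ({list_name})"
            if result == "OK":
                break  # skips the rest of THIS list only
    return "ACCEPT"

# Exception map placed in the recipient list, ahead of the relay check.
MAP_IN_RCPT = {"smtpd_recipient_restrictions": [
    "permit_mynetworks", "check_sender_access",
    "reject_unauth_destination", "reject_unknown_sender_domain"]}
# Map placed after reject_unknown_sender_domain: the exception never fires.
MAP_TOO_LATE = {"smtpd_recipient_restrictions": [
    "reject_unauth_destination", "reject_unknown_sender_domain",
    "permit_mynetworks", "check_sender_access"]}
# Exception and reject both in the sender list; relay check stays independent.
MAP_IN_SENDER = {
    "smtpd_sender_restrictions": ["check_sender_access", "reject_unknown_sender_domain"],
    "smtpd_recipient_restrictions": ["permit_mynetworks", "reject_unauth_destination"]}

# Constructed messages from an untrusted client using the excepted sender domain.
TO_LOCAL = {"client": "203.0.113.7", "sender": "a@partner.invalid", "rcpt": "u@example.org"}
TO_REMOTE = {"client": "203.0.113.7", "sender": "a@partner.invalid", "rcpt": "u@example.net"}

if __name__ == "__main__":
    for cfg in (MAP_IN_RCPT, MAP_TOO_LATE, MAP_IN_SENDER):
        print(evaluate(cfg, TO_LOCAL), "|", evaluate(cfg, TO_REMOTE))
```

Only the third layout both accepts the excepted sender for local delivery and still refuses it for a non-local recipient.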
