Great.

Change this:
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated
     defer_unauth_destination permit_inet_interfaces check_client_access
     hash:/etc/postfix/access reject_unknown_reverse_client_hostname

to this:
smtpd_relay_restrictions =
  permit_mynetworks
  permit_sasl_authenticated
  reject_unauth_destination


Did you remember to postmap your access map?
postmap hash:/etc/postfix/access





On 4/2/2019 1:49 PM, Francesc Peñalvez wrote:
The problem that I have already described.
I have several rules against spammers and one of them is to reject the IPs that are not resolved. So when the resolution of the DNS fails those IPs are rejected for not having an inverse. In the access I have the IPs that interest me that these locks pass, but even so, as you can see in the connection log, they are rejected for not resolving the IP. Those IPs really do have an inverse but for some fault it does not resolve at the moment of connecting with my postfix.
The two postconf are from the server with which I have this problem.
In other emails I was told that the rule of the inverse resolution reject_unknown_reverse_client_hostname was earlier in the line than the access, so I changed the position but I still have this failure. The example of SMTP that I have set, although it does not match the IP, as I have put in another email, is an IP of the same company, in this case a digital newspaper that uses several IPs to send emails.

The problem I do not have in the shipment but in the reception of mails. I am sorry not to explain myself, I hope that I understand what I want to express

On 02/04/2019 at 20:08, Noel Jones wrote:
On 4/2/2019 12:15 PM, Francesc Peñalvez wrote:
The problem is with the directive reject_unknown_reverse_client_hostname: when there is a failure in the resolution of the IP, it blocks the connection with this IP. To avoid it I added the IP to the access file as indicated in the first mail, but it is still blocking that IP by not resolving. I activated the debug on that IP in case I saw the reason, and that's what I get between many data when that IP connects.

I don't quite understand what you're trying to say above, you don't show logs indicating the problem you're trying to solve, and your example SMTP session doesn't seem to match your posted config, so I'll give some general pointers.

In your posted config, no locally delivered mail gets past the "permit_auth_destination" statements, bypassing most of your restrictions.

Mail must be permitted (or not rejected) in every smtpd_*_restrictions section to be accepted.

It doesn't make much sense to use both reject_unknown_client_hostname and reject_unknown_reverse_client_hostname, especially with reject_unknown_reverse_client_hostname listed second.

Looks like you have a lot of duplicated statements.

In master.cf for your submission and smtps listeners, you should disable all those extra restrictions, eg.
  -o smtpd_helo_restrictions=
  -o smtpd_client_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o smtpd_recipient_restrictions=



  -- Noel Jones




  Out: 250-ETRN
  Out: 250-AUTH PLAIN LOGIN
  Out: 250-AUTH=PLAIN LOGIN
  Out: 250-ENHANCEDSTATUSCODES
  Out: 250-8BITMIME
  Out: 250 DSN
  In:  MAIL From:<webmas...@elperiodico.com>  SIZE=118853
  Out: 250 2.1.0 Ok
  In:  RCPT To:<naz...@almogavers.net>
  Out: 450 4.7.25 Client host rejected: cannot find your hostname,
      [217.124.241.125]
  In:  DATA
  Out: 554 5.5.1 Error: no valid recipients
  In:  RSET
  Out: 250 2.0.0 Ok
  In:  QUIT
  Out: 221 2.0.0 Bye

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
allow_percent_hack = no
allow_untrusted_routing = yes
append_dot_mydomain = no
biff = no
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_list = 213.4.61.170 195.77.249.6 212.0.124.176
home_mailbox = Maildir/
html_directory = no
inet_interfaces = all
inet_protocols = ipv4
mail_owner = postfix
mailbox_command = /usr/bin/procmail-wrapper -o -a $DOMAIN -d $LOGNAME
mailbox_size_limit = 0
mailq_path = /usr/bin/mailq
manpage_directory = /usr/local/man
masquerade_domains = almogavers.net
message_size_limit = 102400000
meta_directory = /etc/postfix
milter_default_action = accept
milter_protocol = 6
mydestination = ns.almogavers.net, localhost.almogavers.net, localhost,      canalonanismo.org, canalonanismo.es, almogavers.net, web.almogavers.net,
     active.almogavers.net, 5.39.93.184, 37.187.18.41
myhostname = almogavers.net
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 192.168.1.2
     almogavers.net 192.168.1.0/24
mynetworks_style = class
newaliases_path = /usr/bin/newaliases
non_smtpd_milters = inet:localhost:3277
notify_classes = bounce, 2bounce, delay, policy, protocol, resource, software
postscreen_access_list = permit_mynetworks cidr:/etc/postfix/trusted_ips.cidr
postscreen_blacklist_action = drop
postscreen_dnsbl_action = enforce
postscreen_dnsbl_reply_map = texthash:/etc/postfix/postscreen_dnsbl_reply
postscreen_dnsbl_sites = zen.spamhaus.org=127.0.0.[2..11]*3
     b.barracudacentral.org=127.0.0.[2..11]*2 bl.spamcop.net swl.spamhaus.org*-4
postscreen_dnsbl_threshold = 1
postscreen_dnsbl_ttl = 10m
postscreen_greet_action = enforce
queue_directory = /var/spool/postfix
readme_directory = no
recipient_delimiter = +
sample_directory = /etc/postfix
sender_bcc_maps = hash:/etc/postfix/bcc
sender_dependent_default_transport_maps = hash:/etc/postfix/dependent
sendmail_path = /usr/sbin/sendmail
setgid_group = postdrop
shlib_directory = /usr/lib/postfix
smtp_dns_support_level = enabled
smtp_host_lookup = dns
smtp_tls_CApath = /etc/ssl/certs
smtp_tls_ciphers = medium
smtp_tls_loglevel = 1
smtp_tls_protocols = !SSLv2, !SSLv3
smtp_tls_security_level = dane
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_use_tls = yes
smtpd_client_restrictions = permit_mynetworks permit_inet_interfaces
     permit_tls_all_clientcerts permit_sasl_authenticated permit_auth_destination
     check_client_access hash:/etc/postfix/access
smtpd_hard_error_limit = 20
smtpd_helo_restrictions = permit_mynetworks, check_client_access
     hash:/etc/postfix/access, check_client_access
     cidr:/etc/postfix/trusted_ips.cidr, reject_invalid_hostname, permit
smtpd_milters = inet:localhost:3277
smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated      check_client_access hash:/etc/postfix/access permit_auth_destination
     reject_unauth_destination reject_invalid_hostname
     reject_unknown_recipient_domain reject_unknown_client_hostname
     reject_unknown_reverse_client_hostname reject_unverified_recipient
     check_policy_service inet:127.0.0.1:10023
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated      defer_unauth_destination permit_inet_interfaces check_client_access
     hash:/etc/postfix/access reject_unknown_reverse_client_hostname
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous noplaintext
smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
smtpd_sender_restrictions = permit_mynetworks check_client_access
     hash:/etc/postfix/access permit_auth_destination permit_sasl_authenticated      check_sender_access inline:{ { almogavers.net = REJECT local sender from
     unauthorized client } }
smtpd_tls_CAfile = /etc/postfix/postfix.ca.pem
smtpd_tls_CApath = /etc/ssl/certs
smtpd_tls_cert_file = /etc/postfix/postfix.cert.pem
smtpd_tls_ciphers = medium
smtpd_tls_key_file = /etc/postfix/postfix.key.pem
smtpd_tls_mandatory_ciphers = high
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
virtual_alias_maps = hash:/etc/postfix/virtual

smtp       inet  n       -       y       -       -       smtpd
     -o content_filter=spamassassin
     -o smtpd_sasl_auth_enable=yes
     receive_override_options=no_header_body_checks
smtp       inet  n       -       y       -       1 postscreen
dnsblog    unix  -       -       y       -       0       dnsblog
tlsproxy   unix  -       -       y       -       0 tlsproxy
smtpd      pass  -       -       y       -       -       smtpd
submission inet  n       -       y       -       -       smtpd
     -o syslog_name=postfix/submission
     -o smtpd_tls_security_level=encrypt
     -o smtpd_sasl_auth_enable=yes
     -o smtpd_client_restrictions=permit_sasl_authenticated,reject
     -o milter_macro_daemon_name=ORIGINATING
     -o content_filter=spamassassin
smtps      inet  n       -       y       -       -       smtpd
     -o syslog_name=postfix/smtps
     -o smtpd_tls_wrappermode=yes
     -o smtpd_sasl_auth_enable=yes
     -o smtpd_client_restrictions=permit_sasl_authenticated,reject
     -o milter_macro_daemon_name=ORIGINATING
pickup     fifo  n       -       y       60      1       pickup
cleanup    unix  n       -       y       -       0       cleanup
qmgr       fifo  n       -       n       300     1       qmgr
tlsmgr     unix  -       -       y       1000?   1       tlsmgr
rewrite    unix  -       -       y       -       - trivial-rewrite
bounce     unix  -       -       y       -       0       bounce
defer      unix  -       -       y       -       0       bounce
trace      unix  -       -       y       -       0       bounce
verify     unix  -       -       y       -       1       verify
flush      unix  n       -       y       1000?   0       flush
proxymap   unix  -       -       n       -       - proxymap
proxywrite unix  -       -       n       -       1 proxymap
smtp       unix  -       -       y       -       -       smtp
     -o smtp_helo_timeout=5
     -o smtp_connect_timeout=5
relay      unix  -       -       y       -       -       smtp
showq      unix  n       -       y       -       -       showq
error      unix  -       -       y       -       -       error
retry      unix  -       -       y       -       -       error
discard    unix  -       -       y       -       -       discard
local      unix  -       n       n       -       -       local
virtual    unix  -       n       n       -       -       virtual
lmtp       unix  -       -       y       -       -       lmtp
anvil      unix  -       -       y       -       1       anvil
scache     unix  -       -       y       -       1       scache
maildrop   unix  -       n       n       -       -       pipe flags=DRhu
     user=vmail argv=/usr/bin/maildrop -d ${recipient}
uucp       unix  -       n       n       -       -       pipe flags=Fqhu
     user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail     unix  -       n       n       -       -       pipe flags=F user=ftn
     argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp      unix  -       n       n       -       -       pipe flags=Fq.
     user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix - n       n       -       2       pipe flags=R
     user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop}
     ${user} ${extension}
mailman    unix  -       n       n       -       -       pipe flags=FR
     user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py ${nexthop}
     ${user}
policyd-spf unix -       n       n       -       0       spawn user=policyd-spf
     argv=/usr/bin/policyd-spf
smtp-amavis unix -       -       n       -       2       smtp
     -o smtp_data_done_timeout=1200
     -o disable_dns_lookups=yes
127.0.0.1:10025 inet n   -       n       -       -       smtpd
     -o content_filter=
     -o disable_dns_lookups=yes
     -o local_recipient_maps=
     -o relay_recipient_maps=
     -o smtpd_restriction_classes=
     -o smtpd_client_restrictions=
     -o smtpd_helo_restrictions=
     -o smtpd_sender_restrictions=
     -o smtpd_recipient_restrictions=permit_mynetworks,reject
     -o mynetworks=127.0.0.0/8
     -o strict_rfc821_envelopes=yes
     -o smtpd_error_sleep_time=0
     -o smtpd_soft_error_limit=1001
     -o smtpd_hard_error_limit=1000
     -o smtp_data_done_timeout=1200
     -o disable_dns_lookups=yes
spamassassin unix -      n       n       -       -       pipe user=debian-spamd
     argv=/usr/bin/spamc -f -e /usr/sbin/sendmail -oi -f ${sender} ${recipient}
dane       unix  -       -       n       -       -       smtp
     -o smtp_dns_support_level=dnssec
     -o smtp_tls_security_level=dane
postlog    unix-dgram n  -       n       -       1 postlogd

On 02/04/2019 at 18:38, Bill Cole wrote:
On 2 Apr 2019, at 11:17, Francesc Peñalvez wrote:

following the instructions given to me place the access in front of the rule that is not supported ips unresolved, and as I still have the same problems I added a debug to that ip that interests me and among other things in this debug I find this:
16:43:05 ns postfix/smtpd[28258]: generic_checks: name=check_client_access
Apr 2 16:43:05 ns postfix/smtpd[28258]: check_namadr_access: name unknown addr 213.4.61.170
Apr 2 16:43:05 ns postfix/smtpd[28258]: check_domain_access: unknown
Apr 2 16:43:05 ns postfix/smtpd[28258]: maps_find: hash:/etc/postfix/access: unknown: not found
Apr 2 16:43:05 ns postfix/smtpd[28258]: check_addr_access: 213.4.61.170
my access file contains:
213.4.61.170 OK

Where do I have the error?

It is impossible for us to tell, because you have not provided enough information. The solution may be as simple as using 'postmap' to rebuild the operational form of the access map (e.g. /etc/postfix/access.db) or it may be something more complex.

See http://www.postfix.org/DEBUG_README.html#mail for how to effectively report problems here.

Most importantly:

1. Turn off debug logging.
2. Provide the output of 'postconf -nf' and 'postconf -Mf'
3. Provide log lines relevant to a single SMTP session with the problem.
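
The evaluation rules discussed in this thread (each smtpd_*_restrictions list stops at its first decisive result, and mail must get through every list), as an added example that is not part of the original messages. It is a simplified Python model, not Postfix code: it covers only the relay and recipient lists from the posted config, and `decide`, `client`, `TABLE` and the other names are assumptions of this sketch.

```python
# Added example: simplified model of Postfix smtpd restriction-list evaluation.
# Only the restrictions handled below are modelled; other tokens are skipped.
PERMIT = {"permit_mynetworks": "in_mynetworks", "permit_sasl_authenticated": "sasl",
          "permit_auth_destination": "rcpt_local"}

def access_lookup(table, hostname, addr):
    """check_client_access key order: name, parent domains, address, shorter prefixes."""
    labels, octets = hostname.split("."), addr.split(".")
    keys = [".".join(labels[i:]) for i in range(len(labels))]
    keys += [".".join(octets[:n]) for n in range(4, 0, -1)]
    return next((table[k] for k in keys if k in table), None)

def evaluate(restrictions, c, table):
    """First decisive result wins; "reject" stands for any 4xx/5xx refusal."""
    for r in restrictions.split():
        if c.get(PERMIT.get(r)):
            return "permit"
        if r == "check_client_access":
            action = access_lookup(table, c["hostname"], c["addr"])
            if action in ("OK", "REJECT"):
                return "permit" if action == "OK" else "reject"
        if r in ("reject_unauth_destination", "defer_unauth_destination") and not c["rcpt_local"]:
            return "reject"
        if r == "reject_unknown_reverse_client_hostname" and not c["has_ptr"]:
            return "reject"
        if r == "reject_unknown_client_hostname" and c["hostname"] == "unknown":
            return "reject"
    return "permit"  # falling off the end of a list permits

def decide(config, c, table):  # accepted only when no list refuses the mail
    for name, restrictions in config.items():
        if evaluate(restrictions, c, table) == "reject":
            return "rejected by " + name
    return "accepted"

ACCESS = "check_client_access hash:/etc/postfix/access"
RECIPIENT = ("permit_mynetworks permit_sasl_authenticated " + ACCESS + " permit_auth_destination"
             " reject_unauth_destination reject_unknown_client_hostname"
             " reject_unknown_reverse_client_hostname")
POSTED = {"smtpd_relay_restrictions": "permit_mynetworks permit_sasl_authenticated"
          " defer_unauth_destination permit_inet_interfaces " + ACCESS +
          " reject_unknown_reverse_client_hostname", "smtpd_recipient_restrictions": RECIPIENT}
SUGGESTED = {"smtpd_relay_restrictions": "permit_mynetworks permit_sasl_authenticated"
             " reject_unauth_destination", "smtpd_recipient_restrictions": RECIPIENT}

def client(addr):  # constructed client: reverse lookup failed, recipient is local
    return {"addr": addr, "hostname": "unknown", "has_ptr": False,
            "in_mynetworks": False, "sasl": False, "rcpt_local": True}
TABLE = {"213.4.61.170": "OK"}  # compiled access map; {} models a map never rebuilt by postmap
```

In this model `decide(POSTED, client("213.4.61.170"), {})` is refused by the relay list because the lookup finds nothing in a map that was never rebuilt. `decide(SUGGESTED, client("217.124.241.125"), TABLE)` is accepted, since `permit_auth_destination` permits local mail before the `reject_unknown_*` checks in the recipient list are reached.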




