Re: How to white list
On 23/07/18 21:17, dur...@mgtsciences.com wrote:
> I have whitelisted the ip in postscreen_access.cidr. I can see the
> 'whitelisted' for postscreen in log.
> But it does not get past smtpd.
>
> I do not want to remove reject_invalid_helo_hostname as this really opens
> up more spam. So how do I white list the ip for smtpd?
>
> Jul 23 13:53:32 postfix/smtpd[16279]: Anonymous TLS connection established from unknown[65.100.117.244]: TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)
> Jul 23 13:53:32 postfix/smtpd[16279]: NOQUEUE: reject: RCPT from unknown[65.100.117.244]: 450 4.7.1 Client host rejected: cannot find your reverse hostname, [65.100.117.244]; from= to= proto=ESMTP helo=
> Jul 23 13:53:33 postfix/smtpd[16279]: disconnect from unknown[65.100.117.244] ehlo=2 starttls=1 mail=1 rcpt=0/1 data=0/1 rset=1 quit=1 commands=6/8
>
> Thank you,
>
> Durwin
>
> === main.cf ===
[snip]
> shlib_directory = /usr/lib64/postfix
> smtp_helo_name = mail.mycompany.com
> smtpd_authorized_xclient_hosts = 172.23.93.0/24
> smtpd_banner = mail.mycompany.com ESMTP $mail_name ($mail_version)
> smtpd_client_restrictions = reject_unknown_reverse_client_hostname

THIS is the line which is rejecting the email; you could try

smtpd_client_restrictions =
    permit_mynetworks,
    check_client_access cidr:/etc/postfix/postscreen_access.cidr
    reject_unknown_reverse_client_hostname

anything white-listed by postscreen will bypass client restrictions also

> smtpd_delay_reject = yes
> smtpd_helo_required = yes
> smtpd_helo_restrictions = permit_mynetworks check_helo_access
>     hash:/etc/postfix/helo_access reject_invalid_helo_hostname permit

Two useful (and safe) additions to your smtpd_helo_restrictions are:

    reject_invalid_helo_hostname, and
    reject_non_fqdn_helo_hostname

these force the HELO argument to be RFC compliant

Hope this helps

Allen C
Re: How to white list
On 23 Jul 2018, at 16:17 (-0400), dur...@mgtsciences.com wrote:

> Jul 23 13:53:32 postfix/smtpd[16279]: NOQUEUE: reject: RCPT from unknown[65.100.117.244]: 450 4.7.1 Client host rejected: cannot find your reverse hostname, [65.100.117.244]; from=
[...]
> smtpd_client_restrictions = reject_unknown_reverse_client_hostname

Read the error message carefully. This is NOT an issue with the HELO name. Postfix is failing to resolve 65.100.117.244 to a name. That may be transient or it may be a configuration issue, such as attempting to run smtpd inside a chroot jail that lacks the needed devices, an overly restrictive packet filter (or external firewall), or an extra security layer (SELinux, AppArmor, etc.) that prevents DNS resolution.

Resolution is fine from here:

$ dig +nocmd +nocomments +nostats +noquestion -x 65.100.117.244
244.117.100.65.in-addr.arpa. 86266 IN PTR mail.slfcu.org.

That name even resolves back properly to the IP:

$ dig +nocmd +nocomments +nostats +noquestion mail.slfcu.org
mail.slfcu.org. 6149 IN A 65.100.117.244

--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Currently Seeking Steadier Work: https://linkedin.com/in/billcole
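Both replies above come down to how smtpd walks a restriction list: Allen's fix works because check_client_access returns a definitive permit before reject_unknown_reverse_client_hostname is reached, and Bill's diagnosis works because with a healthy resolver the original one-entry list never rejects at all. The following is an added example, not code from the thread or from Postfix: a small Python model of smtpd_client_restrictions evaluation with a pluggable, constructed resolver so both situations can be reproduced offline. The restriction names and the left-to-right, first-definitive-result-wins rule are Postfix's documented behaviour; the resolver tables, the 203.0.113.9 test address and the contents of the stand-in cidr file (assumed to contain a "permit" entry, which smtpd accepts as an access result) are assumptions made here. Two caveats the model makes visible: postscreen and smtpd keep separate access lists, so the postscreen whitelist never reaches this evaluation; and an entry that short-circuits smtpd_client_restrictions does nothing for smtpd_helo_restrictions or smtpd_recipient_restrictions, each of which is walked on its own.

```python
"""Model of how Postfix smtpd walks an smtpd_client_restrictions list.

Added example for the thread, not Postfix code. Restrictions are tried left to
right; the first definitive permit/reject decides, a non-match (DUNNO) falls
through, and an exhausted list permits. All DNS data below is constructed.
"""
import ipaddress

MYNETWORKS = [ipaddress.ip_network("172.23.93.0/24")]  # from the poster's main.cf

# Constructed stand-in for /etc/postfix/postscreen_access.cidr ("network action"
# per line). Both postscreen_access_list and check_client_access read cidr: tables.
POSTSCREEN_ACCESS_CIDR = """\
# trusted remote relay (address taken from the log lines in the thread)
65.100.117.244/32   permit
"""


def parse_cidr_table(text):
    """Return [(network, ACTION), ...] in file order; first match wins."""
    table = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        net, action = line.split()
        table.append((ipaddress.ip_network(net, strict=False), action.upper()))
    return table


def lookup_cidr(table, ip):
    addr = ipaddress.ip_address(ip)
    for net, action in table:
        if addr in net:
            return action
    return None  # no entry: DUNNO


class Resolver:
    """Constructed DNS: PTR and A data as dicts. A missing PTR entry models the
    'cannot find your reverse hostname' situation in the poster's log."""

    def __init__(self, ptr, a):
        self.ptr, self.a = ptr, a

    def reverse(self, ip):
        return self.ptr.get(ip)

    def forward(self, name):
        return self.a.get(name, [])


def evaluate(restrictions, client_ip, resolver, cidr_table):
    """Walk the list; return ('PERMIT' | 'REJECT', reason)."""
    addr = ipaddress.ip_address(client_ip)
    for r in restrictions:
        if r == "permit_mynetworks":
            if any(addr in net for net in MYNETWORKS):
                return "PERMIT", r
        elif r.startswith("check_client_access "):
            action = lookup_cidr(cidr_table, client_ip)
            if action in ("OK", "PERMIT"):  # OK, or a restriction name such as permit
                return "PERMIT", r
            if action == "REJECT":
                return "REJECT", r
        elif r == "reject_unknown_reverse_client_hostname":
            # Only requires a PTR record to exist; no forward confirmation.
            if resolver.reverse(client_ip) is None:
                return "REJECT", "cannot find your reverse hostname"
        elif r == "reject_unknown_client_hostname":
            # Stricter variant: PTR must exist and resolve back to the client.
            name = resolver.reverse(client_ip)
            if name is None or client_ip not in resolver.forward(name):
                return "REJECT", "cannot find your hostname"
        elif r == "permit":
            return "PERMIT", r
        else:
            raise ValueError("unsupported restriction in this model: " + r)
    return "PERMIT", "end of list"


ORIGINAL = ["reject_unknown_reverse_client_hostname"]  # the poster's list
WHITELISTED = [                                          # the list suggested in the reply
    "permit_mynetworks",
    "check_client_access cidr:/etc/postfix/postscreen_access.cidr",
    "reject_unknown_reverse_client_hostname",
]


def scenarios():
    """Verdict for each list under a working and a broken reverse DNS."""
    cidr = parse_cidr_table(POSTSCREEN_ACCESS_CIDR)
    working = Resolver(ptr={"65.100.117.244": "mail.slfcu.org"},
                       a={"mail.slfcu.org": ["65.100.117.244"]})
    broken = Resolver(ptr={}, a={})  # what the poster's smtpd was evidently seeing
    stranger = "203.0.113.9"         # constructed: no PTR, not whitelisted
    return {
        "original, resolver broken": evaluate(ORIGINAL, "65.100.117.244", broken, cidr)[0],
        "original, resolver working": evaluate(ORIGINAL, "65.100.117.244", working, cidr)[0],
        "whitelisted, resolver broken": evaluate(WHITELISTED, "65.100.117.244", broken, cidr)[0],
        "whitelisted, stranger without PTR": evaluate(WHITELISTED, stranger, broken, cidr)[0],
        "whitelisted, host in mynetworks": evaluate(WHITELISTED, "172.23.93.10", broken, cidr)[0],
    }


if __name__ == "__main__":
    for case, verdict in scenarios().items():
        print(f"{case:36s} {verdict}")
```

The "original, resolver working" case is the one to look at first: if the real resolver on the mail host answered like the dig output above, the poster's unchanged configuration would already permit this client, which is why fixing DNS resolution for smtpd (chroot, firewall, MAC policy) is the root-cause fix and the cidr whitelist is the workaround.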
Re: How to white list
I have.

smtpd_helo_restrictions =
    permit_mynetworks
    check_helo_access hash:/etc/postfix/helo_access
    reject_invalid_helo_hostname
#   reject_unknown_helo_hostname
    permit

And this file, helo_access has.

localhost.localdomain PERMIT
65.100.117.244 PERMIT
60.189.57.253 REJECT

> From: Durwin De La Rue/Mgtsciences/US
> To: Postfix users
> Date: 07/23/2018 02:17 PM
> Subject: How to white list
>
> I have whitelisted the ip in postscreen_access.cidr. I can see the
> 'whitelisted' for postscreen in log.
> But it does not get past smtpd.
>
> I do not want to remove reject_invalid_helo_hostname as this really
> opens up more spam. So how do I white list the ip for smtpd?
>
> Jul 23 13:53:32 postfix/smtpd[16279]: Anonymous TLS connection established from unknown[65.100.117.244]: TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)
> Jul 23 13:53:32 postfix/smtpd[16279]: NOQUEUE: reject: RCPT from unknown[65.100.117.244]: 450 4.7.1 Client host rejected: cannot find your reverse hostname, [65.100.117.244]; from= to= proto=ESMTP helo=
> Jul 23 13:53:33 postfix/smtpd[16279]: disconnect from unknown[65.100.117.244] ehlo=2 starttls=1 mail=1 rcpt=0/1 data=0/1 rset=1 quit=1 commands=6/8
>
> Thank you,
>
> Durwin
>
> === main.cf ===
> alias_database = hash:/etc/aliases
> alias_maps = hash:/etc/postfix/aliases
> command_directory = /usr/sbin
> compatibility_level = 2
> daemon_directory = /usr/libexec/postfix
> data_directory = /var/lib/postfix
> debug_peer_level = 1
> debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
>     ddd $daemon_directory/$process_name $process_id & sleep 5
> header_checks = regexp:/etc/postfix/header_checks
> html_directory = no
> inet_interfaces = all
> inet_protocols = all
> local_recipient_maps = $alias_maps
> mail_owner = postfix
> mailq_path = /usr/bin/mailq.postfix
> manpage_directory = /usr/share/man
> meta_directory = /etc/postfix
> mydestination = $mydomain, $myhostname, localhost.$mydomain, localhost
> mydomain = mycompany.com
> myhostname = postfix.mycompany.com
> mynetworks = 172.23.93.0/24
> mynetworks_style = subnet
> myorigin = $myhostname
> newaliases_path = /usr/bin/newaliases.postfix
> postscreen_access_list = permit_mynetworks, cidr:/etc/postfix/postscreen_access.cidr
> postscreen_blacklist_action = drop
> postscreen_dnsbl_sites = zen.spamhaus.org*2 bl.spamcop.net*1 b.barracudacentral.org*2
> postscreen_dnsbl_threshold = 2
> queue_directory = /var/spool/postfix
> readme_directory = /usr/share/doc/postfix/README_FILES
> relay_domains = $mydomain
> relay_transport = relay:$mydomain
> sample_directory = /usr/share/doc/postfix/samples
> sendmail_path = /usr/sbin/sendmail.postfix
> setgid_group = postdrop
> shlib_directory = /usr/lib64/postfix
> smtp_helo_name = mail.mycompany.com
> smtpd_authorized_xclient_hosts = 172.23.93.0/24
> smtpd_banner = mail.mycompany.com ESMTP $mail_name ($mail_version)
> smtpd_client_restrictions = reject_unknown_reverse_client_hostname
> smtpd_delay_reject = yes
> smtpd_helo_required = yes
> smtpd_helo_restrictions = permit_mynetworks check_helo_access hash:/etc/postfix/helo_access reject_invalid_helo_hostname permit
> smtpd_recipient_restrictions = permit_mynetworks reject_unauth_destination
> smtpd_relay_restrictions = permit_mynetworks reject_unauth_destination
> smtpd_tls_CAfile = /etc/pki/tls/certs/mycompany-chain3.crt
> smtpd_tls_cert_file = /etc/pki/tls/certs/mycompany3.crt
> smtpd_tls_key_file = /etc/pki/tls/private/mycompany3.key
> smtpd_tls_loglevel = 3
> smtpd_tls_received_header = yes
> smtpd_tls_session_cache_timeout = 3600s
> smtpd_use_tls = yes
> tls_random_source = dev:/dev/urandom
> transport_maps = hash:/etc/postfix/transport
> unknown_local_recipient_reject_code = 550
> virtual_alias_domains = hash:/etc/postfix/virtual_domains
> virtual_alias_maps = hash:/etc/postfix/virtual
> === END main.cf ===
>
> This email message and any attachments are for the sole use of the
> intended recipient(s) and may contain proprietary and/or
> confidential information which may be privileged or otherwise
> protected from disclosure. Any unauthorized review, use, disclosure
> or distribution is prohibited. If you are not the intended recipient
> (s), please contact the sender by reply email and destroy the
> original message and any copies of the message as well as any
> attachments to the original message.
How to white list
I have whitelisted the ip in postscreen_access.cidr. I can see the 'whitelisted' for postscreen in log. But it does not get past smtpd.

I do not want to remove reject_invalid_helo_hostname as this really opens up more spam. So how do I white list the ip for smtpd?

Jul 23 13:53:32 postfix/smtpd[16279]: Anonymous TLS connection established from unknown[65.100.117.244]: TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)
Jul 23 13:53:32 postfix/smtpd[16279]: NOQUEUE: reject: RCPT from unknown[65.100.117.244]: 450 4.7.1 Client host rejected: cannot find your reverse hostname, [65.100.117.244]; from= to= proto=ESMTP helo=
Jul 23 13:53:33 postfix/smtpd[16279]: disconnect from unknown[65.100.117.244] ehlo=2 starttls=1 mail=1 rcpt=0/1 data=0/1 rset=1 quit=1 commands=6/8

Thank you,

Durwin

=== main.cf ===
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/postfix/aliases
command_directory = /usr/sbin
compatibility_level = 2
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 1
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
    ddd $daemon_directory/$process_name $process_id & sleep 5
header_checks = regexp:/etc/postfix/header_checks
html_directory = no
inet_interfaces = all
inet_protocols = all
local_recipient_maps = $alias_maps
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
meta_directory = /etc/postfix
mydestination = $mydomain, $myhostname, localhost.$mydomain, localhost
mydomain = mycompany.com
myhostname = postfix.mycompany.com
mynetworks = 172.23.93.0/24
mynetworks_style = subnet
myorigin = $myhostname
newaliases_path = /usr/bin/newaliases.postfix
postscreen_access_list = permit_mynetworks, cidr:/etc/postfix/postscreen_access.cidr
postscreen_blacklist_action = drop
postscreen_dnsbl_sites = zen.spamhaus.org*2 bl.spamcop.net*1 b.barracudacentral.org*2
postscreen_dnsbl_threshold = 2
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix/README_FILES
relay_domains = $mydomain
relay_transport = relay:$mydomain
sample_directory = /usr/share/doc/postfix/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
shlib_directory = /usr/lib64/postfix
smtp_helo_name = mail.mycompany.com
smtpd_authorized_xclient_hosts = 172.23.93.0/24
smtpd_banner = mail.mycompany.com ESMTP $mail_name ($mail_version)
smtpd_client_restrictions = reject_unknown_reverse_client_hostname
smtpd_delay_reject = yes
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks check_helo_access hash:/etc/postfix/helo_access reject_invalid_helo_hostname permit
smtpd_recipient_restrictions = permit_mynetworks reject_unauth_destination
smtpd_relay_restrictions = permit_mynetworks reject_unauth_destination
smtpd_tls_CAfile = /etc/pki/tls/certs/mycompany-chain3.crt
smtpd_tls_cert_file = /etc/pki/tls/certs/mycompany3.crt
smtpd_tls_key_file = /etc/pki/tls/private/mycompany3.key
smtpd_tls_loglevel = 3
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom
transport_maps = hash:/etc/postfix/transport
unknown_local_recipient_reject_code = 550
virtual_alias_domains = hash:/etc/postfix/virtual_domains
virtual_alias_maps = hash:/etc/postfix/virtual
=== END main.cf ===
Re: Commenting multi line option
Thank you both.

owner-postfix-us...@postfix.org wrote on 07/23/2018 09:29:58 AM:

> From: Dominic Raferd
> To: Postfix users
> Date: 07/23/2018 09:31 AM
> Subject: Re: Commenting multi line option
> Sent by: owner-postfix-us...@postfix.org
>
> On Mon, 23 Jul 2018 at 16:02, wrote:
>> I would like to know if comments may be used in this fashion. In
>> the example below, will the last line 'permit' be seen as part of
>> the 'smtpd_helo_restrictions' option?
>>
>> smtpd_helo_restrictions =
>>     permit_mynetworks
>> # check_helo_access hash:/etc/postfix/helo_access
>> # reject_invalid_helo_hostname
>> # reject_unknown_helo_hostname
>>     permit
>
> Yes, and even blank (empty) lines are ok within restriction lists,
> as long as the next non-blank non-comment line is also
> indented. Comment lines do not have to be indented within lists
> (although clarity may be lost by failing to do so). But you should
> not append comments to an active line.
>
> smtpd_helo_restrictions =
>     permit_mynetworks # this comment may cause problems
>     check_helo_access hash:/etc/postfix/helo_access
>     reject_invalid_helo_hostname
>     #... this comment is fine though...
>     permit
>
> BTW, the final 'permit' is not needed as it is implicit (but I tend
> to put it in anyway as a reminder to self).
Re: Commenting multi line option
On Mon, 23 Jul 2018 at 16:02, wrote:
> I would like to know if comments may be used in this fashion. In the
> example below, will the last line 'permit' be seen as part of the
> 'smtpd_helo_restrictions' option?
>
> smtpd_helo_restrictions =
>     permit_mynetworks
> #
>
>     check_helo_access hash:/etc/postfix/helo_access
> # reject_invalid_helo_hostname
> # reject_unknown_helo_hostname
>     permit

Yes, and even blank (empty) lines are ok within restriction lists, as long as the next non-blank non-comment line is also indented. Comment lines do not have to be indented within lists (although clarity may be lost by failing to do so). But you should not append comments to an active line.

smtpd_helo_restrictions =
    permit_mynetworks # this comment may cause problems
    check_helo_access hash:/etc/postfix/helo_access
    reject_invalid_helo_hostname
    #... this comment is fine though...
    permit

BTW, the final 'permit' is not needed as it is implicit (but I tend to put it in anyway as a reminder to self).
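The rules Dominic states above (and that Christian points to in postconf(5)) can be checked mechanically rather than by trial and error on a live server. The following is an added example, not code from the thread or from Postfix: a small Python parser implementing main.cf's logical-line rules as postconf(5) documents them, run over three constructed fragments: the commented-out list from the question, the trailing-comment list from the reply, and a parameter defined twice. The fragments and the helper names are assumptions made here; the rules themselves are Postfix's.

```python
"""Parser for the main.cf logical-line rules discussed in the thread.

Added example, not Postfix code. Rules (postconf(5)): a line beginning with
non-whitespace starts a "parameter = value" entry; a line beginning with
whitespace continues the previous entry; blank lines and lines whose first
non-blank character is '#' are skipped and do NOT end the entry; when a
parameter is defined more than once, the last definition wins. A '#' that
appears after other text on a line is not a comment marker at all.
"""


def parse_main_cf(text):
    params = {}
    current = None  # parameter that whitespace-led lines continue
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue  # blank or comment line: ignored, current entry stays open
        if raw[0] in " \t":
            if current is None:
                raise ValueError("continuation line before any parameter: %r" % raw)
            params[current] += " " + stripped
            continue
        name, sep, value = raw.partition("=")
        if not sep:
            raise ValueError("not a 'parameter = value' line: %r" % raw)
        current = name.strip()
        params[current] = value.strip()  # a later definition replaces an earlier one
    return {k: v.strip() for k, v in params.items()}


def restriction_list(params, name):
    """Restriction lists are comma- and/or whitespace-separated tokens."""
    return params[name].replace(",", " ").split()


# Constructed from the question: entries commented out, plus a blank line.
COMMENTED_OUT = """\
smtpd_helo_restrictions =
    permit_mynetworks
# check_helo_access hash:/etc/postfix/helo_access
    # reject_invalid_helo_hostname

    # reject_unknown_helo_hostname
    permit
"""

# Constructed from the reply: a trailing comment on an active line.
TRAILING_COMMENT = """\
smtpd_helo_restrictions =
    permit_mynetworks # this comment may cause problems
    check_helo_access hash:/etc/postfix/helo_access
    reject_invalid_helo_hostname
    #... this comment is fine though...
    permit
"""

# Constructed: the same parameter defined twice; only the last one counts.
REDEFINED = """\
smtpd_helo_required = no
smtpd_helo_required = yes
"""


def helo_tokens(text):
    """The smtpd_helo_restrictions list as Postfix would see it."""
    return restriction_list(parse_main_cf(text), "smtpd_helo_restrictions")


if __name__ == "__main__":
    print(helo_tokens(COMMENTED_OUT))
    print(helo_tokens(TRAILING_COMMENT))
    print(parse_main_cf(REDEFINED))
```

For the trailing-comment fragment the parsed list contains the tokens "#", "this", "comment", and so on as if they were restriction names, which is the concrete form of "may cause problems". On a real system, "postconf smtpd_helo_restrictions" prints the value as Postfix parsed it, so a stray "#" token in that output is the thing to look for.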
Re: Commenting multi line option
On July 23, 2018 5:00:33 PM GMT+02:00, dur...@mgtsciences.com wrote:
>I would like to know if comments may be used in this fashion. In the
>example below, will the last line 'permit' be seen as part of the
>'smtpd_helo_restrictions' option?
>
>smtpd_helo_restrictions =
>    permit_mynetworks
># check_helo_access hash:/etc/postfix/helo_access
># reject_invalid_helo_hostname
># reject_unknown_helo_hostname
>    permit
>

Yes, permit will be seen as part of smtpd_helo_restrictions in this example.

For an explanation of the main.cf file format see http://www.postfix.org/postconf.5.HTML

--
Christian Kivalo
Commenting multi line option
I would like to know if comments may be used in this fashion. In the example below, will the last line 'permit' be seen as part of the 'smtpd_helo_restrictions' option?

smtpd_helo_restrictions =
    permit_mynetworks
# check_helo_access hash:/etc/postfix/helo_access
# reject_invalid_helo_hostname
# reject_unknown_helo_hostname
    permit
Re: SPF + outside backup MX relay = redelivery failures: Help requested
On 07/21/18 21:25, Scott Kitterman wrote:
> Only check SPF at the external border of your email architecture. The relay
> from your backup MX is an internal relay. SPF checks from that host should be
> skipped. If you look at the documentation provided with pypolicyd-spf,
> particularly man (5) policyd-spf.conf, you'll see there are multiple options
> available for doing this. As an example (all see
> https://git.launchpad.net/~kitterman/pypolicyd-spf/tree/policyd-spf.conf.commented
> ) this might work given the data you provided:
>
> HELO_Whitelist = fritter.limelight.ca

Have now retested that method and it still does not work. I was sure that ought to. There is clearly something here that I am failing to understand.

What other means are there by which I can tell Postfix that I trust my MX relay to relay mail to me? I have to be missing something here.

--
Phil Stracchino
Babylon Communications
ph...@caerllewys.net
p...@co.ordinate.org
Landline: +1.603.293.8485
Mobile: +1.603.998.6958