Re: Sender access issues

2015-02-26 Thread Alex Regan

Hi,

A few days ago I was having an issue with not being able to use 
sender_access to permit mail with non-existent hostnames to be delivered 
that would normally be rejected:


Feb 24 16:48:55 mail01 postfix/smtpd[1945]: NOQUEUE: reject: RCPT from 
smtp.lanyonmail.com[50.56.12.142]: 450 4.1.8 myuser@lanyonrs.local: 
Sender address rejected: Domain not found; from=myuser@lanyonrs.local 
to=phyl...@example.com proto=ESMTP helo=Mail.LanyonMail.com


Viktor had helped me get it working, or so I thought, but it was still 
rejecting mail, and I don't entirely know why. I've since added an 
additional check_sender_access to the recipient restrictions, and I 
believe it's working again, but I didn't want to do it that way, and I'm 
not even sure that was the actual fix, as I was working under pressure.



smtpd_recipient_restrictions =

   ...
   check_sender_access hash:/etc/postfix/sender_checks,
   --- ---
   reject_unknown_sender_domain,
   
   ...
   permit

smtpd_sender_restrictions = reject_unknown_sender_domain
-   


I've separated out the smtpd_{client,recipient,sender}_restrictions, and 
added the email address with the invalid domain I wish to allow to 
sender_access, but it's still being rejected.


I've included my postconf output below, and hoped someone could review 
it. I'd like to remove the check_sender_access in the recipient 
restrictions to separate it out into the three different classes.


alias_database = hash:/etc/postfix/aliases
alias_maps = hash:/etc/postfix/aliases
allow_mail_to_files = alias,forward
always_bcc = bcc-user
biff = no
body_checks = regexp:/etc/postfix/body_checks.pcre
bounce_queue_lifetime = 1d
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
default_process_limit = 200
delay_warning_time = 4h
disable_vrfy_command = yes
fallback_relay =
header_checks = pcre:/etc/postfix/header_checks.pcre
    pcre:/etc/postfix/header_checks-jimsun.pcre
html_directory = no
inet_protocols = ipv4
mail_owner = postfix
mailbox_command = /usr/bin/procmail
mailbox_size_limit = 0
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
maximal_queue_lifetime = 2d
message_size_limit = 2400
mime_header_checks = pcre:/etc/postfix/mime_header_checks
mydestination = $myhostname, localhost.$mydomain
mydomain = example.com
myhostname = bwimail01.example.com
mynetworks = 127.0.0.0/8, 192.168.1.0/24, 68.123.123.40/29
newaliases_path = /usr/bin/newaliases
postscreen_access_list = permit_mynetworks,
    cidr:/etc/postfix/postscreen_access.cidr
postscreen_blacklist_action = drop
postscreen_dnsbl_action = enforce
postscreen_dnsbl_reply_map = pcre:$config_directory/postscreen_dnsbl_reply_map.pcre
postscreen_dnsbl_sites = mykey.zen.dq.spamhaus.net=127.0.0.[10;11]*8
    dnsbl.sorbs.net=127.0.0.10*8 b.barracudacentral.org*7
    dnsbl.sorbs.net=127.0.0.5*6 mykey.zen.dq.spamhaus.net=127.0.0.[4..7]*6
    bl.mailspike.net*4 bl.spamcop.net*4 bl.spameatingmonkey.net*4
    mykey.zen.dq.spamhaus.net=127.0.0.3*4
    list.dnswl.org=127.[0..255].[0..255].0*-2
    list.dnswl.org=127.[0..255].[0..255].1*-3
    list.dnswl.org=127.[0..255].[0..255].[2..255]*-4
postscreen_dnsbl_threshold = 8
postscreen_dnsbl_ttl = 10m
postscreen_greet_action = enforce
postscreen_greet_wait = ${stress?2}${stress:8}s
postscreen_whitelist_interfaces = static:all 68.123.123.40/29
queue_directory = /var/spool/postfix
rbl_reply_maps = ${stress?hash:/etc/postfix/rbl_reply_maps}
readme_directory = /usr/share/doc/postfix/README_FILES
relay_domains = $mydestination, $transport_maps, example.com
sample_directory = /usr/share/doc/postfix/samples
sendmail_path = /usr/sbin/sendmail
setgid_group = postdrop
smtpd_client_restrictions =
check_client_access hash:/etc/postfix/client_checks,
check_client_access cidr:/etc/postfix/client_access_blocklist
smtpd_helo_required = yes
smtpd_recipient_restrictions =
reject_non_fqdn_recipient,
reject_non_fqdn_sender,
reject_unlisted_recipient,
permit_mynetworks,
reject_unauth_destination,
check_sender_access hash:/etc/postfix/sender_checks,
reject_unknown_sender_domain,
reject_unknown_recipient_domain,
reject_rhsbl_reverse_client mykey.dbl.dq.spamhaus.net,
reject_rhsbl_sender mykey.dbl.dq.spamhaus.net,
reject_rhsbl_helo mykey.dbl.dq.spamhaus.net
check_helo_access pcre:/etc/postfix/helo_checks.pcre,
check_helo_access hash:/etc/postfix/helo_checks,
reject_invalid_helo_hostname,
check_policy_service inet:127.0.0.1:2501,
check_recipient_access pcre:/etc/postfix/relay_recips_access,
permit
smtpd_sender_restrictions =
check_sender_access hash:/etc/postfix/sender_checks,
 

Re: Sender access issues

2015-02-26 Thread Viktor Dukhovni
On Thu, Feb 26, 2015 at 02:58:16PM -0500, Alex Regan wrote:

 A few days ago I was having an issue with not being able to use
 sender_access to permit mail with non-existent hostnames to be delivered
 that would normally be rejected:
 
 Feb 24 16:48:55 mail01 postfix/smtpd[1945]: NOQUEUE: reject: RCPT from
 smtp.lanyonmail.com[50.56.12.142]: 450 4.1.8 myuser@lanyonrs.local: Sender
 address rejected: Domain not found; from=myuser@lanyonrs.local
 to=phyl...@example.com proto=ESMTP helo=Mail.LanyonMail.com

That was two days ago, who knows how it relates to your current
configuration.  Test by sending from the same address via a direct
connection to your MTA and report results that match the exact
configuration you're reporting.

 smtpd_sender_restrictions =
   check_sender_access hash:/etc/postfix/sender_checks,
   reject_unknown_sender_domain

What does the below report (with the exact address from
the unmunged log message):

$ sender=myuser@lanyonrs.local
$ postmap -q $sender hash:/etc/postfix/sender_checks

 smtpd_recipient_restrictions =
   ...
   check_sender_access hash:/etc/postfix/sender_checks,
   reject_unknown_sender_domain,
   ...

Why is the sender logic repeated in the recipient restrictions?

I am puzzled as to what you make of this configuration? Did you
read through it yourself before posting?

-- 
Viktor.


Re: Sender access issues

2015-02-26 Thread Viktor Dukhovni
On Thu, Feb 26, 2015 at 08:53:43PM -0500, Alex Regan wrote:

 What does the below report (with the exact address from
 the unmunged log message):
 
  $ sender=myuser@lanyonrs.local
  $ postmap -q $sender hash:/etc/postfix/sender_checks
 
 I had *@lanyonrs.local   OK in sender_checks and it printed nothing. I
 added the explicit email address and it returns OK.

Nothing in the Postfix documentation promises any special meaning
for *@domain keys in indexed tables.  If you're going by intuition
and guess-work rather than documentation, you won't get far.

The lookup keys for access tables are documented under:

http://www.postfix.org/access.5.html

To match every address in a domain, just use the domain as the
lookup key:

lanyonrs.local  OK

An even better solution is to fix the problem on the sender end,
and use a real sending address.

-- 
Viktor.
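The lookup-key point above is the whole bug: an indexed (hash:) table is an exact-string lookup, so "*@lanyonrs.local" is a literal key that no real sender will ever equal. The following is an added illustration, not Postfix code and not the poster's sender_checks file; it walks the candidate keys in the order access(5) documents for an e-mail address (user@domain, then the domain and its parents, then user@), and the tables and sender address are constructed to mirror the thread. The parent-domain handling is modelled on the parent_domain_matches_subdomains setting as documented; whether Postfix also tries the bare top-level label is an assumption here.

```python
"""Lookup order that access(5) documents for an e-mail address key in an
indexed Postfix access table (hash:, btree:, lmdb:, ...).  Added illustration,
not Postfix code; the tables below are constructed."""


def access_lookup(table, address, parent_matches_subdomains=True):
    """Return (matched_key, action) or None.

    Keys are tried in the order access(5) gives for indexed tables:
      1. user@domain   the full address
      2. domain        then its parent domains, either as bare names (when
                       parent_domain_matches_subdomains lists
                       smtpd_access_maps, the Postfix default) or as
                       ".parent" keys when it does not
      3. user@         the local part alone
    Indexed tables are exact-string lookups: a key such as '*@example.com'
    is never expanded, so it only matches the literal sender '*@example.com'.
    (regexp:/pcre: tables are a different mechanism and are not modelled.)
    """
    address = address.lower()            # postmap folds keys to lowercase
    user, at, domain = address.partition("@")
    if not at or not domain:
        return None  # not user@domain; helo/client lookups follow other rules

    candidates = [address]
    labels = domain.split(".")
    # Assumption: parents are tried down to the last label, e.g.
    # "lanyonrs.local" then "local".
    parents = [".".join(labels[i:]) for i in range(len(labels))]
    if parent_matches_subdomains:
        candidates += parents
    else:
        candidates.append(domain)                 # exact domain only
        candidates += ["." + p for p in parents[1:]]  # ".parent" keys
    candidates.append(user + "@")

    for key in candidates:
        if key in table:
            return key, table[key]
    return None


# Constructed tables mirroring the thread: what was tried first, and the two
# forms access(5) actually documents.
WILDCARD_TABLE = {"*@lanyonrs.local": "OK"}      # literal key, never matched
DOMAIN_TABLE = {"lanyonrs.local": "OK"}           # matches every address there
ADDRESS_TABLE = {"myuser@lanyonrs.local": "OK"}   # matches one address only

SENDER = "myuser@lanyonrs.local"                  # address from the log line

if __name__ == "__main__":
    for name, table in [("wildcard", WILDCARD_TABLE),
                        ("domain", DOMAIN_TABLE),
                        ("address", ADDRESS_TABLE)]:
        print(f"{name:8s} -> {access_lookup(table, SENDER)}")
```

Running it shows the wildcard table returning None, exactly the empty output `postmap -q` gave, while the domain and full-address keys both match. The same function also shows why a subdomain sender matches a bare parent-domain key only under the default parent_domain_matches_subdomains setting and otherwise needs a ".parent" key.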


Re: Sender access issues

2015-02-26 Thread Alex Regan

Hi,


What does the below report (with the exact address from
the unmunged log message):

$ sender=myuser@lanyonrs.local
$ postmap -q $sender hash:/etc/postfix/sender_checks


I had *@lanyonrs.local   OK in sender_checks and it printed nothing. I
added the explicit email address and it returns OK.


Nothing in the Postfix documentation promises any special meaning
for *@domain keys in indexed tables.  If you're going by intuition
and guess-work rather than documentation, you won't get far.

The lookup keys for access tables are documented under:

 http://www.postfix.org/access.5.html

To match every address in a domain, just use the domain as the
lookup key:

lanyonrs.local  OK

An even better solution is to fix the problem on the sender end,
and use a real sending address.


I even looked at access(5) just before sending this, and have no idea 
how I missed that. I think I need a break. Yes, certainly using a real 
address is the proper solution here.


Thanks for your continued help with this.
Alex


Re: Sender access issues

2015-02-26 Thread Alex Regan

Hi,


Feb 24 16:48:55 mail01 postfix/smtpd[1945]: NOQUEUE: reject: RCPT from
smtp.lanyonmail.com[50.56.12.142]: 450 4.1.8 myuser@lanyonrs.local: Sender
address rejected: Domain not found; from=myuser@lanyonrs.local
to=phyl...@example.com proto=ESMTP helo=Mail.LanyonMail.com


That was two days ago, who knows how it relates to your current
configuration.  Test by sending from the same address via a direct
connection to your MTA and report results that match the exact
configuration you're reporting.


My apologies. I was having a little difficulty explaining what's 
happening while still keeping the history intact.


I thought it was working after the changes we made the other day, but it 
started rejecting the messages again in the same way as shown above:


Feb 26 19:46:03 mail01 postfix/smtpd[23353]: NOQUEUE: reject: RCPT from 
smtp.lanyonmail.com[50.56.12.142]: 450 4.1.8 myuser@lanyonrs.local: 
Sender address rejected: Domain not found; from=myuser@lanyonrs.local 
to=doro...@example.com proto=ESMTP helo=Mail.LanyonMail.com



What does the below report (with the exact address from
the unmunged log message):

$ sender=myuser@lanyonrs.local
$ postmap -q $sender hash:/etc/postfix/sender_checks


I had *@lanyonrs.local   OK in sender_checks and it printed nothing. I 
added the explicit email address and it returns OK.


Maybe that is what I inadvertently changed that caused it to stop 
working after some point that it was working.



smtpd_recipient_restrictions =
...
check_sender_access hash:/etc/postfix/sender_checks,
reject_unknown_sender_domain,
   ...


Why is the sender logic repeated in the recipient restrictions?


I must not have explained very clearly that I had added that when it 
stopped working because it's what I last had working properly, and it 
did get it to work again.


I'd now like to identify why the method we worked out two days ago 
stopped working and started to reject mail again.


Thanks,
Alex



Re: Sender access issues

2015-02-24 Thread Viktor Dukhovni
On Tue, Feb 24, 2015 at 09:02:43PM -0500, Alex Regan wrote:

 On 02/24/2015 08:34 PM, Viktor Dukhovni wrote:
 On Tue, Feb 24, 2015 at 08:07:59PM -0500, Alex Regan wrote:
 
 smtpd_recipient_restrictions =
 
...
check_sender_access hash:/etc/postfix/sender_checks,
--- ---
reject_unknown_sender_domain,

...
permit
 
 smtpd_sender_restrictions = reject_unknown_sender_domain
 -   
 
 The problem was that you were checking in two places, but added an
 exception in only one of them.
 
 So you're saying that if I didn't have the smtpd_sender_restrictions at all,
 it would have worked in recipient restrictions, correct?

Yes, that is, the exception would have been effective.

 Maybe.  Depends whether any of these need exceptions for hosts
 in mynetworks (previously in effect when they were part of the
 recipient restrictions).
 
 See http://www.postfix.org/postconf.5.html#smtpd_delay_reject
 
 Some people find the all in one approach simpler.  With Postfix
 2.10 or later (only), you're encouraged to move relay control into
 smtpd_relay_restrictions.  Otherwise depends on your needs and
 which you find easier to work with.
 
 Now that I've separated it out, I believe I'll have an easier time of
 understanding it and maintaining it.
 
 Hmm... Would you describe what my configuration would look like using the
 new relay restrictions?

Are you running Postfix 2.10 or later?

http://www.postfix.org/postconf.5.html#smtpd_relay_restrictions
http://www.postfix.org/SMTPD_ACCESS_README.html#lists

-- 
Viktor.


Re: Sender access issues

2015-02-24 Thread Viktor Dukhovni
On Tue, Feb 24, 2015 at 08:07:59PM -0500, Alex Regan wrote:

  smtpd_recipient_restrictions =
  
...
check_sender_access hash:/etc/postfix/sender_checks,
--- ---
reject_unknown_sender_domain,

...
permit
 
  smtpd_sender_restrictions = reject_unknown_sender_domain
  -   

The problem was that you were checking in two places, but added an
exception in only one of them.

 These check_{client,sender}_access restrictions have been in the recipient
 restrictions section for a long time, without realizing I was doing it
 incorrectly.

It is not incorrect, rather a matter of style.  However:

 Instead, I've configured sender, client, and helo restrictions, as such, and
 removed them all from recipient restrictions:
 
 smtpd_sender_restrictions =
 check_sender_access hash:/etc/postfix/sender_checks
 reject_unknown_sender_domain
 
 smtpd_client_restrictions =
  check_client_access hash:/etc/postfix/client_checks,
  check_client_access cidr:/etc/postfix/client_access_blocklist
 
 smtpd_helo_restrictions =
  check_helo_access pcre:/etc/postfix/helo_checks.pcre,
  check_helo_access hash:/etc/postfix/helo_checks
 
 Does that now seem correct?

Maybe.  Depends whether any of these need exceptions for hosts
in mynetworks (previously in effect when they were part of the
recipient restrictions).

See http://www.postfix.org/postconf.5.html#smtpd_delay_reject

Some people find the all in one approach simpler.  With Postfix
2.10 or later (only), you're encouraged to move relay control into
smtpd_relay_restrictions.  Otherwise depends on your needs and
which you find easier to work with.

Multiple top-level restriction classes make it possible to white
list some checks and not others (OK in one list of rules terminates
only that list of rules).  So that's more flexible, but can be more
complex.

I had proposed some time back generalizing the set of top-level
lists beyond just adding smtpd_relay_restrictions, but there's
not been much interest in going beyond the current fixed quartet
of (client, helo, sender, recipient).

-- 
Viktor.
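The two rules in the exchange above, that OK ends only the list it appears in and that smtpd_sender_restrictions is evaluated before smtpd_recipient_restrictions when smtpd_delay_reject is on, explain both why the first configuration kept rejecting and why moving the check is only half the job. The following toy model is an added illustration, not Postfix code: it walks a list of (class, rules) pairs in smtpd order, and the access table, DNS answers and session values are constructed. The restriction functions are simplifications (exact-address and bare-domain keys only, no DNS), and the 450/454 texts follow the codes the log line and Postfix defaults use.

```python
"""Toy model of how Postfix smtpd walks its top-level restriction lists at
RCPT TO time with smtpd_delay_reject = yes (client, helo, sender, recipient,
in that order).  Added illustration, not Postfix code.  The rule modelled:
OK ends only the list it appears in, a REJECT ends the whole evaluation,
DUNNO falls through to the next rule.  Tables and session are constructed."""

OK, DUNNO = "OK", "DUNNO"


def check_sender_access(table):
    """Simplified access(5) lookup: exact address, then bare domain."""
    def restriction(session):
        sender = session["sender"].lower()
        for key in (sender, sender.partition("@")[2]):
            if key in table:
                return table[key]
        return DUNNO
    restriction.__name__ = "check_sender_access"
    return restriction


def reject_unknown_sender_domain(session):
    domain = session["sender"].partition("@")[2].lower()
    if domain in session["resolvable_domains"]:     # stands in for DNS
        return DUNNO
    # 450 is Postfix's default unknown_address_reject_code, as in the log.
    return "REJECT 450 4.1.8 Sender address rejected: Domain not found"


def reject_unauth_destination(session):
    rcpt_domain = session["recipient"].partition("@")[2].lower()
    if rcpt_domain in session["relay_domains"]:
        return DUNNO
    return "REJECT 454 4.7.1 Relay access denied"


def permit(session):
    return OK


def evaluate(restriction_classes, session):
    """restriction_classes: [(class_name, [rules...]), ...] in smtpd order.
    Returns (final_verdict, trace) where trace lists every rule consulted."""
    trace = []
    for class_name, rules in restriction_classes:
        for rule in rules:
            verdict = rule(session)
            trace.append((class_name, rule.__name__, verdict))
            if verdict.startswith("REJECT"):
                return verdict, trace      # a rejection ends everything
            if verdict == OK:
                break                      # OK ends this list only
    return OK, trace


# Constructed session: .local does not resolve, so the sender domain is
# "unknown" unless an access-table exception says OK before the check runs.
SESSION = {"sender": "myuser@lanyonrs.local",
           "recipient": "someone@example.com",
           "resolvable_domains": {"example.com", "lanyonmail.com"},
           "relay_domains": {"example.com"}}
SENDER_CHECKS = {"lanyonrs.local": OK}            # constructed sender_checks

# 1. The thread's starting point: exception only in the recipient list, but
#    smtpd_sender_restrictions rejects before that list is ever reached.
EXCEPTION_ONLY_IN_RECIPIENT = [
    ("smtpd_sender_restrictions", [reject_unknown_sender_domain]),
    ("smtpd_recipient_restrictions", [reject_unauth_destination,
                                      check_sender_access(SENDER_CHECKS),
                                      reject_unknown_sender_domain, permit]),
]

# 2. Exception moved to the sender list, but reject_unknown_sender_domain
#    left in the recipient list too: OK in one list does not carry over.
EXCEPTION_IN_SENDER_CHECK_DUPLICATED = [
    ("smtpd_sender_restrictions", [check_sender_access(SENDER_CHECKS),
                                   reject_unknown_sender_domain]),
    ("smtpd_recipient_restrictions", [reject_unauth_destination,
                                      reject_unknown_sender_domain, permit]),
]

# 3. Sender logic lives in exactly one list.
SENDER_LOGIC_IN_ONE_PLACE = [
    ("smtpd_sender_restrictions", [check_sender_access(SENDER_CHECKS),
                                   reject_unknown_sender_domain]),
    ("smtpd_recipient_restrictions", [reject_unauth_destination, permit]),
]


def verdict(config, session=SESSION):
    return evaluate(config, session)[0]


if __name__ == "__main__":
    for name, cfg in [("exception only in recipient", EXCEPTION_ONLY_IN_RECIPIENT),
                      ("exception in sender, check duplicated",
                       EXCEPTION_IN_SENDER_CHECK_DUPLICATED),
                      ("sender logic in one place", SENDER_LOGIC_IN_ONE_PLACE)]:
        final, trace = evaluate(cfg, SESSION)
        print(f"{name}: {final}")
        for step in trace:
            print("   ", step)
```

The trace output makes the failure visible: in the first two layouts the 450 comes from a list in which no exception precedes the check, and in the third the sender list ends with OK and the recipient list goes on to its own relay-control decision. The useful reading for a defender is that an exception has to sit in every list that can reject, or the rejecting rule has to live in only one.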


Re: Sender access issues

2015-02-24 Thread Alex Regan

Hi,


On 02/24/2015 08:34 PM, Viktor Dukhovni wrote:

On Tue, Feb 24, 2015 at 08:07:59PM -0500, Alex Regan wrote:


smtpd_recipient_restrictions =

   ...
   check_sender_access hash:/etc/postfix/sender_checks,
   --- ---
   reject_unknown_sender_domain,
   
   ...
   permit

smtpd_sender_restrictions = reject_unknown_sender_domain
-   


The problem was that you were checking in two places, but added an
exception in only one of them.


So you're saying that if I didn't have the smtpd_sender_restrictions at 
all, it would have worked in recipient restrictions, correct?



These check_{client,sender}_access restrictions have been in the recipient
restrictions section for a long time, without realizing I was doing it
incorrectly.


It is not incorrect, rather a matter of style.  However:


Instead, I've configured sender, client, and helo restrictions, as such, and
removed them all from recipient restrictions:

smtpd_sender_restrictions =
 check_sender_access hash:/etc/postfix/sender_checks
 reject_unknown_sender_domain

smtpd_client_restrictions =
  check_client_access hash:/etc/postfix/client_checks,
  check_client_access cidr:/etc/postfix/client_access_blocklist

smtpd_helo_restrictions =
  check_helo_access pcre:/etc/postfix/helo_checks.pcre,
  check_helo_access hash:/etc/postfix/helo_checks

Does that now seem correct?


Maybe.  Depends whether any of these need exceptions for hosts
in mynetworks (previously in effect when they were part of the
recipient restrictions).

See http://www.postfix.org/postconf.5.html#smtpd_delay_reject

Some people find the all in one approach simpler.  With Postfix
2.10 or later (only), you're encouraged to move relay control into
smtpd_relay_restrictions.  Otherwise depends on your needs and
which you find easier to work with.


Now that I've separated it out, I believe I'll have an easier time of 
understanding it and maintaining it.


Hmm... Would you describe what my configuration would look like using 
the new relay restrictions?


Thanks,
Alex


Re: Sender access issues

2015-02-24 Thread Alex Regan

Hi,


smtpd_recipient_restrictions =

   

   reject_non_fqdn_recipient,
   reject_non_fqdn_sender,
   reject_unlisted_recipient,
   permit_mynetworks,
   reject_unauth_destination,
   check_client_access hash:/etc/postfix/client_checks,
   check_sender_access hash:/etc/postfix/sender_checks,

 --- ---

   reject_unknown_sender_domain,

 

   reject_unknown_recipient_domain,
   reject_rhsbl_reverse_client mykey.dbl.dq.spamhaus.net,
   reject_rhsbl_sender mykey.dbl.dq.spamhaus.net,
   reject_rhsbl_helo mykey.dbl.dq.spamhaus.net,
   check_helo_access pcre:/etc/postfix/helo_checks.pcre,
   check_helo_access hash:/etc/postfix/helo_checks,
   reject_invalid_helo_hostname,
   check_policy_service inet:127.0.0.1:2501,
   check_recipient_access pcre:/etc/postfix/relay_recips_access,
   check_recipient_access pcre:/etc/postfix/property_recip_map,
   check_recipient_access pcre:/etc/postfix/recipient_checks,
   check_recipient_access pcre:/etc/postfix/relay_recips_ecartis,
   permit

smtpd_sender_restrictions = reject_unknown_sender_domain

   -   


Yes, thanks so much. I just came back to check my mail and follow up 
that I just figured it out! It occurred to me when I realized I had 
somehow lost track that I was working with recipient restrictions.


These check_{client,sender}_access restrictions have been in the 
recipient restrictions section for a long time, without realizing I was 
doing it incorrectly.


Instead, I've configured sender, client, and helo restrictions, as such, 
and removed them all from recipient restrictions:


smtpd_sender_restrictions =
check_sender_access hash:/etc/postfix/sender_checks
reject_unknown_sender_domain

smtpd_client_restrictions =
 check_client_access hash:/etc/postfix/client_checks,
 check_client_access cidr:/etc/postfix/client_access_blocklist

smtpd_helo_restrictions =
 check_helo_access pcre:/etc/postfix/helo_checks.pcre,
 check_helo_access hash:/etc/postfix/helo_checks

Does that now seem correct?

Thanks,
Alex



Re: Sender access issues

2015-02-24 Thread Viktor Dukhovni
On Tue, Feb 24, 2015 at 04:59:50PM -0500, Alex Regan wrote:

 Feb 24 16:48:55 mail01 postfix/smtpd[1945]: NOQUEUE:
   reject: RCPT from smtp.lanyonmail.com[50.56.12.142]:
   450 4.1.8 myuser@lanyonrs.local:
   Sender address rejected: Domain not found;
-
   from=myuser@lanyonrs.local to=phyl...@example.com
   proto=ESMTP helo=Mail.LanyonMail.com
 
 smtpd_recipient_restrictions =
  
   reject_non_fqdn_recipient,
   reject_non_fqdn_sender,
   reject_unlisted_recipient,
   permit_mynetworks,
   reject_unauth_destination,
   check_client_access hash:/etc/postfix/client_checks,
   check_sender_access hash:/etc/postfix/sender_checks,
--- ---
   reject_unknown_sender_domain,

   reject_unknown_recipient_domain,
   reject_rhsbl_reverse_client mykey.dbl.dq.spamhaus.net,
   reject_rhsbl_sender mykey.dbl.dq.spamhaus.net,
   reject_rhsbl_helo mykey.dbl.dq.spamhaus.net,
   check_helo_access pcre:/etc/postfix/helo_checks.pcre,
   check_helo_access hash:/etc/postfix/helo_checks,
   reject_invalid_helo_hostname,
   check_policy_service inet:127.0.0.1:2501,
   check_recipient_access pcre:/etc/postfix/relay_recips_access,
   check_recipient_access pcre:/etc/postfix/property_recip_map,
   check_recipient_access pcre:/etc/postfix/recipient_checks,
   check_recipient_access pcre:/etc/postfix/relay_recips_ecartis,
   permit

 smtpd_sender_restrictions = reject_unknown_sender_domain
  -   

Notice anything?

-- 
Viktor.