Re: Sender access issues
Hi,

A few days ago I was having an issue with not being able to use sender_access to permit mail with non-existent hostnames to be delivered that would normally be rejected:

    Feb 24 16:48:55 mail01 postfix/smtpd[1945]: NOQUEUE: reject: RCPT from smtp.lanyonmail.com[50.56.12.142]: 450 4.1.8 myuser@lanyonrs.local: Sender address rejected: Domain not found; from=myuser@lanyonrs.local to=phyl...@example.com proto=ESMTP helo=Mail.LanyonMail.com

Viktor had helped me get it working, or so I thought, but it was still rejecting mail, and I don't entirely know why. I've since added an additional check_sender_access to the recipient restrictions, and I believe it's working again, but I didn't want to do it that way, and I'm not even sure that was the actual fix, as I was working under pressure.

    smtpd_recipient_restrictions =
        ...
        check_sender_access hash:/etc/postfix/sender_checks,
        --- ---
        reject_unknown_sender_domain,
        ...
        permit
    smtpd_sender_restrictions = reject_unknown_sender_domain
        -

I've separated out the smtpd_{client,recipient,sender}_restrictions, and added the email address with the invalid domain I wish to allow to sender_access, but it's still being rejected. I've included my postconf output below, and hoped someone could review it. I'd like to remove the check_sender_access in the recipient restrictions to separate it out into the three different classes.

    alias_database = hash:/etc/postfix/aliases
    alias_maps = hash:/etc/postfix/aliases
    allow_mail_to_files = alias,forward
    always_bcc = bcc-user
    biff = no
    body_checks = regexp:/etc/postfix/body_checks.pcre
    bounce_queue_lifetime = 1d
    command_directory = /usr/sbin
    config_directory = /etc/postfix
    content_filter = smtp-amavis:[127.0.0.1]:10024
    daemon_directory = /usr/libexec/postfix
    data_directory = /var/lib/postfix
    default_process_limit = 200
    delay_warning_time = 4h
    disable_vrfy_command = yes
    fallback_relay =
    header_checks = pcre:/etc/postfix/header_checks.pcre pcre:/etc/postfix/header_checks-jimsun.pcre
    html_directory = no
    inet_protocols = ipv4
    mail_owner = postfix
    mailbox_command = /usr/bin/procmail
    mailbox_size_limit = 0
    mailq_path = /usr/bin/mailq
    manpage_directory = /usr/share/man
    maximal_queue_lifetime = 2d
    message_size_limit = 2400
    mime_header_checks = pcre:/etc/postfix/mime_header_checks
    mydestination = $myhostname, localhost.$mydomain
    mydomain = example.com
    myhostname = bwimail01.example.com
    mynetworks = 127.0.0.0/8, 192.168.1.0/24, 68.123.123.40/29
    newaliases_path = /usr/bin/newaliases
    postscreen_access_list = permit_mynetworks, cidr:/etc/postfix/postscreen_access.cidr
    postscreen_blacklist_action = drop
    postscreen_dnsbl_action = enforce
    postscreen_dnsbl_reply_map = pcre:$config_directory/postscreen_dnsbl_reply_map.pcre
    postscreen_dnsbl_sites =
        mykey.zen.dq.spamhaus.net=127.0.0.[10;11]*8
        dnsbl.sorbs.net=127.0.0.10*8
        b.barracudacentral.org*7
        dnsbl.sorbs.net=127.0.0.5*6
        mykey.zen.dq.spamhaus.net=127.0.0.[4..7]*6
        bl.mailspike.net*4
        bl.spamcop.net*4
        bl.spameatingmonkey.net*4
        mykey.zen.dq.spamhaus.net=127.0.0.3*4
        list.dnswl.org=127.[0..255].[0..255].0*-2
        list.dnswl.org=127.[0..255].[0..255].1*-3
        list.dnswl.org=127.[0..255].[0..255].[2..255]*-4
    postscreen_dnsbl_threshold = 8
    postscreen_dnsbl_ttl = 10m
    postscreen_greet_action = enforce
    postscreen_greet_wait = ${stress?2}${stress:8}s
    postscreen_whitelist_interfaces = static:all 68.123.123.40/29
    queue_directory = /var/spool/postfix
    rbl_reply_maps = ${stress?hash:/etc/postfix/rbl_reply_maps}
    readme_directory = /usr/share/doc/postfix/README_FILES
    relay_domains = $mydestination, $transport_maps, example.com
    sample_directory = /usr/share/doc/postfix/samples
    sendmail_path = /usr/sbin/sendmail
    setgid_group = postdrop
    smtpd_client_restrictions =
        check_client_access hash:/etc/postfix/client_checks,
        check_client_access cidr:/etc/postfix/client_access_blocklist
    smtpd_helo_required = yes
    smtpd_recipient_restrictions =
        reject_non_fqdn_recipient,
        reject_non_fqdn_sender,
        reject_unlisted_recipient,
        permit_mynetworks,
        reject_unauth_destination,
        check_sender_access hash:/etc/postfix/sender_checks,
        reject_unknown_sender_domain,
        reject_unknown_recipient_domain,
        reject_rhsbl_reverse_client mykey.dbl.dq.spamhaus.net,
        reject_rhsbl_sender mykey.dbl.dq.spamhaus.net,
        reject_rhsbl_helo mykey.dbl.dq.spamhaus.net
        check_helo_access pcre:/etc/postfix/helo_checks.pcre,
        check_helo_access hash:/etc/postfix/helo_checks,
        reject_invalid_helo_hostname,
        check_policy_service inet:127.0.0.1:2501,
        check_recipient_access pcre:/etc/postfix/relay_recips_access,
        permit
    smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/sender_checks,
Re: Sender access issues
On Thu, Feb 26, 2015 at 02:58:16PM -0500, Alex Regan wrote:

> A few days ago I was having an issue with not being able to use sender_access to permit mail with non-existent hostnames to be delivered that would normally be rejected:
>
>     Feb 24 16:48:55 mail01 postfix/smtpd[1945]: NOQUEUE: reject: RCPT from smtp.lanyonmail.com[50.56.12.142]: 450 4.1.8 myuser@lanyonrs.local: Sender address rejected: Domain not found; from=myuser@lanyonrs.local to=phyl...@example.com proto=ESMTP helo=Mail.LanyonMail.com

That was two days ago, who knows how it relates to your current configuration. Test by sending from the same address via a direct connection to your MTA and report results that match the exact configuration you're reporting.

> smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/sender_checks, reject_unknown_sender_domain

What does the below report (with the exact address from the unmunged log message):

    $ sender=myuser@lanyonrs.local
    $ postmap -q $sender hash:/etc/postfix/sender_checks

> smtpd_recipient_restrictions = ... check_sender_access hash:/etc/postfix/sender_checks, reject_unknown_sender_domain, ...

Why is the sender logic repeated in the recipient restrictions? I am puzzled as to what you make of this configuration? Did you read through it yourself before posting?

-- Viktor.
Re: Sender access issues
On Thu, Feb 26, 2015 at 08:53:43PM -0500, Alex Regan wrote:

> > What does the below report (with the exact address from the unmunged log message):
> >
> >     $ sender=myuser@lanyonrs.local
> >     $ postmap -q $sender hash:/etc/postfix/sender_checks
>
> I had *@lanyonrs.local OK in sender_checks and it printed nothing. I added the explicit email address and it returns OK.

Nothing in the Postfix documentation promises any special meaning for *@domain keys in indexed tables. If you're going by intuition and guess-work rather than documentation, you won't get far. The lookup keys for access tables are documented under:

    http://www.postfix.org/access.5.html

To match every address in a domain, just use the domain as the lookup key:

    lanyonrs.local OK

An even better solution is to fix the problem on the sender end, and use a real sending address.

-- Viktor.
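The lookup order that access(5) documents for an e-mail address in an indexed table, as an added example that is not part of the original thread or of Postfix itself. It is a simplified Python model (function names and sample tables are constructed; address extensions such as user+ext are not modelled) showing why a `*@lanyonrs.local` key is never queried while `lanyonrs.local` is.

```python
# Simplified model of the access(5) lookup order for an e-mail address in an
# indexed table (hash:, btree:, ...). Added example, not Postfix code.

def candidate_keys(address, parent_matches_subdomains=True):
    """Return the lookup keys tried for `address`, in order.

    parent_matches_subdomains models whether smtpd_access_maps is listed in
    parent_domain_matches_subdomains (it is by default): parent domains are
    then tried as "domain.tld", otherwise as ".domain.tld".
    """
    user, _, domain = address.lower().rpartition("@")
    keys = [f"{user}@{domain}"]          # 1. the full address
    keys.append(domain)                  # 2. the exact domain part
    labels = domain.split(".")
    for i in range(1, len(labels)):      # 3. each parent domain
        parent = ".".join(labels[i:])
        keys.append(parent if parent_matches_subdomains else "." + parent)
    keys.append(f"{user}@")              # 4. the local part alone
    return keys


def lookup(table, address, **kwargs):
    """Return (matching_key, action) for the first key found, else None."""
    for key in candidate_keys(address, **kwargs):
        if key in table:
            return key, table[key]
    return None


# Constructed sample tables: the entry from the thread that did not work,
# and the domain-only key recommended in the reply.
WILDCARD_TABLE = {"*@lanyonrs.local": "OK"}
DOMAIN_TABLE = {"lanyonrs.local": "OK"}
SENDER = "myuser@lanyonrs.local"

if __name__ == "__main__":
    print("keys tried:", candidate_keys(SENDER))
    print("wildcard table:", lookup(WILDCARD_TABLE, SENDER))
    print("domain table:  ", lookup(DOMAIN_TABLE, SENDER))
```

On a live system, `postmap -q` with each candidate key against the real table confirms which entry, if any, matches.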
Re: Sender access issues
Hi,

> > > What does the below report (with the exact address from the unmunged log message):
> > >
> > >     $ sender=myuser@lanyonrs.local
> > >     $ postmap -q $sender hash:/etc/postfix/sender_checks
> >
> > I had *@lanyonrs.local OK in sender_checks and it printed nothing. I added the explicit email address and it returns OK.
>
> Nothing in the Postfix documentation promises any special meaning for *@domain keys in indexed tables. If you're going by intuition and guess-work rather than documentation, you won't get far. The lookup keys for access tables are documented under:
>
>     http://www.postfix.org/access.5.html
>
> To match every address in a domain, just use the domain as the lookup key:
>
>     lanyonrs.local OK
>
> An even better solution is to fix the problem on the sender end, and use a real sending address.

I even looked at access(5) just before sending this, and have no idea how I missed that. I think I need a break. Yes, certainly using a real address is the proper solution here. Thanks for your continued help with this.

Alex
Re: Sender access issues
Hi,

> >     Feb 24 16:48:55 mail01 postfix/smtpd[1945]: NOQUEUE: reject: RCPT from smtp.lanyonmail.com[50.56.12.142]: 450 4.1.8 myuser@lanyonrs.local: Sender address rejected: Domain not found; from=myuser@lanyonrs.local to=phyl...@example.com proto=ESMTP helo=Mail.LanyonMail.com
>
> That was two days ago, who knows how it relates to your current configuration. Test by sending from the same address via a direct connection to your MTA and report results that match the exact configuration you're reporting.

My apologies. I was having a little difficulty explaining what's happening while still keeping the history intact. I thought it was working after the changes we made the other day, but it started rejecting the messages again in the same way as shown above:

    Feb 26 19:46:03 mail01 postfix/smtpd[23353]: NOQUEUE: reject: RCPT from smtp.lanyonmail.com[50.56.12.142]: 450 4.1.8 myuser@lanyonrs.local: Sender address rejected: Domain not found; from=myuser@lanyonrs.local to=doro...@example.com proto=ESMTP helo=Mail.LanyonMail.com

> What does the below report (with the exact address from the unmunged log message):
>
>     $ sender=myuser@lanyonrs.local
>     $ postmap -q $sender hash:/etc/postfix/sender_checks

I had *@lanyonrs.local OK in sender_checks and it printed nothing. I added the explicit email address and it returns OK. Maybe that is what I inadvertently changed that caused it to stop working after some point that it was working.

> > smtpd_recipient_restrictions = ... check_sender_access hash:/etc/postfix/sender_checks, reject_unknown_sender_domain, ...
>
> Why is the sender logic repeated in the recipient restrictions?

I must not have explained very clearly that I had added that when it stopped working because it's what I last had working properly, and it did get it to work again. I'd now like to identify why the method we worked out two days ago stopped working and started to reject mail again.

Thanks,
Alex
Re: Sender access issues
On Tue, Feb 24, 2015 at 09:02:43PM -0500, Alex Regan wrote:

> On 02/24/2015 08:34 PM, Viktor Dukhovni wrote:
> > On Tue, Feb 24, 2015 at 08:07:59PM -0500, Alex Regan wrote:
> > > smtpd_recipient_restrictions =
> > >     ...
> > >     check_sender_access hash:/etc/postfix/sender_checks,
> > >     --- ---
> > >     reject_unknown_sender_domain,
> > >     ...
> > >     permit
> > > smtpd_sender_restrictions = reject_unknown_sender_domain
> > >     -
> >
> > The problem was that you were checking in two places, but added an exception in only one of them.
>
> So you're saying that if I didn't have the smtpd_sender_restrictions at all, it would have worked in recipient restrictions, correct?

Yes, that is, the exception would have been effective.

> > Maybe. Depends whether any of these need exceptions for hosts in mynetworks (previously in effect when they were part of the recipient restrictions). See
> >
> >     http://www.postfix.org/postconf.5.html#smtpd_delay_reject
> >
> > Some people find the all in one approach simpler. With Postfix 2.10 or later (only), you're encouraged to move relay control into smtpd_relay_restrictions. Otherwise depends on your needs and which you find easier to work with.
>
> Now that I've separated it out, I believe I'll have an easier time of understanding it and maintaining it.
>
> Hmm... Would you describe what my configuration would look like using the new relay restrictions?

Are you running Postfix 2.10 or later?

    http://www.postfix.org/postconf.5.html#smtpd_relay_restrictions
    http://www.postfix.org/SMTPD_ACCESS_README.html#lists

-- Viktor.
Re: Sender access issues
On Tue, Feb 24, 2015 at 08:07:59PM -0500, Alex Regan wrote:

> smtpd_recipient_restrictions =
>     ...
>     check_sender_access hash:/etc/postfix/sender_checks,
>     --- ---
>     reject_unknown_sender_domain,
>     ...
>     permit
> smtpd_sender_restrictions = reject_unknown_sender_domain
>     -

The problem was that you were checking in two places, but added an exception in only one of them.

> These check_{client,sender}_access restrictions have been in the recipient restrictions section for a long time, without realizing I was doing it incorrectly.

It is not incorrect, rather a matter of style. However:

> Instead, I've configured sender, client, and helo restrictions, as such, and removed them all from recipient restrictions:
>
>     smtpd_sender_restrictions =
>         check_sender_access hash:/etc/postfix/sender_checks
>         reject_unknown_sender_domain
>     smtpd_client_restrictions =
>         check_client_access hash:/etc/postfix/client_checks,
>         check_client_access cidr:/etc/postfix/client_access_blocklist
>     smtpd_helo_restrictions =
>         check_helo_access pcre:/etc/postfix/helo_checks.pcre,
>         check_helo_access hash:/etc/postfix/helo_checks
>
> Does that now seem correct?

Maybe. Depends whether any of these need exceptions for hosts in mynetworks (previously in effect when they were part of the recipient restrictions). See

    http://www.postfix.org/postconf.5.html#smtpd_delay_reject

Some people find the all in one approach simpler. With Postfix 2.10 or later (only), you're encouraged to move relay control into smtpd_relay_restrictions. Otherwise depends on your needs and which you find easier to work with.

Multiple top-level restriction classes make it possible to white list some checks and not others (OK in one list of rules terminates only that list of rules). So that's more flexible, but can be more complex.

I had proposed some time back generalizing the set of top-level lists beyond just adding smtpd_relay_restrictions, but there's not been much interest in going beyond the current fixed quartet of (client, helo, sender, recipient).

-- Viktor.
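The behaviour described in this message (an OK ends only the list it appears in, so an exception added in one class does not cover the same check in another), as an added example that is not part of the original thread or of Postfix. It is a toy Python model that keeps only the sender-related restrictions from the thread; the table and DNS stand-ins and all function names are constructed.

```python
# Toy model of how smtpd walks its restriction classes. Added example.
# WHITELIST stands in for the sender_checks table, RESOLVABLE for DNS.
WHITELIST = {"lanyonrs.local"}
RESOLVABLE = {"example.com"}


def _domain(msg):
    return msg["sender"].rpartition("@")[2].lower()


def check_sender_access(msg):
    return "OK" if _domain(msg) in WHITELIST else "DUNNO"


def reject_unknown_sender_domain(msg):
    return "DUNNO" if _domain(msg) in RESOLVABLE else "REJECT"


def permit(msg):
    return "OK"


def evaluate(classes, msg):
    """Walk every class in order; return (verdict, class, restriction)."""
    for class_name, restrictions in classes:
        for restriction in restrictions:
            verdict = restriction(msg)
            if verdict == "REJECT":
                return ("REJECT", class_name, restriction.__name__)
            if verdict == "OK":
                break  # OK ends this list only; later classes still run
    return ("PERMIT", None, None)


# Exception present only in the recipient class (the failing setup).
BEFORE = [
    ("smtpd_sender_restrictions", [reject_unknown_sender_domain]),
    ("smtpd_recipient_restrictions",
     [check_sender_access, reject_unknown_sender_domain, permit]),
]
# Exception placed ahead of the check in the class that performs it.
AFTER = [
    ("smtpd_sender_restrictions",
     [check_sender_access, reject_unknown_sender_domain]),
    ("smtpd_recipient_restrictions", [permit]),
]
MSG = {"sender": "myuser@lanyonrs.local"}

if __name__ == "__main__":
    print("before:", evaluate(BEFORE, MSG))
    print("after: ", evaluate(AFTER, MSG))
```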
Re: Sender access issues
Hi,

On 02/24/2015 08:34 PM, Viktor Dukhovni wrote:

> On Tue, Feb 24, 2015 at 08:07:59PM -0500, Alex Regan wrote:
> > smtpd_recipient_restrictions =
> >     ...
> >     check_sender_access hash:/etc/postfix/sender_checks,
> >     --- ---
> >     reject_unknown_sender_domain,
> >     ...
> >     permit
> > smtpd_sender_restrictions = reject_unknown_sender_domain
> >     -
>
> The problem was that you were checking in two places, but added an exception in only one of them.

So you're saying that if I didn't have the smtpd_sender_restrictions at all, it would have worked in recipient restrictions, correct?

> > These check_{client,sender}_access restrictions have been in the recipient restrictions section for a long time, without realizing I was doing it incorrectly.
>
> It is not incorrect, rather a matter of style. However:
>
> > Instead, I've configured sender, client, and helo restrictions, as such, and removed them all from recipient restrictions:
> >
> >     smtpd_sender_restrictions =
> >         check_sender_access hash:/etc/postfix/sender_checks
> >         reject_unknown_sender_domain
> >     smtpd_client_restrictions =
> >         check_client_access hash:/etc/postfix/client_checks,
> >         check_client_access cidr:/etc/postfix/client_access_blocklist
> >     smtpd_helo_restrictions =
> >         check_helo_access pcre:/etc/postfix/helo_checks.pcre,
> >         check_helo_access hash:/etc/postfix/helo_checks
> >
> > Does that now seem correct?
>
> Maybe. Depends whether any of these need exceptions for hosts in mynetworks (previously in effect when they were part of the recipient restrictions). See
>
>     http://www.postfix.org/postconf.5.html#smtpd_delay_reject
>
> Some people find the all in one approach simpler. With Postfix 2.10 or later (only), you're encouraged to move relay control into smtpd_relay_restrictions. Otherwise depends on your needs and which you find easier to work with.

Now that I've separated it out, I believe I'll have an easier time of understanding it and maintaining it.

Hmm... Would you describe what my configuration would look like using the new relay restrictions?

Thanks,
Alex
Re: Sender access issues
Hi,

> smtpd_recipient_restrictions =
>     reject_non_fqdn_recipient,
>     reject_non_fqdn_sender,
>     reject_unlisted_recipient,
>     permit_mynetworks,
>     reject_unauth_destination,
>     check_client_access hash:/etc/postfix/client_checks,
>     check_sender_access hash:/etc/postfix/sender_checks,
>     --- ---
>     reject_unknown_sender_domain,
>     reject_unknown_recipient_domain,
>     reject_rhsbl_reverse_client mykey.dbl.dq.spamhaus.net,
>     reject_rhsbl_sender mykey.dbl.dq.spamhaus.net,
>     reject_rhsbl_helo mykey.dbl.dq.spamhaus.net,
>     check_helo_access pcre:/etc/postfix/helo_checks.pcre,
>     check_helo_access hash:/etc/postfix/helo_checks,
>     reject_invalid_helo_hostname,
>     check_policy_service inet:127.0.0.1:2501,
>     check_recipient_access pcre:/etc/postfix/relay_recips_access,
>     check_recipient_access pcre:/etc/postfix/property_recip_map,
>     check_recipient_access pcre:/etc/postfix/recipient_checks,
>     check_recipient_access pcre:/etc/postfix/relay_recips_ecartis,
>     permit
> smtpd_sender_restrictions = reject_unknown_sender_domain
>     -

Yes, thanks so much. I just came back to check my mail and follow up that I just figured it out! It occurred to me when I realized I had somehow lost track that I was working with recipient restrictions.

These check_{client,sender}_access restrictions have been in the recipient restrictions section for a long time, without realizing I was doing it incorrectly.

Instead, I've configured sender, client, and helo restrictions, as such, and removed them all from recipient restrictions:

    smtpd_sender_restrictions =
        check_sender_access hash:/etc/postfix/sender_checks
        reject_unknown_sender_domain
    smtpd_client_restrictions =
        check_client_access hash:/etc/postfix/client_checks,
        check_client_access cidr:/etc/postfix/client_access_blocklist
    smtpd_helo_restrictions =
        check_helo_access pcre:/etc/postfix/helo_checks.pcre,
        check_helo_access hash:/etc/postfix/helo_checks

Does that now seem correct?

Thanks,
Alex
Re: Sender access issues
On Tue, Feb 24, 2015 at 04:59:50PM -0500, Alex Regan wrote:

>     Feb 24 16:48:55 mail01 postfix/smtpd[1945]: NOQUEUE: reject: RCPT from smtp.lanyonmail.com[50.56.12.142]: 450 4.1.8 myuser@lanyonrs.local: Sender address rejected: Domain not found; - from=myuser@lanyonrs.local to=phyl...@example.com proto=ESMTP helo=Mail.LanyonMail.com
>
> smtpd_recipient_restrictions =
>     reject_non_fqdn_recipient,
>     reject_non_fqdn_sender,
>     reject_unlisted_recipient,
>     permit_mynetworks,
>     reject_unauth_destination,
>     check_client_access hash:/etc/postfix/client_checks,
>     check_sender_access hash:/etc/postfix/sender_checks,
>     --- ---
>     reject_unknown_sender_domain,
>     reject_unknown_recipient_domain,
>     reject_rhsbl_reverse_client mykey.dbl.dq.spamhaus.net,
>     reject_rhsbl_sender mykey.dbl.dq.spamhaus.net,
>     reject_rhsbl_helo mykey.dbl.dq.spamhaus.net,
>     check_helo_access pcre:/etc/postfix/helo_checks.pcre,
>     check_helo_access hash:/etc/postfix/helo_checks,
>     reject_invalid_helo_hostname,
>     check_policy_service inet:127.0.0.1:2501,
>     check_recipient_access pcre:/etc/postfix/relay_recips_access,
>     check_recipient_access pcre:/etc/postfix/property_recip_map,
>     check_recipient_access pcre:/etc/postfix/recipient_checks,
>     check_recipient_access pcre:/etc/postfix/relay_recips_ecartis,
>     permit
> smtpd_sender_restrictions = reject_unknown_sender_domain
>     -

Notice anything?

-- Viktor.