Re: header_checks not working correctly
On 2009-12-07 Christopher Adams wrote: > I have a file sender_blacklist: > > m...@somplace.org/ REJECT Does the unobfuscated address in that line really have the trailing slash? If so, that may be the reason why the mail goes through. Also, as sahil pointed out, you may want to clarify if you want to reject/discard envelope From or header From address. Plus, the log entry of a spurious delivery plus the headers of the corresponding mail would be most helpful. Regards Ansgar Wiechers -- "All vulnerabilities deserve a public fear period prior to patches becoming available." --Jason Coombs on Bugtraq
Re: header_checks not working correctly
On Mon, 07 Dec 2009, Christopher Adams wrote: > Okay, it is obvious that my approach to getting assistance is all > wrong. True, I did not understand the posting protocol, mainly > because I don't post often to this list. Yes, I did begin the posting > with the subject of header_checks. Some kind fellow gave me some > assistance and I attempted to try that solution, as it seemed a better > way to approach it. Please don't take offense; we're just trying to help you ask questions in a structured way so it is easier to understand *why* email you think should be discarded, is actually being delivered. The kind fellow's suggested solution may well be what you need if and *only* if the From: header in the emails you are trying to block matches the envelope sender. If you are unfamiliar with those terms, please use google. > Rather than talking about how counterproductive it seems for everyone to > jump on me for making innocent errors in my posting, what exactly would be > helpful in this case? Again, we're not jumping on you to be nitpicky, but just because we still do not understand exactly what is happening. > Should I post a new thread with the information about using a hash map for > smptd_sender_restrictions instead of using header_checks? Please enlighten > me. Revert to your original configuration with header_checks, 'postfix reload', and send a test email you think should be blocked. Then follow-up on this thread showing us: 1) output of postconf -n 2) headers of the 'offending' email that is delivered 3) exact contents of your header_checks file 4) unaltered log snippet that shows the 'offending' email delivery -- Sahil Tandon
Re: header_checks not working correctly
> >From: Christopher Adams >To: postfix-users@postfix.org >Sent: Tue, December 8, 2009 5:51:13 AM >Subject: Re: header_checks not working correctly > >Okay, it is obvious that my approach to getting assistance is all wrong. True, >I did not understand the posting protocol, mainly because I don't post often >to this list. Yes, I did begin the posting with the subject of header_checks. >Some kind fellow gave me some assistance and I attempted to try that solution, >as it seemed a better way to approach it. > >Rather than talking about how counterproductive it seems for everyone to jump >on me for making innocent errors in my posting, what exactly would be helpful >in this case? > >Should I post a new thread with the information about using a hash map for >smptd_sender_restrictions instead of using header_checks? Please enlighten me. > >Thanks for your assistance. > The posting protocol is dictated in the first email you received when you signed up. If you adhere to what is requested in that basic email and follow this: TO REPORT A PROBLEM see http://www.postfix.org/DEBUG_README.html#mail after that it would be easy to find a solution to your issue. It would all give us better incite on what it is that is causing you grief. I would post a new thread, but that is my opinion. > > > >On Mon, Dec 7, 2009 at 9:37 PM, Sahil Tandon wrote: > >On Mon, 07 Dec 2009, Christopher Adams wrote: >> >> >>> Okay, no more ignorant posts. I will give you all that I have based on the >>>>> protocol as spelled out. >>>>> >>>>> 1. Summary of the problem: attempting to ban an email address using a hash >>>>> map does not work. The message is delivered anyway. >> >>Sorry, this is a bad summary. You began this thread asking about header >>>>checks -- stick to that, unless you are not trying to block a particular >>>>From: header after all. >> >>>>> 2. Error messages: none >> >>>>Mostly irrelevant. >> >> >>>>> 3. Logging: Maillog shows that the message was delivered. >> >>SHOW this *and* the message headers of the mail that was delivered. >> >> >>>>> 4. Output from postconf - n: >> >>I did not see your header_checks directive. >> >> >>>>-- >>>>Sahil Tandon >> > > >-- >Christopher Adams >adam...@gmail.com >
Re: header_checks not working correctly
Okay, it is obvious that my approach to getting assistance is all wrong. True, I did not understand the posting protocol, mainly because I don't post often to this list. Yes, I did begin the posting with the subject of header_checks. Some kind fellow gave me some assistance and I attempted to try that solution, as it seemed a better way to approach it. Rather than talking about how counterproductive it seems for everyone to jump on me for making innocent errors in my posting, what exactly would be helpful in this case? Should I post a new thread with the information about using a hash map for smptd_sender_restrictions instead of using header_checks? Please enlighten me. Thanks for your assistance. On Mon, Dec 7, 2009 at 9:37 PM, Sahil Tandon wrote: > On Mon, 07 Dec 2009, Christopher Adams wrote: > > > Okay, no more ignorant posts. I will give you all that I have based on > the > > protocol as spelled out. > > > > 1. Summary of the problem: attempting to ban an email address using a > hash > > map does not work. The message is delivered anyway. > > Sorry, this is a bad summary. You began this thread asking about header > checks -- stick to that, unless you are not trying to block a particular > From: header after all. > > > 2. Error messages: none > > Mostly irrelevant. > > > 3. Logging: Maillog shows that the message was delivered. > > SHOW this *and* the message headers of the mail that was delivered. > > > 4. Output from postconf - n: > > I did not see your header_checks directive. > > -- > Sahil Tandon > -- Christopher Adams adam...@gmail.com
Re: header_checks not working correctly
On Mon, 07 Dec 2009, Christopher Adams wrote: > Okay, no more ignorant posts. I will give you all that I have based on the > protocol as spelled out. > > 1. Summary of the problem: attempting to ban an email address using a hash > map does not work. The message is delivered anyway. Sorry, this is a bad summary. You began this thread asking about header checks -- stick to that, unless you are not trying to block a particular From: header after all. > 2. Error messages: none Mostly irrelevant. > 3. Logging: Maillog shows that the message was delivered. SHOW this *and* the message headers of the mail that was delivered. > 4. Output from postconf - n: I did not see your header_checks directive. -- Sahil Tandon
Re: header_checks not working correctly
> >From: Christopher Adams >To: Postfix users >Sent: Tue, December 8, 2009 5:00:37 AM >Subject: Re: header_checks not working correctly > >Okay, no more ignorant posts. I will give you all that I have based on the >protocol as spelled out. > >1. Summary of the problem: attempting to ban an email address using a hash map >does not work. The message is delivered anyway. > >2. Error messages: none > >3. Logging: Maillog shows that the message was delivered. Show the log messages stating as such. Show the full contents of your header_check file, so we can see your syntax. > >4. Output from postconf - n: > >alias_database = hash:/etc/postfix/aliases >alias_maps = hash:/etc/postfix/aliases, >hash:/usr/local/mailman/data/aliases >>command_directory = /usr/sbin >config_directory = /etc/postfix >daemon_directory = /usr/libexec/postfix >debug_peer_level = 2 >default_privs = nobody >default_verp_delimiters = += >html_directory = no >mail_owner = postfix >>mail_spool_directory = /var/spool/mail >mailq_path = /usr/bin/mailq.postfix >manpage_directory = /usr/share/man >message_size_limit = 2097152 >mydestination = $myhostname, localhost.$mydomain, localhost.localdomain, >listsmart.$mydomain, swiki.$mydomain >>myhostname = listsmart.osl.state.or.us >mynetworks = 159.121.122.0/24, 127.0.0.0/8 >mynetworks_style = subnet >>newaliases_path = /usr/bin/newaliases >queue_directory = /var/spool/postfix >readme_directory = /usr/share/doc/postfix-2.0.16/README_FILES >recipient_delimiter = + >sample_directory = /usr/share/doc/postfix-2.0.16/samples >>sendmail_path = /usr/sbin/sendmail.postfix >setgid_group = postdrop >smtpd_recipient_restrictions = permit_sasl_authenticated, >permit_mynetworks,reject_unauth_destination, reject_rbl_client >bl.spamcop.net, reject_rbl_client dnsbl.sorbs.net, reject_rbl_client >cbl.abuseat.org, reject_rbl_client ix.dnsbl.manitu.net, >reject_invalid_hostname, reject_non_fqdn_hostname, reject_non_fqdn_sender, > reject_non_fqdn_recipient, reject_unknown_sender_domain, >reject_unknown_recipient_domain, permit >>smtpd_sender_restrictions = check_sender_access >>hash:/etc/postfix/sender_blacklist >transport_maps = hash:/etc/postfix/transport >unknown_local_recipient_reject_code = 450 > >5. Output from postfinger: link in DEBUG document doesn't allow me accss. > >So, there you have it. Thanks to anyone who is interested in assisting. > > >On Mon, Dec 7, 2009 at 5:42 PM, Wietse Venema wrote: > >Christopher Adams: >> >>> Thank you for your helpful reply. >>>>> >>>>> So, now I have this in main.cf: >>>>> >>>>> smtpd_sender_restrictions = >>>>>check_sender_access hash:/etc/postfix/sender_blacklist >>>>> >>>>> I have a file sender_blacklist: >>>>> >>>>> m...@somplace.org/ REJECT >>>>> >>>>> I issued the command 'postmap hash:/etc/postfix/sender_blacklist' >>>>> >>>>> I issued the command: 'postfix reload' >>>>> >>>>> If I send from the address m...@somplace.org, it is not rejected. >>>>> >> >>Now is a good time to stop posting fragments, and follow >>>>the instructions in the mailing list welcome message. >> >>>>Wietse >> >>>>TO REPORT A PROBLEM see http://www.postfix.org/DEBUG_README.html#mail >> >>>>TO (UN)SUBSCRIBE see http://www.postfix.org/lists.html >> >>>>Thank you for using Postfix. >> > > >-- >Christopher Adams >adam...@gmail.com >
Re: header_checks not working correctly
Okay, no more ignorant posts. I will give you all that I have based on the protocol as spelled out. 1. Summary of the problem: attempting to ban an email address using a hash map does not work. The message is delivered anyway. 2. Error messages: none 3. Logging: Maillog shows that the message was delivered. 4. Output from postconf - n: alias_database = hash:/etc/postfix/aliases alias_maps = hash:/etc/postfix/aliases, hash:/usr/local/mailman/data/aliases command_directory = /usr/sbin config_directory = /etc/postfix daemon_directory = /usr/libexec/postfix debug_peer_level = 2 default_privs = nobody default_verp_delimiters = += html_directory = no mail_owner = postfix mail_spool_directory = /var/spool/mail mailq_path = /usr/bin/mailq.postfix manpage_directory = /usr/share/man message_size_limit = 2097152 mydestination = $myhostname, localhost.$mydomain, localhost.localdomain, listsmart.$mydomain, swiki.$mydomain myhostname = listsmart.osl.state.or.us mynetworks = 159.121.122.0/24, 127.0.0.0/8 mynetworks_style = subnet newaliases_path = /usr/bin/newaliases queue_directory = /var/spool/postfix readme_directory = /usr/share/doc/postfix-2.0.16/README_FILES recipient_delimiter = + sample_directory = /usr/share/doc/postfix-2.0.16/samples sendmail_path = /usr/sbin/sendmail.postfix setgid_group = postdrop smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks,reject_unauth_destination, reject_rbl_client bl.spamcop.net, reject_rbl_client dnsbl.sorbs.net, reject_rbl_client cbl.abuseat.org, reject_rbl_client ix.dnsbl.manitu.net, reject_invalid_hostname, reject_non_fqdn_hostname, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unknown_sender_domain, reject_unknown_recipient_domain, permit smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/sender_blacklist transport_maps = hash:/etc/postfix/transport unknown_local_recipient_reject_code = 450 5. Output from postfinger: link in DEBUG document doesn't allow me accss. So, there you have it. Thanks to anyone who is interested in assisting. On Mon, Dec 7, 2009 at 5:42 PM, Wietse Venema wrote: > Christopher Adams: > > Thank you for your helpful reply. > > > > So, now I have this in main.cf: > > > > smtpd_sender_restrictions = > >check_sender_access hash:/etc/postfix/sender_blacklist > > > > I have a file sender_blacklist: > > > > m...@somplace.org/ REJECT > > > > I issued the command 'postmap hash:/etc/postfix/sender_blacklist' > > > > I issued the command: 'postfix reload' > > > > If I send from the address m...@somplace.org, it is not rejected. > > > > Now is a good time to stop posting fragments, and follow > the instructions in the mailing list welcome message. > >Wietse > > TO REPORT A PROBLEM see http://www.postfix.org/DEBUG_README.html#mail > > TO (UN)SUBSCRIBE see http://www.postfix.org/lists.html > > Thank you for using Postfix. > -- Christopher Adams adam...@gmail.com
Re: header_checks not working correctly
Christopher Adams: > Thank you for your helpful reply. > > So, now I have this in main.cf: > > smtpd_sender_restrictions = >check_sender_access hash:/etc/postfix/sender_blacklist > > I have a file sender_blacklist: > > m...@somplace.org/ REJECT > > I issued the command 'postmap hash:/etc/postfix/sender_blacklist' > > I issued the command: 'postfix reload' > > If I send from the address m...@somplace.org, it is not rejected. > Now is a good time to stop posting fragments, and follow the instructions in the mailing list welcome message. Wietse TO REPORT A PROBLEM see http://www.postfix.org/DEBUG_README.html#mail TO (UN)SUBSCRIBE see http://www.postfix.org/lists.html Thank you for using Postfix.
Re: header_checks not working correctly
Thank you for your helpful reply. So, now I have this in main.cf: smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/sender_blacklist I have a file sender_blacklist: m...@somplace.org/ REJECT I issued the command 'postmap hash:/etc/postfix/sender_blacklist' I issued the command: 'postfix reload' If I send from the address m...@somplace.org, it is not rejected. On Mon, Dec 7, 2009 at 4:47 PM, Ansgar Wiechers wrote: > On 2009-12-07 Christopher Adams wrote: > > I am trying to ban an address from sending through my system. > > > > I have this in main.cf: > > > > header_checks = regexp:/etc/postfix/header_checks > > > > In the header_checks file, I have this: > > > > /^From: .*someplace.org/ DISCARD > > > > I did a 'postfix reload' > > > > Messages from someplace.org are still being delivered. What have I > > missed? > > man 5 header_checks > > | Message headers added by the cleanup(8) daemon itself are excluded > | from inspection. Examples of such message headers are From:, To:, > | Message-ID:, Date:. > > Why don't you use an access map for this? > > # in main.cf: > smtpd_sender_restrictions = > ... > check_sender_access hash:/etc/postfix/sender_blacklist, > ... > > # in sender_blacklist: > somplace.org DISCARD > > Don't forget to postmap sender_blacklist, and perhaps consider REJECTing > instead of DISCARDing. > > Regards > Ansgar Wiechers > -- > "Abstractions save us time working, but they don't save us time learning." > --Joel Spolsky > -- Christopher Adams adam...@gmail.com
Re: header_checks not working correctly
On Tue, 08 Dec 2009, Ansgar Wiechers wrote: > On 2009-12-07 Christopher Adams wrote: > > I am trying to ban an address from sending through my system. > > > > I have this in main.cf: > > > > header_checks = regexp:/etc/postfix/header_checks > > > > In the header_checks file, I have this: > > > > /^From: .*someplace.org/ DISCARD > > > > I did a 'postfix reload' > > > > Messages from someplace.org are still being delivered. What have I > > missed? > > man 5 header_checks > > | Message headers added by the cleanup(8) daemon itself are excluded > | from inspection. Examples of such message headers are From:, To:, > | Message-ID:, Date:. It will work if the header isn't added by cleanup(8) and exists in the mail as it arrives, which I am guessing is the OP's use case. > Why don't you use an access map for this? In case the envelope sender != From: header. :-) -- Sahil Tandon
Re: header_checks not working correctly
On Mon, 07 Dec 2009, Christopher Adams wrote: > I am trying to ban an address from sending through my system. > > I have this in main.cf: > > header_checks = regexp:/etc/postfix/header_checks > > In the header_checks file, I have this: > > /^From: .*someplace.org/ DISCARD > > I did a 'postfix reload' > > Messages from someplace.org are still being delivered. What have I missed? The DEBUG_README, which contains guidelines for asking help on this mailing list. Show us the output of 'postconf -n', the entire header_checks file, the headers of the email that is being delivered despite your wishes, and the logs related to that delivery. If paranoia impels you to obfuscate email addresses, domain names, IPs, et cetera, please do it consistently. -- Sahil Tandon
Re: header_checks not working correctly
On 2009-12-07 Christopher Adams wrote: > I am trying to ban an address from sending through my system. > > I have this in main.cf: > > header_checks = regexp:/etc/postfix/header_checks > > In the header_checks file, I have this: > > /^From: .*someplace.org/ DISCARD > > I did a 'postfix reload' > > Messages from someplace.org are still being delivered. What have I > missed? man 5 header_checks | Message headers added by the cleanup(8) daemon itself are excluded | from inspection. Examples of such message headers are From:, To:, | Message-ID:, Date:. Why don't you use an access map for this? # in main.cf: smtpd_sender_restrictions = ... check_sender_access hash:/etc/postfix/sender_blacklist, ... # in sender_blacklist: somplace.org DISCARD Don't forget to postmap sender_blacklist, and perhaps consider REJECTing instead of DISCARDing. Regards Ansgar Wiechers -- "Abstractions save us time working, but they don't save us time learning." --Joel Spolsky
header_checks not working correctly
I am trying to ban an address from sending through my system. I have this in main.cf: header_checks = regexp:/etc/postfix/header_checks In the header_checks file, I have this: /^From: .*someplace.org/ DISCARD I did a 'postfix reload' Messages from someplace.org are still being delivered. What have I missed? -- Christopher Adams adam...@gmail.com