On Jul 30, 2024, at 15:58, Wietse Venema <wie...@porcupine.org> wrote:
>
> John Thorvald Wodder II via Postfix-users:
>> On Jul 30, 2024, at 15:36, Wietse Venema via Postfix-users
>> <postfix-users@postfix.org> wrote:
>>>
>>> John Thorvald Wodder II via Postfix-users:
>>>> (I previously posted this request for help on ServerFault but got
>>>> no responses, so I'm hoping the official Postfix mailing list will
>>>> go better.)
>>>
>>> Your access tables can only affect the client DNS domain name, and
>>> domain names that appear in SMTP commands such as HELO, MAIL FROM
>>> and RCPT TO.
>>>
>>> Those tables have no effect on the content of message headers. For
>>> that, the tables are called header_checks.
>>
>> I am aware of that.
>
> Then there was no need to spend so much text on that.

I mentioned multiple attempted configurations in my original e-mail as I figured people would want to know everything I'd tried.

>> That's why my original attempt to match against
>> "stupidspammers.example" failed, but I would expect my subsequent
>> attempt to instead match against "spamgateway.nil" (which the
>> actual mail servers, per the logs, are subdomains of) to work.
>> Why isn't it working?
>
> If the Postfix SMTP daemon logs spamgateway.nil as the client
> hostname ("connect from something.spamgateway.nil"), then
> check_client_access will match that.
>
> Of course it doesn't because spamgateway.nil does not exist.

I'm not claiming that "spamgateway.nil" is the actual domain. I'm using a placeholder here because I don't want to draw attention to an actual, real domain. The DEBUG README you linked to even says to anonymize host names. Are you expecting the domains to be anonymized exactly like "AAAAA.AAA" as in the README?

> For actual support, you can reduce the detective work providing
> CONCRETE details as in https://www.postfix.org/DEBUG_README.html#mail
>
> Actual configuration as reported by Postfix.

OK, `postconf -n` with domain names and cert paths replaced with "REDACTED":

### BEGIN
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
html_directory = /usr/share/doc/postfix/html
inet_interfaces = all
inet_protocols = all
local_recipient_maps =
luser_relay = REDACTED
mailbox_command = procmail -a "$EXTENSION" ORIGINAL_RECIPIENT="$ORIGINAL_RECIPIENT"
mailbox_size_limit = 0
milter_default_action = accept
milter_protocol = 2
mydestination = REDACTED, localhost, localhost.$mydomain, localhost.localdomain
mydomain = REDACTED
myhostname = REDACTED
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mynetworks_style = host
myorigin = REDACTED
non_smtpd_milters = inet:localhost:12301
notify_classes = bounce, 2bounce, data, delay, resource, software
postscreen_access_list = permit_mynetworks, cidr:/etc/postfix/postscreen_spf_whitelist.cidr,
readme_directory = /usr/share/doc/postfix
recipient_delimiter = +
relayhost =
smtp_tls_protocols = !SSLv2, !SSLv3
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
smtpd_milters = inet:localhost:12301
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, check_policy_service inet:127.0.0.1:10023
smtpd_relay_restrictions =
smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/access
smtpd_tls_cert_file = REDACTED
smtpd_tls_key_file = REDACTED
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
### END

> Actual events as logged by Postfix.

OK, a session from /var/log/mail.log, with domains & IPs censored over with A's and D's:

### BEGIN
Jul 30 18:42:21 firefly postfix/smtpd[2315370]: connect from AA-DD.AAAAAAAAAAAA.AAA[DDD.DDD.DDD.DD]
Jul 30 18:42:22 firefly postgrey[414604]: action=pass, reason=client AWL, client_name=AA-DD.AAAAAAAAAAAA.AAA, client_address=DDD.DDD.DDD.DD/32, sender=aaaaaa.aaaaaaaaaaa...@aa.aaaaaaaaaa.aaa, recipient=a...@aaaaaaaaa.aaa
Jul 30 18:42:22 firefly postgrey[414604]: cleaning up old logs...
Jul 30 18:42:22 firefly postfix/smtpd[2315370]: C12C913B050: client=AA-DD.AAAAAAAAAAAA.AAA[DDD.DDD.DDD.DD]
Jul 30 18:42:22 firefly postfix/cleanup[2315373]: C12C913B050: message-id=<aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa...@aa.aaaaaaaaaa.aaa>
Jul 30 18:42:23 firefly opendkim[1215873]: C12C913B050: AA-DD.AAAAAAAAAAAA.AAA [DDD.DDD.DDD.DD] not internal
Jul 30 18:42:23 firefly opendkim[1215873]: C12C913B050: not authenticated
Jul 30 18:42:23 firefly opendkim[1215873]: C12C913B050: DKIM verification successful
Jul 30 18:42:23 firefly opendkim[1215873]: C12C913B050: s=fm d=AAAAAAAAAAA-AA.AAA a=rsa-sha256 SSL
Jul 30 18:42:23 firefly postfix/qmgr[2307335]: C12C913B050: from=<aaaaaa.aaaaaaaaaaa...@aa.aaaaaaaaaa.aaa>, size=46479, nrcpt=1 (queue active)
Jul 30 18:42:23 firefly postfix/smtpd[2315370]: disconnect from AA-DD.AAAAAAAAAAAA.AAA[DDD.DDD.DDD.DD] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
Jul 30 18:42:24 firefly postfix/local[2315374]: C12C913B050: to=<aaaa...@aaaaaaaaa.aaa>, orig_to=<a...@aaaaaaaaa.aaa>, relay=local, delay=1.8, delays=1.2/0.01/0/0.62, dsn=2.0.0, status=sent (delivered to command: procmail -a "$EXTENSION" ORIGINAL_RECIPIENT="$ORIGINAL_RECIPIENT")
Jul 30 18:42:24 firefly postfix/qmgr[2307335]: C12C913B050: removed
### END

-- John Wodder
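
Added example, not part of the thread and not Postfix code: the posted configuration consults its table through check_sender_access, while the quoted reply says the logged client hostname is what check_client_access matches, so this sketch lists the lookup keys each restriction derives (following the order documented in access(5)) and runs one table entry through both. The log lines, the address 192.0.2.45, the sender domain bounce.sender.example and the table entry are constructed; address extensions, IPv6 and the null sender are left out.

```python
import re

# Constructed log lines in the shape Postfix writes; all names are placeholders.
SAMPLE_LOG = """\
Jul 30 18:42:21 mx postfix/smtpd[101]: connect from out-07.spamgateway.nil[192.0.2.45]
Jul 30 18:42:23 mx postfix/qmgr[102]: C12C913B050: from=<news@bounce.sender.example>, size=46479, nrcpt=1 (queue active)
"""

CONNECT = re.compile(r"postfix/smtpd\[\d+\]: connect from (\S+)\[([0-9.]+)\]")
SENDER = re.compile(r"postfix/qmgr\[\d+\]: \w+: from=<([^>]*)>")

def domain_keys(name):
    """The name, then each parent domain (default parent_domain_matches_subdomains)."""
    labels = name.lower().split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]

def client_keys(hostname, ip):
    """Keys for check_client_access: hostname, parent domains, IP, networks."""
    octets = ip.split(".")
    nets = [".".join(octets[:n]) for n in range(4, 0, -1)]
    return domain_keys(hostname) + nets

def sender_keys(address):
    """Keys for check_sender_access: user@domain, domain, parent domains, user@."""
    local, _, domain = address.lower().rpartition("@")
    return [address.lower()] + domain_keys(domain) + [local + "@"]

def lookup(table, keys):
    """Return (key, action) for the first key present in the table, else None."""
    for key in keys:
        if key in table:
            return key, table[key]
    return None

def evaluate(log, table):
    """Run the same table through both restriction types for one logged session."""
    host, ip = CONNECT.search(log).groups()
    sender = SENDER.search(log).group(1)
    return {
        "check_client_access": lookup(table, client_keys(host, ip)),
        "check_sender_access": lookup(table, sender_keys(sender)),
    }

if __name__ == "__main__":
    # Hypothetical access table holding one entry for the relay's domain.
    table = {"spamgateway.nil": "REJECT"}
    for restriction, hit in evaluate(SAMPLE_LOG, table).items():
        print(restriction, "->", hit)
```
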