Hello postfix admins,
I have always placed all restrictions in smtpd_recipient_restrictions. Over
the last few days, I have been experimenting with breaking the restrictions
up into client, helo, sender, etc. I ran into something odd (to me), when
permit_mynetworks is in smtpd_helo_restrictions.
---
My pretend config:
Version 2.6
host ip: 10.123.45.37
mynetworks = 127.0.0.0/8, 10.123.45.0/24, 10.123.46.0/24
relay_domains = $mynetworks, $transport_maps
smtpd_helo_restrictions = permit_mynetworks, reject_non_fqdn_helo_hostname
smtpd_client_restrictions = permit_mynetworks,
    reject_unknown_reverse_client_hostname, check_reverse_client_hostname_access
    regexp:/etc/postfix/rhv1, reject_rbl_client bla.bla.org
smtpd_sender_restrictions = reject_non_fqdn_sender,
    reject_unknown_sender_domain
---
So I notice that the logs show that when an evil client sends a helo name of
10.123.45.37 (my ip), they sometimes get stopped by the
reject_unknown_reverse_client_hostname, other times by the
check_reverse_client_hostname_access map, and other times by one of the rbl
checks.
So I whip up a check_helo_access map with
10.123.45.37 521 Go Away (postmap -q shows that it works).
Then change smtpd_helo_restrictions to
smtpd_helo_restrictions = permit_mynetworks, check_helo_access
    /etc/postfix/heloaccess, reject_non_fqdn_helo_hostname
But clients that send a helo of 10.123.45.37, still get as far as
reject_unknown_reverse_client_hostname, or
check_reverse_client_hostname_access map, or one of the rbl checks.
Then I try the check_helo_access in smtpd_client_restrictions.
smtpd_client_restrictions = permit_mynetworks, check_helo_access ..., etc.
But clients that send a helo of 10.123.45.37, still get as far as
reject_unknown_reverse_client_hostname, or
check_reverse_client_hostname_access map, or one of the rbl checks.
If I remove permit_mynetworks from smtpd_helo_restrictions, the rules in my
check_helo_access map "hit" and are applied.
---
In my line of thinking, $mynetworks is a list of IP addresses. The client
hostname is a string.
I would think that having permit_mynetworks in smtpd_helo_restrictions,
would be applied as "accept any helo, from hosts in mynetworks".
But it appears that permit_mynetworks is testing the helo string, against
the list of IPs in $mynetworks (as strings), then allowing it to pass.
Is this the way it's supposed to behave? It seems wrong to me.
If this is the way it's supposed to behave, then what about
permit_mynetworks in smtpd_client_restrictions?
Let's say an evil client sets the reverse dns for their IP to
"10.123.45.37". Would permit_mynetworks in smtpd_client_restrictions, then
permit the client to pass?
Thanks.
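
An added example, not part of the original post: a small Python model of Postfix's documented evaluation order (client list before HELO list, permit_mynetworks compares the client IP address, a permit ends only its own list), using abbreviated versions of the lists above. The session dicts, the `has_ptr` flag, the 450 reply text and the example client addresses are constructed assumptions.

```python
import ipaddress

# Values taken from the post's "pretend config".
MYNETWORKS = ["127.0.0.0/8", "10.123.45.0/24", "10.123.46.0/24"]
HELO_ACCESS = {"10.123.45.37": "521 Go Away"}

# Each restriction returns "OK" (permit), a reject text, or None (no decision).
def permit_mynetworks(s):
    # Matches the connecting client's IP address; the HELO string is never consulted.
    ip = ipaddress.ip_address(s["client_ip"])
    return "OK" if any(ip in ipaddress.ip_network(n) for n in MYNETWORKS) else None

def reject_unknown_reverse_client_hostname(s):
    # has_ptr is a constructed stand-in for the DNS lookup; reply text is constructed.
    return None if s["has_ptr"] else "450 client address has no PTR record"

def check_helo_access(s):
    return HELO_ACCESS.get(s["helo"])

# Abbreviated lists, in the order Postfix evaluates them (client first, then HELO).
STAGES = [
    ("client", [permit_mynetworks, reject_unknown_reverse_client_hostname]),
    ("helo", [permit_mynetworks, check_helo_access]),
]

def evaluate(session):
    """Return (list, restriction, reply) for the first reject, or None if accepted."""
    for stage, checks in STAGES:
        for check in checks:
            result = check(session)
            if result == "OK":
                break  # a permit ends this list only; later lists still run
            if result is not None:
                return stage, check.__name__, result  # a reject ends evaluation
    return None

# Constructed sessions: all three send the server's own IP as the HELO name.
OUTSIDE_NO_PTR = {"client_ip": "192.0.2.10", "has_ptr": False, "helo": "10.123.45.37"}
OUTSIDE_PTR = {"client_ip": "198.51.100.7", "has_ptr": True, "helo": "10.123.45.37"}
INSIDE = {"client_ip": "10.123.46.9", "has_ptr": True, "helo": "10.123.45.37"}

if __name__ == "__main__":
    for name, s in [("outside, no PTR", OUTSIDE_NO_PTR),
                    ("outside, PTR", OUTSIDE_PTR), ("inside mynetworks", INSIDE)]:
        print(f"{name:18} -> {evaluate(s)}")
```

In this model the first session is rejected in the client list before the HELO list is reached, and the in-network session is accepted because permit_mynetworks ends the HELO list ahead of check_helo_access.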