Nataraj wrote:
p...@alt-ctrl-del.org wrote:
Hello postfix admins,
I have always placed all restrictions in
smtpd_recipient_restrictions. Over the last few days, I have been
experimenting with breaking the restrictions up into client, helo,
sender, etc. I ran into something odd (to me), when permit_mynetworks
is in smtpd_helo_restrictions.
---
My pretend config:
Version 2.6
host ip: 10.123.45.37
mynetworks = 127.0.0.0/8, 10.123.45.0/24, 10.123.46.0/24
relay_domains = $mynetworks, $transport_maps
smtpd_helo_restrictions = permit_mynetworks,
reject_non_fqdn_helo_hostname
smtpd_client_restrictions = permit_mynetworks,
reject_unknown_reverse_client_hostname,
check_reverse_client_hostname_access regexp:/etc/postfix/rhv1,
reject_rbl_client bla.bla.org
smtpd_sender_restrictions = reject_non_fqdn_sender,
reject_unknown_sender_domain
---
So I notice that the logs show that when an evil client sends a helo
name of 10.123.45.37 (my ip), they sometimes get stopped by the
reject_unknown_reverse_client_hostname, other times by the
check_reverse_client_hostname_access map, and other times by one of
the rbl checks.
So I whip up a check_helo_access map with
10.123.45.37 521 Go Away (postmap -q shows that it works).
Then change smtpd_helo_restrictions to
smtpd_helo_restrictions = permit_mynetworks, check_helo_access
/etc/postfix/heloaccess, reject_non_fqdn_helo_hostname
But clients that send a helo of 10.123.45.37 still get as far as
reject_unknown_reverse_client_hostname, or
check_reverse_client_hostname_access map, or one of the rbl checks.
Then I try the check_helo_access in smtpd_client_restrictions.
smtpd_client_restrictions = permit_mynetworks, check_helo_access ...,
etc.
But clients that send a helo of 10.123.45.37 still get as far as
reject_unknown_reverse_client_hostname, or
check_reverse_client_hostname_access map, or one of the rbl checks.
If I remove permit_mynetworks from smtpd_helo_restrictions, the rules
in my check_helo_access map "hit" and are applied.
Whoops, I missed that you already tried removing permit_mynetworks.
---
In my line of thinking, $mynetworks is a list of IP addresses. The
client hostname is a string.
I would think that having permit_mynetworks in
smtpd_helo_restrictions would be applied as "accept any helo, from
hosts in mynetworks".
But it appears that permit_mynetworks is testing the helo string,
against the list of IPs in $mynetworks (as strings), then allowing
it to pass.
Is this the way it's supposed to behave? It seems wrong to me.
If this is the way it's supposed to behave, then what about
permit_mynetworks in smtpd_client_restrictions?
Let's say an evil client sets the reverse dns for their IP to
"10.123.45.37". Would permit_mynetworks in smtpd_client_restrictions
then permit the client to pass?
I would be inclined to agree with you on what the desired behavior
should be. What are your smtpd_recipient_restrictions? Also, what
happens if you remove the permit_mynetworks from
smtpd_helo_restrictions and then try the helo command that matches an
address in mynetworks? What I'm asking is whether the helo restrictions
are really where the permit is happening.
Nataraj
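To make the question in this thread concrete, here is an added model (not Postfix source code, and not from either poster) that walks one restriction list in order, the way the first PERMIT or reject result ends the list, and contrasts the documented permit_mynetworks semantics (the client IP address is matched against $mynetworks) with the hypothesised behaviour of matching the helo string instead. The networks, host IP and access-map entry are the ones from the pretend config above; the evil client's address 192.0.2.10 is a constructed value.

```python
import ipaddress

# Values from the thread's "pretend config" (constructed test case, not a real site).
MYNETWORKS = ["127.0.0.0/8", "10.123.45.0/24", "10.123.46.0/24"]
HELO_ACCESS = {"10.123.45.37": "521 Go Away"}   # the check_helo_access map


def _in_mynetworks(text, nets):
    """True if `text` parses as an IP address inside one of the $mynetworks entries."""
    try:
        addr = ipaddress.ip_address(text.strip("[]"))
    except ValueError:            # a hostname such as mail.example.com, not an address
        return False
    return any(addr in ipaddress.ip_network(n) for n in nets)


def permit_mynetworks_by_ip(client_ip, helo, nets=MYNETWORKS):
    """Documented semantics: permit when the *client IP address* is in $mynetworks."""
    return "PERMIT" if _in_mynetworks(client_ip, nets) else "DUNNO"


def permit_mynetworks_by_helo_string(client_ip, helo, nets=MYNETWORKS):
    """The poster's hypothesis (wrong model): treat the helo string as if it were the client address."""
    return "PERMIT" if _in_mynetworks(helo, nets) else "DUNNO"


def check_helo_access(client_ip, helo, table=HELO_ACCESS):
    """Look the helo name up in the access map; return its action, else DUNNO."""
    return table.get(helo.lower(), "DUNNO")


def evaluate(restrictions, client_ip, helo):
    """Walk one restriction list in order; the first non-DUNNO result ends the list.
    Returns (result, name_of_restriction_that_decided) or ("DUNNO", None)."""
    for restriction in restrictions:
        result = restriction(client_ip, helo)
        if result != "DUNNO":
            return result, restriction.__name__
    return "DUNNO", None


if __name__ == "__main__":
    evil_client, evil_helo = "192.0.2.10", "10.123.45.37"
    for name, ruleset in [("documented", [permit_mynetworks_by_ip, check_helo_access]),
                          ("hypothesis", [permit_mynetworks_by_helo_string, check_helo_access])]:
        print(name, evaluate(ruleset, evil_client, evil_helo))
```

With the documented semantics the outside client is not in $mynetworks, so the helo access map is reached and its 521 action applies; only under the helo-string hypothesis does permit_mynetworks end the list first.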