p...@alt-ctrl-del.org wrote:
Hello postfix admins,
I have always placed all restrictions in smtpd_recipient_restrictions. Over the last few days, I have been experimenting with breaking the restrictions up into client, helo, sender, etc. I ran into something odd (to me) when permit_mynetworks is in smtpd_helo_restrictions.
---
My pretend config:
Version 2.6
host ip: 10.123.45.37
mynetworks = 127.0.0.0/8, 10.123.45.0/24, 10.123.46.0/24
relay_domains = $mynetworks, $transport_maps

smtpd_helo_restrictions = permit_mynetworks, reject_non_fqdn_helo_hostname

smtpd_client_restrictions = permit_mynetworks, reject_unknown_reverse_client_hostname, check_reverse_client_hostname_access regexp:/etc/postfix/rhv1, reject_rbl_client bla.bla.org

smtpd_sender_restrictions = reject_non_fqdn_sender, reject_unknown_sender_domain
---

So I notice that the logs show that when an evil client sends a helo name of 10.123.45.37 (my IP), they sometimes get stopped by the reject_unknown_reverse_client_hostname, other times by the check_reverse_client_hostname_access map, and other times by one of the rbl checks.

So I whip up a check_helo_access map with
10.123.45.37 521 Go Away (postmap -q shows that it works).

Then change smtpd_helo_restrictions to
smtpd_helo_restrictions = permit_mynetworks, check_helo_access /etc/postfix/heloaccess, reject_non_fqdn_helo_hostname

But clients that send a helo of 10.123.45.37, still get as far as reject_unknown_reverse_client_hostname, or check_reverse_client_hostname_access map, or one of the rbl checks.
Then I try the check_helo_access in smtpd_client_restrictions.
smtpd_client_restrictions = permit_mynetworks, check_helo_access ..., etc.

But clients that send a helo of 10.123.45.37, still get as far as reject_unknown_reverse_client_hostname, or check_reverse_client_hostname_access map, or one of the rbl checks.

If I remove permit_mynetworks from smtpd_helo_restrictions, the rules in my check_helo_access map "hit" and are applied.
---

In my line of thinking, $mynetworks is a list of IP addresses. The client hostname is a string.

I would think that having permit_mynetworks in smtpd_helo_restrictions would be applied as "accept any helo, from hosts in mynetworks". But it appears that permit_mynetworks is testing the helo string against the list of IPs in $mynetworks (as strings), then allowing it to pass.

Is this the way it's supposed to behave? It seems wrong to me.

If this is the way it's supposed to behave, then what about permit_mynetworks in smtpd_client_restrictions? Let's say an evil client sets the reverse DNS for their IP to "10.123.45.37". Would permit_mynetworks in smtpd_client_restrictions then permit the client to pass?

I would be inclined to agree with you on what the desired behavior should be. What are your smtpd_recipient_restrictions? Also, what happens if you remove permit_mynetworks from smtpd_helo_restrictions and then try a helo command that matches an address in mynetworks? What I'm asking is whether the helo restrictions are really where the permit is happening.

Nataraj


Hold on...
That machine is running an experimental build of 2.6, from 2008. A quick test of my config on 2.7.1 appears to be working. I'll try some more testing.

But here is my config anyway.
The check_helo_access map was tried as both db and regexp. check_helo_access was tried in helo and client restrictions, then in both. Testing was done via telnet, with fake From and To. All of the access maps contain rejects or DUNNOs. There are no OKs.

smtpd_client_restrictions = permit_mynetworks, check_client_access cidr:/etc/postfix/iprange.cf, reject_unknown_reverse_client_hostname, check_reverse_client_hostname_access regexp:/etc/postfix/reject_hostnames_v1.cf, reject_rbl_client zen.spamhaus.org, reject_rbl_client b.barracudacentral.org, reject_rbl_client combined.njabl.org

smtpd_helo_restrictions = permit_mynetworks, check_helo_access regexp:/etc/postfix/heloaccess.cf, reject_non_fqdn_helo_hostname

smtpd_sender_restrictions = reject_non_fqdn_sender, reject_unknown_sender_domain

smtpd_recipient_restrictions = reject_non_fqdn_recipient, reject_unlisted_recipient, reject_unauth_destination, check_policy_service inet:127.0.0.1:10031, permit


P.S.
I take it that I am expected to bottom-post here. But is it OK if I crop out parts of the original message (if it's long)?

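The question in the first post (does permit_mynetworks test the HELO string or the client address?) and the posted restriction lists in the last message can be walked through with a small model. What follows is an added example, not Postfix source and not the poster's config files: it implements, for just the restrictions the thread uses, the behaviour documented in postconf(5) and SMTPD_ACCESS_README (permit_mynetworks compares the client IP address with $mynetworks and never looks at the HELO string; within a list DUNNO continues, OK ends that list only, REJECT ends everything; with the default smtpd_delay_reject=yes the lists run at RCPT TO in the order client, helo, sender, relay, recipient). The client addresses, the reverse-hostname table and the DNSBL listing are constructed for the demonstration; the $mynetworks value and the 521 entry come from the post.

```python
"""Model of how Postfix walks the smtpd_*_restrictions in the posted config.

Added example, not Postfix code.  Only the restrictions used in the thread
are modelled, with the semantics documented in postconf(5):
  * permit_mynetworks compares the CLIENT IP with $mynetworks, never HELO.
  * DUNNO continues with the next restriction, OK ends the current list
    only, REJECT ends the whole evaluation.
  * Lists are evaluated in the order client, helo, sender, ... (the default
    smtpd_delay_reject=yes defers them all to RCPT TO).
"""
import ipaddress
from dataclasses import dataclass

MYNETWORKS = ["127.0.0.0/8", "10.123.45.0/24", "10.123.46.0/24"]   # from the post
HELO_ACCESS = {"10.123.45.37": "REJECT 521 Go Away"}                # the poster's map
REVERSE_NAME_ACCESS = {"dsl.example.net": "REJECT 554 dynamic host"}  # constructed stand-in for rhv1
RBL_LISTED = {"198.51.100.23"}                                      # constructed DNSBL hit


@dataclass
class Session:
    client_ip: str
    client_name: str  # reverse-DNS name, or "unknown" when the lookup failed
    helo: str


def _lookup_name(table, name):
    """access(5)-style lookup: the full name, then each parent domain."""
    labels = name.split(".")
    for i in range(len(labels)):
        verdict = table.get(".".join(labels[i:]))
        if verdict:
            return verdict
    return "DUNNO"


def permit_mynetworks(s):
    """Matches the client IP, whichever list it sits in; the HELO string is irrelevant."""
    ip = ipaddress.ip_address(s.client_ip)
    return "OK" if any(ip in ipaddress.ip_network(n) for n in MYNETWORKS) else "DUNNO"


def reject_unknown_reverse_client_hostname(s):
    return "REJECT 450 cannot find your reverse hostname" if s.client_name == "unknown" else "DUNNO"


def check_reverse_client_hostname_access(s):
    return _lookup_name(REVERSE_NAME_ACCESS, s.client_name)


def reject_rbl_client(s):
    return "REJECT 554 blocked using DNSBL" if s.client_ip in RBL_LISTED else "DUNNO"


def check_helo_access(s):
    return _lookup_name(HELO_ACCESS, s.helo)


def reject_non_fqdn_helo_hostname(s):
    # Simplified: needs a dot, no trailing dot, and not all-numeric
    # (Postfix's valid_hostname() refuses all-numeric names as well).
    h = s.helo
    if "." not in h or h.endswith(".") or h.replace(".", "").isdigit():
        return "REJECT 504 need fully-qualified hostname"
    return "DUNNO"


def evaluate(lists, s):
    """Walk the lists in Postfix order and return the final verdict."""
    for list_name, restrictions in lists:
        for r in restrictions:
            verdict = r(s)
            if verdict.startswith("REJECT"):
                return f"{verdict} (by {r.__name__} in {list_name})"
            if verdict == "OK":
                break  # a permit ends this list; the next list still runs
    return "OK"


# The client and helo lists as posted (the sender list has no bearing on these scenarios).
POSTED = [
    ("smtpd_client_restrictions", [permit_mynetworks, reject_unknown_reverse_client_hostname,
                                   check_reverse_client_hostname_access, reject_rbl_client]),
    ("smtpd_helo_restrictions", [permit_mynetworks, check_helo_access, reject_non_fqdn_helo_hostname]),
]
# The poster's other attempt: check_helo_access at the head of the client list.
HELO_FIRST = [
    ("smtpd_client_restrictions", [permit_mynetworks, check_helo_access,
                                   reject_unknown_reverse_client_hostname,
                                   check_reverse_client_hostname_access, reject_rbl_client]),
    ("smtpd_helo_restrictions", [permit_mynetworks, reject_non_fqdn_helo_hostname]),
]


def scenarios():
    """Outcomes for a HELO of the server's own IP, from inside and outside $mynetworks."""
    outside_no_rdns = Session("203.0.113.9", "unknown", "10.123.45.37")       # constructed
    outside_rdns = Session("203.0.113.9", "mail.example.org", "10.123.45.37")  # constructed
    inside = Session("10.123.46.9", "pc.corp.example", "10.123.45.37")         # constructed
    return {
        "posted/outside_no_rdns": evaluate(POSTED, outside_no_rdns),
        "posted/outside_rdns": evaluate(POSTED, outside_rdns),
        "posted/inside": evaluate(POSTED, inside),
        "helo_first/outside_no_rdns": evaluate(HELO_FIRST, outside_no_rdns),
    }


if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print(f"{name:28} -> {verdict}")
```

Running it prints one verdict per scenario. Under the documented semantics the outside client with no reverse DNS is stopped in smtpd_client_restrictions before the helo list is ever consulted, the same client with a working reverse name reaches the helo list and gets the 521 from the map (permit_mynetworks returns DUNNO for it no matter what it said in HELO), the host inside $mynetworks is permitted in both lists, and moving check_helo_access to the head of the client list makes the 521 fire first. The model is deliberately reduced: real Postfix does more lookup forms in access(5) tables and has many more restrictions.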