On 3/1/2014 2:10 PM, Noel Jones wrote:
> On 3/1/2014 12:17 PM, Ben Johnson wrote:

Noel, thank you for the incredibly detailed response. I appreciate your time.

>> Hello,
>>
>> I have a need to whitelist a specific sender domain (and any subdomain
>> thereof) such that some of Postfix's normal smtpd_recipient_restrictions
>> are bypassed. Specifically, I need for network blacklist checks to be
>> skipped when the message originates from a specific domain (or any
>> subdomain thereof).
>
> Postfix processes restrictions in the order you specify. First match
> wins.
>
> So your whitelist entry must occur before anything that might reject
> the message.

Okay, that makes sense.

> **IMPORTANT NOTE** if the client is being rejected by postscreen,
> special measures will need to be taken. It would have been nice if
> you included full "postconf -n" output and a sample log of the
> unwanted reject so we would know for sure.
>
> The rest of this message assumes the reject is not happening in
> postscreen.

Postscreen isn't installed on this system. I believe that Postscreen is
available for Postfix >= 2.8, and this is Postfix 2.7. Your assumption is
valid. :) But this is indeed an important note, because I have another
system on which Postscreen *is* installed, and I will need to make the
equivalent changes there, but I can tackle that separately.

>> Basically, a legitimate, external sender (whom I have nothing to do with
>> and no control over) whose outgoing mail is handled via Network
>> Solutions has ended up on a few blacklists. I need for these messages to
>> be delivered to recipients whose mail services we do host/control. The
>> mail seems to come from *.myregisteredsite.com (that's the helo= value
>> in Postfix's log), where * varies. To be clear, the sender's actual
>> email address domain is completely different. (The myregisteredsite.com
>> domain belongs to Network Solutions.)
>>
>> I have read through http://www.postfix.org/RESTRICTION_CLASS_README.html
>> and it seems as though a check of this nature would be subject to SMTP
>> sender address spoofing. I guess I can live with that, but I'm all ears
>> if there is a way to harden the approach against spoofing.
>
> A restriction class is probably overkill for this. Restriction
> classes are useful for two-factor processing, such as "allow this
> specific client only to this specific recipient", or "allow this
> sender address only from this client".

I see; thanks for clarifying this point.

>> After consulting the relevant documentation, I still have several questions:
>>
>> 1.) Is smtpd_recipient_restrictions the correct directive to use for
>> this purpose?
>
> Yes, although if you're using any of the other smtpd_*_restrictions
> sections you'll need to whitelist the sender there too.

This surprises me. Isn't the network blacklist check that is giving me
problems for this particular sender being performed only for
smtpd_recipient_restrictions? I am using the following smtpd_*_restrictions:

smtpd_recipient_restrictions
smtpd_sender_restrictions
smtpd_client_restrictions
smtpd_helo_restrictions
smtpd_data_restrictions

(more details in postconf -n output at end of this message)

Do I really need to implement the whitelist rules for all 5 of these?

>> 2.) Do I need to use the sender's SMTP server domain name? Or do I need
>> to use the sender's proper email address domain (the portion after the
>> local-part)? Is there any reason to create entries for both?
>
> Probably using the sender's email address domain is appropriate for
> this particular application. Although sender addresses are easily
> forged, this isn't usually a big problem unless it's a popular
> forgery target such as a bank or one of the free mail services.
>
> You should use a check_sender_access with the sender's email address
> domain.

Okay; in the example configuration change that you provide below, you
recommend that I put check_sender_access within smtpd_recipient_restrictions.
That makes sense. Should I be using check_sender_access with
smtpd_sender_restrictions, too? Currently, I am, and I believe that ISPConfig
(similar to Zimbra, etc.) created this initial configuration.

>> 3.) What is the syntax required to whitelist all subdomains of the
>> sender's parent domain? Would I simply use "example.com" (without the
>> quotes, of course) to include all subdomains thereof, e.g.,
>> sub1.example.com, sub2.sub1.example.com, etc.? If so, is there a way to
>> include *only* the top-level domain (and exclude any subdomains)?
>
> Subdomain matching is controlled by
> http://www.postfix.org/postconf.5.html#parent_domain_matches_subdomains
>
> Default postfix is to match subdomains in access maps, so
>   example.com
> will match example.com and all subdomains.
>
> To match only the top-level domain, you can set
>   parent_domain_matches_subdomains =
> i.e. set it empty, and then specify in all your maps
>   example.com     # match only example.com
>   .example.com    # match subdomains of example.com, but not example.com

Brilliant; thank you for the thorough explanation.

>> 4.) I want to ensure that whitelisted senders are subject to all of the
>> normal checks, except for the three reject_ rules at the end (see config
>> below). Should I move check_recipient_access down the list so that it's
>> just above reject_rbl_client to achieve the desired result? Or might
>> doing so have unintended consequences?
>
> Put your check_sender_access statement just above the reject_rbl_*
> statements.

Got it; thanks for the clear example below.

>> 5.) Is there a reliable mechanism by which to test/ensure that the
>> whitelist rule is functioning correctly? Something like this perhaps
>> (where example.com is the whitelisted sender's domain)?
>>
>> postmap -q example.com mysql:/etc/postfix/mysql-virtual_recipient.cf
>
> Yes, that will test the map.
>
>> Doing this returns "OK". Should I be looking for something specific in
>> the mail log when mail arrives from a sender at the whitelisted domain, too?
>
> If you have postfix 2.10 or newer, see:
> http://www.postfix.org/postconf.5.html#smtpd_log_access_permit_actions
>
> Otherwise, postfix logs nothing special for permit/OK actions. The
> lack of a reject indicates it's working.

Alas, this is Postfix 2.7.0. So, I'll just have to assume that a lack of
rejections equates to "working as intended".

>> Here is the current value for the smtpd_recipient_restrictions directive
>> (Postfix 2.7.0):
>>
>> smtpd_recipient_restrictions =
>>     permit_mynetworks,
>>     permit_sasl_authenticated,
>>     reject_unauth_destination,
>>     check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf,
>>     reject_sender_login_mismatch,
>>     reject_invalid_hostname,
>>     reject_non_fqdn_hostname,
>>     reject_non_fqdn_sender,
>>     reject_non_fqdn_recipient,
>>     reject_unknown_sender_domain,
>>     reject_unknown_recipient_domain,
>>     check_policy_service unix:private/policy-spf,
>>     check_policy_service inet:127.0.0.1:10023,
>
> # whitelist goes here:
>
>     check_sender_access maptype:/path/to/map
>
>>     reject_rbl_client zen.spamhaus.org,
>>     reject_rhsbl_helo dbl.spamhaus.org,
>>     reject_rhsbl_sender dbl.spamhaus.org
>>
>> The contents of /etc/postfix/mysql-virtual_recipient.cf are as follows:
>>
>
>
> -- 
> Noel Jones

Here's the full postconf -n output in case it's helpful in addressing any of
my follow-up questions. Thanks again for all your help!

alias_database = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
alias_maps = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
append_dot_mydomain = no
biff = no
body_checks = regexp:/etc/postfix/body_checks
broken_sasl_auth_clients = yes
config_directory = /etc/postfix
content_filter = amavis:[127.0.0.1]:10024
header_checks = regexp:/etc/postfix/header_checks
html_directory = /usr/share/doc/postfix/html
inet_interfaces = all
mailbox_size_limit = 0
message_size_limit = 0
mime_header_checks = regexp:/etc/postfix/mime_header_checks
mydestination = localhost, localhost.localdomain
myhostname = mydomain.com
mynetworks = 127.0.0.0/8 [::1]/128
myorigin = /etc/mailname
nested_header_checks = regexp:/etc/postfix/nested_header_checks
owner_request_special = no
proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $virtual_mailbox_limit_maps
readme_directory = /usr/share/doc/postfix
receive_override_options = no_address_mappings
recipient_delimiter = +
relay_domains = mysql:/etc/postfix/mysql-virtual_relaydomains.cf
relay_recipient_maps = mysql:/etc/postfix/mysql-virtual_relayrecipientmaps.cf
relayhost =
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
smtpd_client_message_rate_limit = 100
smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unknown_reverse_client_hostname, check_client_access mysql:/etc/postfix/mysql-virtual_client.cf
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf, reject_sender_login_mismatch, reject_invalid_hostname, reject_non_fqdn_hostname, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unknown_sender_domain, reject_unknown_recipient_domain, check_policy_service unix:private/policy-spf, check_policy_service inet:127.0.0.1:10023, reject_rbl_client zen.spamhaus.org, reject_rhsbl_helo dbl.spamhaus.org, reject_rhsbl_sender dbl.spamhaus.org
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = check_sender_access mysql:/etc/postfix/mysql-virtual_sender.cf
smtpd_tls_cert_file = /root/ssl/postfix.mydomain.com.pem
smtpd_tls_key_file = /root/ssl/mydomain.com.key
smtpd_tls_loglevel = 0
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
strict_rfc821_envelopes = yes
tls_random_source = dev:/dev/urandom
transport_maps = hash:/var/lib/mailman/data/transport-mailman, proxy:mysql:/etc/postfix/mysql-virtual_transports.cf
virtual_alias_domains =
virtual_alias_maps = proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf, proxy:mysql:/etc/postfix/mysql-virtual_email2email.cf, hash:/var/lib/mailman/data/virtual-mailman
virtual_gid_maps = static:5000
virtual_mailbox_base = /var/vmail
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf
virtual_transport = dovecot
virtual_uid_maps = static:5000
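As an added illustration (not code from this thread and not Postfix source), the following Python model shows the two behaviours Noel describes: the access-map key walk that parent_domain_matches_subdomains controls (question 3) and first-match-wins evaluation of a restriction list, which is why the whitelist must sit above reject_rbl_client (question 4). The lookup order is a simplified reading of Postfix's check_sender_access logic; the RBL listing, the client address, the sender address and the map contents are constructed for the example, and a real reject_rbl_client does a DNS query that is stubbed out here.

```python
"""Model of Postfix smtpd access-map matching and restriction ordering.

Added example, not Postfix code. Models only permit_mynetworks,
check_sender_access and reject_rbl_client, which are the restrictions the
thread's whitelist question turns on.
"""

import ipaddress

# Constructed stand-in for a DNSBL answer: client IPs "listed" on the RBL.
# A real reject_rbl_client queries DNS; no lookup happens here.
RBL_LISTED = {"203.0.113.7"}            # documentation address, constructed
MYNETWORKS = [ipaddress.ip_network("127.0.0.0/8"),
              ipaddress.ip_network("::1/128")]


def domain_keys(domain, parent_matches_subdomains=True):
    """Keys tried, in order, when a domain is looked up in an access map.

    With parent_domain_matches_subdomains covering smtpd_access_maps (the
    default), 'sub.example.com' tries sub.example.com, example.com, com.
    With the parameter emptied it tries sub.example.com, .example.com, .com,
    so a bare 'example.com' key then matches only example.com itself.
    """
    labels = domain.lower().rstrip(".").split(".")
    keys = [".".join(labels)]
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        keys.append(parent if parent_matches_subdomains else "." + parent)
    return keys


def sender_keys(sender, parent_matches_subdomains=True):
    """Lookup order for check_sender_access: full address, then the domain
    walk above, then 'localpart@'. Address-extension stripping
    (recipient_delimiter) is omitted for brevity."""
    sender = sender.lower()
    local, _, domain = sender.rpartition("@")
    return [sender] + domain_keys(domain, parent_matches_subdomains) + [local + "@"]


def access_lookup(access_map, keys):
    """First key present in the map wins; returns (key, action) or (None, None)."""
    for key in keys:
        if key in access_map:
            return key, access_map[key]
    return None, None


def evaluate(restrictions, client_ip, sender, access_map,
             parent_matches_subdomains=True):
    """Walk a restriction list top to bottom; returns 'permit' or 'reject: ...'.

    An access-map action of OK permits, REJECT rejects, DUNNO (or no match)
    falls through to the next restriction. Falling off the end of the list
    is a permit, matching the implicit permit at the end of every
    smtpd_*_restrictions list.
    """
    addr = ipaddress.ip_address(client_ip)
    for restriction in restrictions:
        if restriction == "permit_mynetworks":
            if any(addr in net for net in MYNETWORKS):
                return "permit"
        elif restriction == "check_sender_access":
            key, action = access_lookup(
                access_map, sender_keys(sender, parent_matches_subdomains))
            if action == "OK":
                return "permit"
            if action == "REJECT":
                return "reject: check_sender_access %s" % key
        elif restriction == "reject_rbl_client":
            if client_ip in RBL_LISTED:
                return "reject: reject_rbl_client %s" % client_ip
        else:
            raise ValueError("unmodelled restriction: " + restriction)
    return "permit"


# The ordering recommended in the thread: whitelist just above the RBL check.
GOOD_ORDER = ["permit_mynetworks", "check_sender_access", "reject_rbl_client"]
# The ordering that achieves nothing: the RBL reject fires first.
BAD_ORDER = ["permit_mynetworks", "reject_rbl_client", "check_sender_access"]
WHITELIST = {"example.com": "OK"}       # constructed access-map contents
SENDER = "someone@mail.example.com"     # constructed sender at a subdomain


if __name__ == "__main__":
    for order in (GOOD_ORDER, BAD_ORDER):
        print(order, "->", evaluate(order, "203.0.113.7", SENDER, WHITELIST))
    print("keys tried, default:", domain_keys("mail.example.com"))
    print("keys tried, parameter empty:", domain_keys("mail.example.com", False))
```

Two caveats that follow from the model. First, `postmap -q` looks up only the literal key you pass, so it shows that "example.com" is in the map but says nothing about whether mail from a subdomain will match; the walk above is done by smtpd, not by postmap. Second, check_recipient_access is looked up with the recipient address, and check_sender_access with the sender address, so an "example.com OK" row in mysql-virtual_recipient.cf is never consulted for a sender; the whitelist row has to live in a map that a check_sender_access statement references. On the other system, where postscreen is in use, none of this applies to a postscreen reject: postscreen runs before smtpd and sees only the client IP, so the sending hosts' addresses would need a permit entry in postscreen_access_list (for example a cidr: map) instead.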
