Hello, I am doing greylisting in smtpd_client_restrictions and later a policy server check in smtpd_recipient_restrictions (postconf included below). smtpd_delay_reject is on (the default).
The weird behaviour I am seeing is that despite a greylisting match (4xx) in sender restrictions, the recipient restrictions are still all being evaluated. In the logs, this looks as follows:

  postgrey[27226]: action=greylist, reason=new, client_name=unknown, client_address=120.28.68.66, sender=reconnoitering...@bk.ru, recipient=new-...@pobox.madduck.net
  postfwd2/policy[1002]: [RULES] rule=3, id=REJECT_HELO_NODNS, client=unknown[120.28.68.66], sender=<reconnoitering...@bk.ru>, recipient=<new-...@pobox.madduck.net>, helo=<[120.28.68.66]>, proto=ESMTP, state=RCPT, delay=0.00s, hits=SET_HELO;SET_NODNS;REJECT_HELO_NODNS, action=REJECT Blocked - Suspicious HELO [[120.28.68.66]] and missing reverse DNS [120.28.68.66]
  postfix/smtpd[14225]: NOQUEUE: reject: RCPT from unknown[120.28.68.66]: 554 5.7.1 <new-...@pobox.madduck.net>: Recipient address rejected: Blocked - Suspicious HELO [[120.28.68.66]] and missing reverse DNS [120.28.68.66]; from=<reconnoitering...@bk.ru> to=<new-...@pobox.madduck.net> proto=ESMTP helo=<[120.28.68.66]>

This comes as a surprise, especially since the SMTPD_ACCESS_README says the following about the case when smtpd_delay_reject is on and all lists are only processed after RCPT TO was sent:

  Restriction lists are still evaluated in the proper order of (client, helo, etrn) or (client, helo, sender, relay, recipient, data, or end-of-data) restrictions. When a restriction list (example: client) evaluates to REJECT or DEFER the restriction lists that follow (example: helo, sender, etc.) are skipped.

In my case, the postgrey check in the sender restrictions returns DEFER, and the README leads me to assume that the recipient list would be skipped. But it is not. The end result (5xx) isn't so bad, but I'd still like to understand what's going on. Is this behaviour tunable? Or am I doing something wrong?

Thanks!
martin

postconf -n follows:

alias_maps = hash:/etc/aliases
allow_percent_hack = no
append_dot_mydomain = no
biff = no
body_checks = pcre:$config_directory/body_checks.pcre
broken_sasl_auth_clients = no
common_recipient_restrictions = reject_non_fqdn_recipient reject_unknown_recipient_domain reject_unlisted_recipient
common_sender_restrictions = reject_non_fqdn_sender reject_unknown_sender_domain check_sender_mx_access cidr:$config_directory/bogus_mx_addresses.cidr
common_submission_access = permit_mynetworks permit_sasl_authenticated permit_tls_clientcerts
config_directory = /etc/postfix
debug_peer_level = 1
defer_transports = hold
delay_warning_time = 3h
disable_vrfy_command = yes
header_checks = pcre:$config_directory/header_checks.pcre pcre:$config_directory/header_checks_antivirus.pcre
inet_interfaces = all
inet_protocols = all
mailbox_command_maps = hash:$config_directory/mailbox_command_maps.hash
mailbox_transport_maps = hash:$config_directory/mailbox_transport_maps.hash
mailman_destination_recipient_limit = 1
message_size_limit = 26214400
mydomain = madduck.net
mynetworks_style = host
postscreen_access_list = permit_mynetworks
postscreen_blacklist_action = ignore
postscreen_dnsbl_action = ignore
postscreen_greet_action = drop
proxy_read_maps = $canonical_maps $lmtp_generic_maps $local_recipient_maps $mydestination $mynetworks $recipient_bcc_maps $recipient_canonical_maps $relay_domains $relay_recipient_maps $relocated_maps $sender_bcc_maps $sender_canonical_maps $smtp_generic_maps $smtpd_sender_login_maps $transport_maps $virtual_alias_domains $virtual_alias_maps $virtual_mailbox_domains $virtual_mailbox_maps
prxysql = proxy:${sql}
recipient_delimiter = +
relay_clientcerts = hash:$config_directory/relay_ccerts.hash
relay_domains = hash:$config_directory/mailman_lists.hash
relocated_maps = ${prxysql}relocated_maps.pgsql
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtp_tls_fingerprint_digest = sha1
smtp_tls_loglevel = 1
smtp_tls_policy_maps = hash:$config_directory/smtp_tls_policy.hash
smtp_tls_security_level = may
smtpd_client_restrictions = reject_unauth_pipelining check_recipient_access pcre:$config_directory/allow_admin_rcpts.pcre check_client_access pcre:$config_directory/greylist_dialups.pcre
smtpd_data_restrictions =
smtpd_end_of_data_restrictions =
smtpd_etrn_restrictions =
smtpd_helo_required = yes
smtpd_helo_restrictions = reject_invalid_helo_hostname check_recipient_access pcre:$config_directory/allow_admin_rcpts.pcre check_helo_access pcre:$config_directory/reject_helo_myhostname.pcre
smtpd_milters = unix:/clamav/clamav-milter.ctl
smtpd_recipient_restrictions = common_recipient_restrictions check_recipient_access pcre:$config_directory/tarpits.pcre check_recipient_access pcre:$config_directory/allow_admin_rcpts.pcre check_policy_service inet:127.0.0.1:10022 reject_unauth_destination
smtpd_relay_restrictions =
smtpd_restriction_classes = target_greylisting common_submission_access submission_client_restrictions submission_helo_restrictions common_sender_restrictions submission_sender_restrictions common_recipient_restrictions submission_recipient_restrictions
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_local_domain = smtprelay.madduck.net
smtpd_sasl_path = private/auth
smtpd_sasl_tls_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = check_sender_access pcre:$config_directory/blacklisted_senders.pcre check_recipient_access pcre:$config_directory/allow_admin_rcpts.pcre common_sender_restrictions
smtpd_tls_CAfile = /etc/ssl/certs/cacert.org_combined.pem
smtpd_tls_ask_ccert = yes
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/ssl/certs/$myhostname.pem
smtpd_tls_fingerprint_digest = sha1
smtpd_tls_key_file = /etc/ssl/private/$myhostname.pem
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
soft_bounce = no
sql = pgsql:${config_directory}/
strict_rfc821_envelopes = yes
submission_client_restrictions = common_submission_access
submission_helo_restrictions = common_submission_access
submission_recipient_restrictions = common_recipient_restrictions common_submission_access
submission_sender_restrictions = common_sender_restrictions common_submission_access
target_greylisting = check_policy_service unix:/private/postgrey
transport_maps = ${prxysql}transport_maps.pgsql hash:$config_directory/mailman_lists.hash
virtual_alias_maps = ${prxysql}virtual_alias_maps.pgsql
virtual_gid_maps = ${prxysql}virtual_gid_maps.pgsql
virtual_mailbox_base = /
virtual_mailbox_domains = ${prxysql}virtual_mailbox_domains.pgsql
virtual_mailbox_maps = ${prxysql}virtual_mailbox_maps.pgsql
virtual_minimum_uid = 70000
virtual_uid_maps = ${prxysql}virtual_uid_maps.pgsql

-- 
@martinkrafft | http://madduck.net/ | http://two.sentenc.es/

"for art to exist, for any sort of aesthetic activity or perception to exist, a certain physiological precondition is indispensable: intoxication."
 -- friedrich nietzsche

spamtraps: madduck.bo...@madduck.net
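Added example, not part of the post and not Postfix or postgrey code: a small Python model of how smtpd walks its restriction lists with smtpd_delay_reject on. It implements the hard REJECT/DEFER rule quoted from SMTPD_ACCESS_README together with the conditional DEFER_IF_PERMIT action from access(5), which is the verdict postgrey hands back by default for a greylisted client and which Postfix only turns into a defer once every later restriction would have permitted the request. The list layout and the sample request follow the post's configuration and log line in simplified form; `postgrey_like`, `policy_reject_nodns`, `reject_unauth_destination`, `post_config`, `sample_request` and `hard_defer` are constructed stand-ins, not the real postgrey, postfwd2 or Postfix logic.

```python
"""Model of Postfix smtpd restriction-list evaluation with smtpd_delay_reject=yes.

Added illustration, not Postfix source. It reproduces the documented access(5)
action semantics closely enough to show which lists get evaluated and why a
later REJECT can win over an earlier DEFER_IF_PERMIT.
"""
from typing import Callable, Dict, List, Tuple

Request = Dict[str, str]
Restriction = Callable[[Request], str]
RestrictionList = Tuple[str, List[Restriction]]

DUNNO, PERMIT, REJECT, DEFER = "DUNNO", "PERMIT", "REJECT", "DEFER"
DEFER_IF_PERMIT, DEFER_IF_REJECT = "DEFER_IF_PERMIT", "DEFER_IF_REJECT"


def evaluate_lists(lists: List[RestrictionList], request: Request) -> Tuple[str, List[str]]:
    """Walk the lists in Postfix order (client, helo, sender, relay, recipient).

    Returns (final_action, names of the lists that were actually evaluated).
    """
    evaluated: List[str] = []
    defer_if_permit = False   # a DEFER_IF_PERMIT seen earlier, still pending
    defer_if_reject = False   # a DEFER_IF_REJECT seen earlier, still pending
    final = PERMIT            # exhausting every list without a verdict is an implicit permit

    for name, restrictions in lists:
        evaluated.append(name)
        verdict = DUNNO
        for restriction in restrictions:
            action = restriction(request)
            if action == DUNNO:
                continue                    # no opinion, ask the next restriction
            if action == DEFER_IF_PERMIT:
                defer_if_permit = True      # remembered, evaluation continues
                continue
            if action == DEFER_IF_REJECT:
                defer_if_reject = True
                continue
            verdict = action                # PERMIT, REJECT or DEFER decides this list
            break
        if verdict in (REJECT, DEFER):
            final = verdict                 # hard verdict: the lists that follow are skipped
            break
        # PERMIT or DUNNO: this list is done, continue with the next one

    # The conditional defers only take effect once the overall outcome is known.
    if final == REJECT and defer_if_reject:
        final = DEFER
    if final == PERMIT and defer_if_permit:
        final = DEFER
    return final, evaluated


# --- constructed stand-ins for the restrictions in the post's configuration ---

def postgrey_like(req: Request) -> str:
    """Greylisting stand-in: postgrey's default verdict for a triplet it has not
    seen before is DEFER_IF_PERMIT, not a plain DEFER."""
    return DUNNO if req["triplet_seen"] == "yes" else DEFER_IF_PERMIT


def policy_reject_nodns(req: Request) -> str:
    """Stand-in for the policy rule REJECT_HELO_NODNS from the post's log: an
    address-literal HELO from a client without reverse DNS is rejected outright."""
    if req["helo"].startswith("[") and req["client_name"] == "unknown":
        return REJECT
    return DUNNO


def reject_unauth_destination(req: Request) -> str:
    """Only accept mail for destinations this server is responsible for."""
    return DUNNO if req["local_recipient"] == "yes" else REJECT


def hard_defer(req: Request) -> str:
    """The case the README sentence describes: a plain DEFER from the client list."""
    return DEFER


def post_config(greylist: Restriction = postgrey_like) -> List[RestrictionList]:
    """Simplified shape of the post's lists: greylisting hangs off
    smtpd_client_restrictions (check_client_access -> target_greylisting), the
    policy server off smtpd_recipient_restrictions."""
    return [
        ("client", [greylist]),
        ("helo", []),
        ("sender", []),
        ("recipient", [policy_reject_nodns, reject_unauth_destination]),
    ]


def sample_request(**overrides: str) -> Request:
    """Constructed request shaped like the log line in the post."""
    req = {
        "client_address": "120.28.68.66",
        "client_name": "unknown",
        "helo": "[120.28.68.66]",
        "triplet_seen": "no",
        "local_recipient": "yes",
    }
    req.update(overrides)
    return req


if __name__ == "__main__":
    # 1. Greylisting says DEFER_IF_PERMIT, the policy server later says REJECT:
    #    every list is evaluated and the REJECT wins (the 554 in the post's log).
    print(evaluate_lists(post_config(), sample_request()))
    # 2. A plain DEFER in the client list: later lists are skipped, as the README says.
    print(evaluate_lists(post_config(hard_defer), sample_request()))
    # 3. Proper HELO and reverse DNS: nothing rejects, so the implicit permit
    #    turns the pending DEFER_IF_PERMIT into the greylisting defer.
    print(evaluate_lists(post_config(), sample_request(helo="mail.example.com", client_name="mail.example.com")))
```

Running the three cases shows the distinction the post is asking about: only a plain REJECT or DEFER short-circuits the remaining lists, while a DEFER_IF_PERMIT keeps them running precisely so that a later reject can take precedence over a greylisting defer.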