On 29 Jul 2017, at 0:13, deoren wrote:

> I suppose it was out of ignorance, but I've used 'OK' in the past to accept mail from specific domains that are blacklisted by Spamhaus or have partial DNS records.
>
> Recently I came across several threads here that noted how this was a bad idea. Looking over the Postfix documentation I seemed to find confirmation of that.

That's not strictly correct. It is more precise to do domain-wide whitelisting in a milter or policy daemon that can authenticate the sender and/or client host in some fashion but if you're not set up for that and can accept the risk of trivial address forgery, whitelisting in Postfix works.

> As a result, I've attempted to start using 'DUNNO' for whitelisting sender domains instead of 'OK'. I don't appear to be having any luck though, so I wanted to reach out and get confirmation that the DUNNO action applies to what I'm trying to do.

It does not. As documented, "DUNNO" only terminates whatever matching is being done within the current map. It does not bypass matching in additional maps for the same restriction (e.g. check_sender_access) or in later restrictions (e.g. reject_rbl_client) within the same restriction list, or in any restriction list that is applied after the current one.

The only way to exempt a sender address from blockage by a DNSBL (i.e. based on client IP) is to map the address to 'OK' (or its synonym 'permit') before the reject_rbl_client directive that you want to not apply, within the same restriction list.

[...]

> I'm attempting to match on the planttherapy.com portion of the 'FROM' value by using 'planttherapy.com' as my left-hand value. I've used the 'OK' right-hand value as a response in the past for domains I've wished to whitelist with the check_sender_access directive. Those entries still work well, though as I've mentioned earlier I now question whether I should be using 'OK' for whitelisting.

Using 'OK' in check_sender_access for whitelisting isn't wrong, it's just imperfect and can be risky. It is trivial to forge the SMTP sender address, so absent additional measures applied AFTER smtpd_recipient_restrictions (such as replicating the reject_rbl_client rules in smtpd_relay_restrictions) your 'OK' whitelisting makes you an open relay for anyone forging the exempted address or domain. Even with an anti-relay backstop, whitelisting on a domain-wide basis is usually unnecessarily broad, opening your local mailboxes to spam with forged senders. The best solution for this in the specific case you cite would be a pcre or regex check_sender_access map limiting the exemption to a sender pattern that isn't obvious, perhaps:

/^[A-Z0-9]{25}@bounce\.planttherapy\.com$/i   OK

N.B.: that's a *guess* about what the local-part pattern might be for that mailing list. Check your actual senders to figure out if it is too tight.

Another option for some cases would be IP-based whitelisting in check_client_access, however in this case I think Spamhaus is absolutely correct to be listing the address, as it has been a tool for subscription-bombing. It is also a nuisance to find all the IPs of a sketchy ESP like listrak, since they have a lot of little blocks almost all smaller than a /24.
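
An added illustration, not part of the original message and not Postfix code: a simplified Python model of how one restriction list is walked, showing why DUNNO does not exempt a sender from a later reject_rbl_client while OK does, and how a domain-wide OK also admits a forged sender. The tables, sample addresses and the 192.0.2.10 client are constructed, and the regex stand-in for a domain key in an access map is an assumption.

```python
import re

# Simplified model (an assumption, not Postfix source) of one smtpd restriction
# list: OK or REJECT ends the list, DUNNO only ends the lookup in the current map.
LISTED_CLIENTS = {"192.0.2.10"}  # constructed: client IPs the DNSBL lists

# Constructed tables; the regexes stand in for a domain key in an access map.
DUNNO_MAP = [(re.compile(r"@(.+\.)?planttherapy\.com$", re.I), "DUNNO")]
DOMAIN_WIDE = [(re.compile(r"@(.+\.)?planttherapy\.com$", re.I), "OK")]
NARROW = [(re.compile(r"^[A-Z0-9]{25}@bounce\.planttherapy\.com$", re.I), "OK")]

LIST_SENDER = "A1B2C" * 5 + "@bounce.planttherapy.com"  # constructed, 25-char local part
FORGED_SENDER = "billing@planttherapy.com"              # constructed forgery


def check_sender_access(table):
    """Build a restriction that looks the envelope sender up in one table."""
    def restriction(client_ip, sender):
        for pattern, action in table:
            if pattern.search(sender):
                return action  # first match decides the result for this map
        return "DUNNO"
    return restriction


def reject_rbl_client(client_ip, sender):
    """DNSBL check: depends only on the client IP, never on the sender."""
    return "REJECT" if client_ip in LISTED_CLIENTS else "DUNNO"


def evaluate(restrictions, client_ip, sender):
    """Walk the list in order; stop at the first OK or REJECT."""
    for restriction in restrictions:
        result = restriction(client_ip, sender)
        if result in ("OK", "REJECT"):
            return result
    return "DUNNO"  # no decision here; later restriction lists still apply


if __name__ == "__main__":
    ip = "192.0.2.10"
    for name, table in (("DUNNO", DUNNO_MAP), ("domain OK", DOMAIN_WIDE), ("narrow OK", NARROW)):
        rules = [check_sender_access(table), reject_rbl_client]
        print(name, evaluate(rules, ip, LIST_SENDER), evaluate(rules, ip, FORGED_SENDER))
```

Run against your own logged envelope senders, the same comparison shows whether a narrow pattern is too tight before it goes into the real map.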
