On 7/29/17 4:31 PM, Bill Cole wrote:
On 29 Jul 2017, at 0:13, deoren wrote:
I suppose it was out of ignorance, but I've used 'OK' in the past to
accept mail from specific domains that are blacklisted by Spamhaus or
have partial DNS records.
Recently I came across several threads here that noted how this was a
bad idea. Looking over the Postfix documentation I seemed to find
confirmation of that.
That's not strictly correct. It is more precise to do domain-wide
whitelisting in a milter or policy daemon that can authenticate the
sender and/or client host in some fashion but if you're not set up for
that and can accept the risk of trivial address forgery, whitelisting in
Postfix works.
Thanks for the tip. It's been on my todo list for some time, but I'm
making do for now. I hope to carve out some time to implement such a
tool in the future.
As a result, I've attempted to start using 'DUNNO' for whitelisting
sender domains instead of 'OK'. I don't appear to be having any luck
though, so I wanted to reach out and get confirmation that the DUNNO
action applies to what I'm trying to do.
It does not. As documented, "DUNNO" only terminates whatever matching is
being done within the current map. It does not bypass matching in
additional maps for the same restriction (e.g. check_sender_access) or
in later restrictions (e.g. reject_rbl_client) within the same
restriction list, or in any restriction list that is applied after the
current one.
Ah, that makes sense. I was really struggling to understand how DUNNO
works. Thank you for spelling it out to me.
The only way to exempt a sender address from blockage by a DNSBL (i.e.
based on client IP) is to map the address to 'OK' (or its synonym
'permit') before the reject_rbl_client directive that you want to not
apply, within the same restriction list.
That's what I've done in the past, but coming across other threads
recommending the use of DUNNO instead of OK confused me. Evidently I
missed the context of those recommendations, which gave me the
impression that DUNNO terminated execution within the same restriction
list. Again, many thanks for spelling that out.
I'm attempting to match on the planttherapy.com portion of the 'FROM'
value by using 'planttherapy.com' as my left-hand value. I've used the
'OK' right-hand value as a response in the past for domains I've
wished to whitelist with the check_sender_access directive. Those
entries still work well, though as I've mentioned earlier I now
question whether I should be using 'OK' for whitelisting.
Using 'OK' in check_sender_access for whitelisting isn't wrong; it's
just imperfect and can be risky. It is trivial to forge the SMTP sender
address, so absent additional measures applied AFTER
smtpd_recipient_restrictions (such as replicating the reject_rbl_client
rules in smtpd_relay_restrictions) your 'OK' whitelisting makes you an
open relay for anyone forging the exempted address or domain.
So if I return 'OK' within smtpd_recipient_restrictions, will these
rules within smtpd_relay_restrictions be sufficient to prevent granting
them relay access? I was under the impression that it was?
smtpd_relay_restrictions =
permit_mynetworks,
permit_sasl_authenticated,
reject_unauth_destination,
Even with an anti-relay backstop, whitelisting on a domain-wide basis is
usually unnecessarily broad, opening your local mailboxes to spam with
forged senders.
I usually try to match the specific sending address where possible,
unless I see that they're auto-generated, which I presume is an intent
to track specific use of the email, etc.
The best solution for this in the specific case you cite would
be a pcre or regex check_sender_access map limiting the exemption to a
sender pattern that isn't obvious, perhaps:
/^[A-Z0-9]{25}@bounce.planttherapy.com$/i OK
N.B.: that's a *guess* about what the local-part pattern might be for
that mailing list. Check your actual senders to figure out if it is too
tight.
Another option for some cases would be IP-based whitelisting in
check_client_access, however in this case I think Spamhaus is absolutely
correct to be listing the address, as it has been a tool for
subscription-bombing. It is also a nuisance to find all the IPs of a
sketchy ESP like listrak, since they have a lot of little blocks almost
all smaller than a /24.
Good tips, thank you.
I think in a few cases I have whitelisted IPs in the past, but rarely.
I'm fortunate that I'm mostly doing this as a personal/learning setup,
so I've been able to apply what I feel are aggressive checks while
falling back to whitelisting specific sites that send mail that we're
interested in.
So far so good, aside from various points of ignorance like the one you
helped clear up for me. I still have much to learn.
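As an added illustration (not code from the thread or from Postfix itself), this small Python model of the restriction-list semantics Bill describes shows why a DUNNO entry in a check_sender_access map does not exempt a sender from reject_rbl_client, why an OK entry placed earlier in the same list does, and why reject_unauth_destination in smtpd_relay_restrictions still stops a forged sender from relaying. The client IPs, domains and map contents are constructed sample values, and only the OK/DUNNO/REJECT flow is modelled, not Postfix's full lookup rules.

```python
import re

# Constructed sample data, not taken from the thread: one client IP that a DNSBL
# lists, the networks Postfix trusts, and the domains this server is final for.
DNSBL_LISTED = {"192.0.2.10"}
MYNETWORKS = {"10.0.0.5"}
MYDESTINATION = {"example.org"}

def sender_access(table, sender):
    """Mimic a check_sender_access hash map: try the full address, then the
    sender domain and each parent domain. No match means DUNNO (fall through)."""
    domain = sender.rpartition("@")[2]
    labels = domain.split(".")
    keys = [sender] + [".".join(labels[i:]) for i in range(len(labels))]
    return next((table[k] for k in keys if k in table), "DUNNO")

def pcre_sender_access(rules, sender):
    """Mimic a pcre: check_sender_access map (case-insensitive, like /i): first match wins."""
    return next((act for pat, act in rules if re.search(pat, sender, re.I)), "DUNNO")

def permit_mynetworks(m):
    return "OK" if m["client"] in MYNETWORKS else "DUNNO"

def reject_unauth_destination(m):
    return "DUNNO" if m["rcpt"].rpartition("@")[2] in MYDESTINATION else "REJECT"

def reject_rbl_client(m):
    return "REJECT" if m["client"] in DNSBL_LISTED else "DUNNO"

def evaluate(restrictions, m):
    """Restriction-list semantics as described in the thread: OK/permit ends the
    list with permit, REJECT ends it with reject, DUNNO moves on to the next
    restriction; running off the end of the list permits."""
    for restriction in restrictions:
        action = restriction(m)
        if action in ("OK", "permit"):
            return "permit"
        if action.startswith("REJECT"):
            return "reject"
    return "permit"

def accepts(m, sender_check):
    """Mail gets through only if every restriction list permits. The sender
    exemption sits BEFORE reject_rbl_client, as the thread recommends, while
    smtpd_relay_restrictions keeps reject_unauth_destination as the backstop."""
    relay = [permit_mynetworks, reject_unauth_destination]
    recipient = [lambda msg: sender_check(msg["sender"]), reject_rbl_client]
    return all(evaluate(lst, m) == "permit" for lst in (relay, recipient))
```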