The problem that I have already described: I have several rules against spammers, and one of them is to reject the IPs that do not resolve. So when the DNS resolution fails, those IPs are rejected for not having a reverse name. In the access I have the IPs that interest me so that they pass these blocks, but even so, as you can see in the connection log, they are rejected for not resolving the IP. Those IPs really do have a reverse name, but for some fault it does not resolve at the moment of connecting with my Postfix.

The two postconf outputs are from the server with which I have this problem. In other emails I was told that the reverse resolution rule reject_unknown_reverse_client_hostname was earlier in the line than the access, so I changed the position, but I still have this failure. The SMTP example that I have posted, although it does not match the IP, as I have said in another email, is an IP of the same company, in this case a digital newspaper that uses several IPs to send emails.

I do not have the problem in the sending but in the reception of mail. I am sorry for not explaining myself well; I hope that what I want to express is understood.

On 02/04/2019 at 20:08, Noel Jones wrote:
On 4/2/2019 12:15 PM, Francesc Peñalvez wrote:

The problem is with the directive reject_unknown_reverse_client_hostname: when there is a failure in the resolution of the IP, it blocks the connection with this IP. To avoid this I added the IP to the access file as indicated in the first mail, but it is still blocking that IP for not resolving. I activated debug on that IP in case I could see the reason, and that's what I get among much data when that IP connects

I don't quite understand what you're trying to say above, you don't show logs indicating the problem you're trying to solve, and your example SMTP session doesn't seem to match your posted config, so I'll give some general pointers.

In your posted config, no locally delivered mail gets past the "permit_auth_destination" statements, bypassing most of your restrictions.

Mail must be permitted (or not rejected) in every smtpd_*_restrictions section to be accepted.

It doesn't make much sense to use both reject_unknown_client_hostname and reject_unknown_reverse_client_hostname, especially with reject_unknown_reverse_client_hostname listed second.

Looks like you have a lot of duplicated statements.

In master.cf for your submission and smtps listeners, you should disable all those extra restrictions, e.g.

-o smtpd_helo_restrictions=
-o smtpd_client_restrictions=
-o smtpd_sender_restrictions=
-o smtpd_relay_restrictions=permit_sasl_authenticated,reject
-o smtpd_recipient_restrictions=

-- Noel Jones

Out: 250-ETRN
Out: 250-AUTH PLAIN LOGIN
Out: 250-AUTH=PLAIN LOGIN
Out: 250-ENHANCEDSTATUSCODES
Out: 250-8BITMIME
Out: 250 DSN
In: MAIL From:<webmas...@elperiodico.com> SIZE=118853
Out: 250 2.1.0 Ok
In: RCPT To:<naz...@almogavers.net>
Out: 450 4.7.25 Client host rejected: cannot find your hostname, [217.124.241.125]
In: DATA
Out: 554 5.5.1 Error: no valid recipients
In: RSET
Out: 250 2.0.0 Ok
In: QUIT
Out: 221 2.0.0 Bye

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
allow_percent_hack = no
allow_untrusted_routing = yes
append_dot_mydomain = no
biff = no
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_list = 213.4.61.170 195.77.249.6 212.0.124.176
home_mailbox = Maildir/
html_directory = no
inet_interfaces = all
inet_protocols = ipv4
mail_owner = postfix
mailbox_command = /usr/bin/procmail-wrapper -o -a $DOMAIN -d $LOGNAME
mailbox_size_limit = 0
mailq_path = /usr/bin/mailq
manpage_directory = /usr/local/man
masquerade_domains = almogavers.net
message_size_limit = 102400000
meta_directory = /etc/postfix
milter_default_action = accept
milter_protocol = 6
mydestination = ns.almogavers.net, localhost.almogavers.net, localhost,canalonanismo.org, canalonanismo.es, almogavers.net, web.almogavers.net,active.almogavers.net, 5.39.93.184, 37.187.18.41
myhostname = almogavers.net
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 192.168.1.2 almogavers.net 192.168.1.0/24
mynetworks_style = class
newaliases_path = /usr/bin/newaliases
non_smtpd_milters = inet:localhost:3277
notify_classes = bounce, 2bounce, delay, policy, protocol, resource, software
postscreen_access_list = permit_mynetworks cidr:/etc/postfix/trusted_ips.cidr
postscreen_blacklist_action = drop
postscreen_dnsbl_action = enforce
postscreen_dnsbl_reply_map = texthash:/etc/postfix/postscreen_dnsbl_reply
postscreen_dnsbl_sites = zen.spamhaus.org=127.0.0.[2..11]*3 b.barracudacentral.org=127.0.0.[2..11]*2 bl.spamcop.net swl.spamhaus.org*-4
postscreen_dnsbl_threshold = 1
postscreen_dnsbl_ttl = 10m
postscreen_greet_action = enforce
queue_directory = /var/spool/postfix
readme_directory = no
recipient_delimiter = +
sample_directory = /etc/postfix
sender_bcc_maps = hash:/etc/postfix/bcc
sender_dependent_default_transport_maps = hash:/etc/postfix/dependent
sendmail_path = /usr/sbin/sendmail
setgid_group = postdrop
shlib_directory = /usr/lib/postfix
smtp_dns_support_level = enabled
smtp_host_lookup = dns
smtp_tls_CApath = /etc/ssl/certs
smtp_tls_ciphers = medium
smtp_tls_loglevel = 1
smtp_tls_protocols = !SSLv2, !SSLv3
smtp_tls_security_level = dane
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_use_tls = yes
smtpd_client_restrictions = permit_mynetworks permit_inet_interfaces permit_tls_all_clientcerts permit_sasl_authenticated permit_auth_destination check_client_access hash:/etc/postfix/access
smtpd_hard_error_limit = 20
smtpd_helo_restrictions = permit_mynetworks, check_client_access hash:/etc/postfix/access, check_client_access cidr:/etc/postfix/trusted_ips.cidr, reject_invalid_hostname, permit
smtpd_milters = inet:localhost:3277
smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated check_client_access hash:/etc/postfix/access permit_auth_destination reject_unauth_destination reject_invalid_hostname reject_unknown_recipient_domain reject_unknown_client_hostname reject_unknown_reverse_client_hostname reject_unverified_recipient check_policy_service inet:127.0.0.1:10023
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination permit_inet_interfaces check_client_access hash:/etc/postfix/access reject_unknown_reverse_client_hostname
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous noplaintext
smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
smtpd_sender_restrictions = permit_mynetworks check_client_access hash:/etc/postfix/access permit_auth_destination permit_sasl_authenticated check_sender_access inline:{ { almogavers.net = REJECT local sender from unauthorized client } }
smtpd_tls_CAfile = /etc/postfix/postfix.ca.pem
smtpd_tls_CApath = /etc/ssl/certs
smtpd_tls_cert_file = /etc/postfix/postfix.cert.pem
smtpd_tls_ciphers = medium
smtpd_tls_key_file = /etc/postfix/postfix.key.pem
smtpd_tls_mandatory_ciphers = high
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
virtual_alias_maps = hash:/etc/postfix/virtual

smtp inet n - y - - smtpd -o content_filter=spamassassin -o smtpd_sasl_auth_enable=yes receive_override_options=no_header_body_checks
smtp inet n - y - 1 postscreen
dnsblog unix - - y - 0 dnsblog
tlsproxy unix - - y - 0 tlsproxy
smtpd pass - - y - - smtpd
submission inet n - y - - smtpd -o syslog_name=postfix/submission -o smtpd_tls_security_level=encrypt -o smtpd_sasl_auth_enable=yes -o smtpd_client_restrictions=permit_sasl_authenticated,reject -o milter_macro_daemon_name=ORIGINATING -o content_filter=spamassassin
smtps inet n - y - - smtpd -o syslog_name=postfix/smtps -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes -o smtpd_client_restrictions=permit_sasl_authenticated,reject -o milter_macro_daemon_name=ORIGINATING
pickup fifo n - y 60 1 pickup
cleanup unix n - y - 0 cleanup
qmgr fifo n - n 300 1 qmgr
tlsmgr unix - - y 1000? 1 tlsmgr
rewrite unix - - y - - trivial-rewrite
bounce unix - - y - 0 bounce
defer unix - - y - 0 bounce
trace unix - - y - 0 bounce
verify unix - - y - 1 verify
flush unix n - y 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - y - - smtp -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
relay unix - - y - - smtp
showq unix n - y - - showq
error unix - - y - - error
retry unix - - y - - error
discard unix - - y - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - y - - lmtp
anvil unix - - y - 1 anvil
scache unix - - y - 1 scache
maildrop unix - n n - - pipe flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
uucp unix - n n - - pipe flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail unix - n n - - pipe flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp unix - n n - - pipe flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix - n n - 2 pipe flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop}${user} ${extension}
mailman unix - n n - - pipe flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py ${nexthop}${user}
policyd-spf unix - n n - 0 spawn user=policyd-spf argv=/usr/bin/policyd-spf
smtp-amavis unix - - n - 2 smtp -o smtp_data_done_timeout=1200 -o disable_dns_lookups=yes
127.0.0.1:10025 inet n - n - - smtpd -o content_filter= -o disable_dns_lookups=yes -o local_recipient_maps= -o relay_recipient_maps= -o smtpd_restriction_classes= -o smtpd_client_restrictions= -o smtpd_helo_restrictions= -o smtpd_sender_restrictions= -o smtpd_recipient_restrictions=permit_mynetworks,reject -o mynetworks=127.0.0.0/8 -o strict_rfc821_envelopes=yes -o smtpd_error_sleep_time=0 -o smtpd_soft_error_limit=1001 -o smtpd_hard_error_limit=1000 -o smtp_data_done_timeout=1200 -o disable_dns_lookups=yes
spamassassin unix - n n - - pipe user=debian-spamd argv=/usr/bin/spamc -f -e /usr/sbin/sendmail -oi -f ${sender} ${recipient}
dane unix - - n - - smtp -o smtp_dns_support_level=dnssec -o smtp_tls_security_level=dane
postlog unix-dgram n - n - 1 postlogd

On 02/04/2019 at 18:38, Bill Cole wrote:

On 2 Apr 2019, at 11:17, Francesc Peñalvez wrote:

Following the instructions given to me, I placed the access in front of the rule that does not support unresolved IPs, and as I still have the same problems I added a debug to the IP that interests me, and among other things in this debug I find this:

16:43:05 ns postfix / smtpd [28258]: generic_checks: name = check_client_access
Apr 2 16:43:05 ns postfix / smtpd [28258]: check_namadr_access: name unknown addr 213.4.61.170
Apr 2 16:43:05 ns postfix / smtpd [28258]: check_domain_access: unknown
Apr 2 16:43:05 ns postfix / smtpd [28258]: maps_find: hash: / etc / postfix / access: unknown: not found
Apr 2 16:43:05 ns postfix / smtpd [28258]: check_addr_access: 213.4.61.170

My access file contains:

213.4.61.170 OK

Where do I have the error?

It is impossible for us to tell, because you have not provided enough information. The solution may be as simple as using 'postmap' to rebuild the operational form of the access map (e.g. /etc/postfix/access.db) or it may be something more complex.

See http://www.postfix.org/DEBUG_README.html#mail for how to effectively report problems here.

Most importantly:

1. Turn off debug logging.
2. Provide the output of 'postconf -nf' and 'postconf -Mf'
3. Provide log lines relevant to a single SMTP session with the problem.
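
Added example, not part of the original thread and not Postfix code: a simplified Python model of the rule stated in the quoted reply, that mail must be permitted (or not rejected) in every smtpd_*_restrictions section. It assumes the default smtpd_delay_reject = yes, models only two restrictions, and uses constructed layouts and clients built from the addresses shown in the thread.

```python
# Simplified model of Postfix smtpd access evaluation; not Postfix source code.
OK, REJECT, DUNNO = "OK", "REJECT", "DUNNO"

ACCESS = {"213.4.61.170": OK}  # access map entry quoted in the thread


def check_client_access(client):
    # Address lookup only; a hit returns the table action, a miss is DUNNO.
    return ACCESS.get(client["addr"], DUNNO)


def reject_unknown_reverse_client_hostname(client):
    # No address-to-name mapping available; REJECT here stands for any
    # refusal, including the 450 sent on a temporary lookup failure.
    return REJECT if client["ptr"] is None else DUNNO


def evaluate_list(restrictions, client):
    """Walk one list; the first non-DUNNO result ends this list only."""
    for check in restrictions:
        result = check(client)
        if result != DUNNO:
            return result, check.__name__
    return DUNNO, None


def evaluate_rcpt(config, client):
    """Every list must pass; an OK in one list does not carry into the next."""
    for list_name, restrictions in config:
        result, rule = evaluate_list(restrictions, client)
        if result == REJECT:
            return REJECT, list_name, rule
    return OK, None, None


# Constructed layouts: the allow-list sits only in the client list (A),
# or also ahead of the reverse-DNS check in the list that contains it (B).
LAYOUT_A = [
    ("smtpd_client_restrictions", [check_client_access]),
    ("smtpd_recipient_restrictions", [reject_unknown_reverse_client_hostname]),
]
LAYOUT_B = [
    ("smtpd_client_restrictions", [check_client_access]),
    ("smtpd_recipient_restrictions",
     [check_client_access, reject_unknown_reverse_client_hostname]),
]

# Constructed clients: the PTR lookup failed for both at connect time.
LISTED = {"addr": "213.4.61.170", "ptr": None}
UNLISTED = {"addr": "217.124.241.125", "ptr": None}

if __name__ == "__main__":
    for label, layout in (("A", LAYOUT_A), ("B", LAYOUT_B)):
        for client in (LISTED, UNLISTED):
            print(label, client["addr"], evaluate_rcpt(layout, client))
```

In layout A the listed address is still refused because its OK ends only the client list; in layout B it passes, while the address that is not in the access map is refused in both.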