smtpd_restrictions sanity check

by Alex-325

Hi all,

Hopefully I don't have the most frequently asked question, but I'm
spinning my wheels and perhaps followed some bad advice. I hoped
someone could look over my recipient restrictions to see if I'm making
some kind of mistake:

smtpd_recipient_restrictions =
        reject_invalid_hostname,
        reject_non_fqdn_hostname,
        reject_non_fqdn_sender,
        reject_non_fqdn_recipient,
        reject_unknown_sender_domain,
        reject_unknown_recipient_domain,
        reject_unauth_pipelining,
        check_client_access hash:/etc/postfix/client_checks,
        check_recipient_access pcre:/etc/postfix/relay_recips_checks,
        check_helo_access hash:/etc/postfix/helo_checks,
        check_sender_access hash:/etc/postfix/sender_checks,
        check_sender_access hash:/etc/postfix/disallow_my_domain,
        permit_mynetworks,
        check_recipient_access pcre:/etc/postfix/recipient_checks,
        reject_unauth_destination,
        reject_maps_rbl,
        permit

I originally had permit_mynetworks further up, but it seems
client_checks was then being ignored, despite the client not being on
my network.

I'm now trying to provide a mail server that is not part of my
networks to my network.

I also have a handful of cron scripts that run on this remote network
that send mail to my network, but with internal hostnames that aren't
resolvable once they reach my network. Do I just add them to my
postfix hosts file or is there a way to avoid checking the hostname
(sender access?) so they aren't rejected with "Sender address
rejected: Domain not found"?

Thanks,
Alex

Re: smtpd_restrictions sanity check

by Sahil Tandon

On Sat, 31 Oct 2009, Alex wrote:

> smtpd_recipient_restrictions =
>         reject_invalid_hostname,
>         reject_non_fqdn_hostname,
>         reject_non_fqdn_sender,
>         reject_non_fqdn_recipient,
>         reject_unknown_sender_domain,
>         reject_unknown_recipient_domain,
>         reject_unauth_pipelining,
>         check_client_access hash:/etc/postfix/client_checks,
>         check_recipient_access pcre:/etc/postfix/relay_recips_checks,
>         check_helo_access hash:/etc/postfix/helo_checks,
>         check_sender_access hash:/etc/postfix/sender_checks,
>         check_sender_access hash:/etc/postfix/disallow_my_domain,
>         permit_mynetworks,
>         check_recipient_access pcre:/etc/postfix/recipient_checks,
>         reject_unauth_destination,

Place this higher so you can sooner reject unauthorized relay attempts.

>         reject_maps_rbl,
>         permit

This is unnecessary; remove it.

> I originally had permit_mynetworks further up, but it seems
> client_checks was then being ignored, despite the client not being on
> my network.

This is not how Postfix works, so you borked something, somewhere else
in your configuration.  Instead of showing a snippet of your main.cf,
paste the entire output of 'postconf -n' and logging that corresponds to
your problem description.

> I also have a handful of cron scripts that run on this remote network
> that send mail to my network, but with internal hostnames that aren't
> resolvable once they reach my network. Do I just add them to my
> postfix hosts file or is there a way to avoid checking the hostname
> (sender access?) so they aren't rejected with "Sender address
> rejected: Domain not found"?

Add them to a whitelist and consult that whitelist (with
check_client_access) before rejecting unknown (or non-fqdn) sender
domains.

--
Sahil Tandon <sahil@...>

Re: smtpd_restrictions sanity check

by Ralf Hildebrandt

* Alex <mysqlstudent@...>:

>         reject_maps_rbl,

That's deprecated, for years.

--
Ralf Hildebrandt
  Geschäftsbereich IT | Abteilung Netzwerk
  Charité - Universitätsmedizin Berlin
  Campus Benjamin Franklin
  Hindenburgdamm 30 | D-12203 Berlin
  Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
  ralf.hildebrandt@... | http://www.charite.de

Re: smtpd_restrictions sanity check

by mouss-4

Alex wrote:

> Hi all,
>
> Hopefully I don't have the most frequently asked question, but I'm
> spinning my wheels and perhaps followed some bad advice. I hoped
> someone could look over my recipient restrictions to see if I'm making
> some kind of mistake:
>
> smtpd_recipient_restrictions =
>         reject_invalid_hostname,
>         reject_non_fqdn_hostname,
>         reject_non_fqdn_sender,
>         reject_non_fqdn_recipient,
>         reject_unknown_sender_domain,
>         reject_unknown_recipient_domain,
>         reject_unauth_pipelining,
>         check_client_access hash:/etc/postfix/client_checks,
>         check_recipient_access pcre:/etc/postfix/relay_recips_checks,
>         check_helo_access hash:/etc/postfix/helo_checks,
>         check_sender_access hash:/etc/postfix/sender_checks,
>         check_sender_access hash:/etc/postfix/disallow_my_domain,
>         permit_mynetworks,
>         check_recipient_access pcre:/etc/postfix/recipient_checks,
>         reject_unauth_destination,
>         reject_maps_rbl,
>         permit
>


smtpd_recipient_restrictions =
        reject_non_fqdn_sender
        reject_non_fqdn_recipient
        permit_mynetworks
        #permit_sasl_authenticated
        reject_unauth_destination
        #
        reject_invalid_hostname
        reject_non_fqdn_hostname
        reject_unknown_sender_domain
        #
        check_client_access hash:/etc/postfix/client_checks
        check_recipient_access pcre:/etc/postfix/relay_recips_checks
        check_helo_access hash:/etc/postfix/helo_checks
        check_sender_access hash:/etc/postfix/sender_checks
        check_sender_access hash:/etc/postfix/disallow_my_domain
        check_recipient_access pcre:/etc/postfix/recipient_checks
        #
        reject_rbl_client zen.spamhaus.org

> I originally had permit_mynetworks further up, but it seems
> client_checks was then being ignored, despite the client not being on
> my network.
>
> I'm now trying to provide a mail server that is not part of my
> networks to my network.
>
> I also have a handful of cron scripts that run on this remote network
> that send mail to my network, but with internal hostnames that aren't
> resolvable once they reach my network. Do I just add them to my
> postfix hosts file or is there a way to avoid checking the hostname
> (sender access?) so they aren't rejected with "Sender address
> rejected: Domain not found"?
>
> Thanks,
> Alex


Re: smtpd_restrictions sanity check

by Alex-325

Hi,

> smtpd_recipient_restrictions =
>        reject_non_fqdn_sender
>        reject_non_fqdn_recipient
>        permit_mynetworks
>        #permit_sasl_authenticated
>        reject_unauth_destination
>        #
>        reject_invalid_hostname
>        reject_non_fqdn_hostname
>        reject_unknown_sender_domain
>        #
>        check_client_access hash:/etc/postfix/client_checks
>        check_recipient_access pcre:/etc/postfix/relay_recips_checks
>        check_helo_access hash:/etc/postfix/helo_checks
>        check_sender_access hash:/etc/postfix/sender_checks
>        check_sender_access hash:/etc/postfix/disallow_my_domain
>        check_recipient_access pcre:/etc/postfix/recipient_checks
>        #
>        reject_rbl_client zen.spamhaus.org

How about pop-before-smtp? Would I add the check_client_access
immediately after permit_mynetworks above?

Will this configuration above prevent DSL or cable users without
reverse, only forward DNS from being accepted? I keep receiving the
following:

Nov  1 15:34:42 smtp01 postfix/smtpd[28620]: warning: 67.142.235.122:
hostname host6714200122235.direcway.com verification failed: Host not
found

The IP is in the popb4smtp db, but they still receive a relaying denied message:

Nov  1 14:32:44 smtp01 postfix/smtpd[23790]: reject: RCPT from
unknown[67.142.235.122]: 554 <John@...>: Relay access denied;
from=<joe3135@...> to=<John@...>

Thanks so much.
Best regards,
Alex

Re: smtpd_restrictions sanity check

by mouss-4

Alex wrote:

> Hi,
>
>> smtpd_recipient_restrictions =
>>        reject_non_fqdn_sender
>>        reject_non_fqdn_recipient
>>        permit_mynetworks
>>        #permit_sasl_authenticated
>>        reject_unauth_destination
>>        #
>>        reject_invalid_hostname
>>        reject_non_fqdn_hostname
>>        reject_unknown_sender_domain
>>        #
>>        check_client_access hash:/etc/postfix/client_checks
>>        check_recipient_access pcre:/etc/postfix/relay_recips_checks
>>        check_helo_access hash:/etc/postfix/helo_checks
>>        check_sender_access hash:/etc/postfix/sender_checks
>>        check_sender_access hash:/etc/postfix/disallow_my_domain
>>        check_recipient_access pcre:/etc/postfix/recipient_checks
>>        #
>>        reject_rbl_client zen.spamhaus.org
>
> How about pop-before-smtp? Would I add the check_client_access
> immediately after permit_mynetworks above?
>

yes. but it is worth investing your time to implement SASL instead.

if you use pop before smtp, use a dedicated file and use it before
reject_unauth_destination (so that they can relay).

> Will this configuration above prevent DSL or cable users without
> reverse, only forward DNS from being accepted? I keep receiving the
> following:
>
> Nov  1 15:34:42 smtp01 postfix/smtpd[28620]: warning: 67.142.235.122:
> hostname host6714200122235.direcway.com verification failed: Host not
> found
>

this is only informational.

> The IP is in the popb4smtp db, but they still receive a relaying denied message:
>
> Nov  1 14:32:44 smtp01 postfix/smtpd[23790]: reject: RCPT from
> unknown[67.142.235.122]: 554 <John@...>: Relay access denied;
> from=<joe3135@...> to=<John@...>
>

make sure the popb4smtp check comes before reject_unauth_destination. if
this is the case and you still see "Relay access denied", check that
the IP of the client is in the map at the time of the check. and of
course, the map should return OK for the IP.
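Sahil's advice (whitelist the cron hosts with check_client_access before reject_unknown_sender_domain), mouss's reordered list, and mouss's last point about the pop-before-smtp map all rest on the same rule: smtpd walks the restriction list in order and stops at the first restriction that returns OK or REJECT; DUNNO falls through, and an exhausted list permits. The following is an added example written for this page, not Postfix's own code and not anything posted in the thread: a small Python model of that first-match walk for the handful of restrictions discussed here. The networks, domains, the contents of client_checks and the hash:/etc/postfix/popb4smtp map path are constructed assumptions.

```python
"""Toy model of how Postfix evaluates smtpd_recipient_restrictions.

Added example, not Postfix source. It reproduces only the first-match rule
(restrictions run in listed order; the first OK or REJECT decides; DUNNO
falls through; an exhausted list permits) for the restrictions the thread
discusses. Networks, domains and map contents are constructed.
"""
import ipaddress

# Constructed environment (assumptions, not taken from the thread).
MYNETWORKS = [ipaddress.ip_network("127.0.0.0/8"),
              ipaddress.ip_network("192.0.2.0/24")]
MY_DOMAINS = {"example.com"}                 # destinations we relay for
RESOLVABLE = {"example.com", "example.net"}  # stand-in for DNS lookups
TABLES = {
    # cron hosts on the remote network, keyed by client IP
    "hash:/etc/postfix/client_checks": {"198.51.100.7": "OK"},
    # IPs recorded by pop-before-smtp (map path is assumed)
    "hash:/etc/postfix/popb4smtp": {"203.0.113.9": "OK"},
}

RELAY_DENIED = "REJECT Relay access denied"
DOMAIN_NOT_FOUND = "REJECT Sender address rejected: Domain not found"


def in_mynetworks(client_ip):
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in MYNETWORKS)


def evaluate(restrictions, client_ip, sender, recipient):
    """Return (verdict, deciding restriction), mirroring smtpd's first-match walk."""
    sender_domain = sender.rsplit("@", 1)[-1]
    rcpt_domain = recipient.rsplit("@", 1)[-1]
    for r in restrictions:
        if r == "permit_mynetworks":
            verdict = "OK" if in_mynetworks(client_ip) else "DUNNO"
        elif r == "reject_unauth_destination":
            verdict = "DUNNO" if rcpt_domain in MY_DOMAINS else RELAY_DENIED
        elif r == "reject_unknown_sender_domain":
            verdict = "DUNNO" if sender_domain in RESOLVABLE else DOMAIN_NOT_FOUND
        elif r.startswith("check_client_access "):
            verdict = TABLES[r.split()[1]].get(client_ip, "DUNNO")
        elif r == "permit":
            verdict = "OK"
        else:
            raise ValueError("restriction not modelled: " + r)
        if verdict != "DUNNO":
            return verdict, r
    return "OK", "end of list"   # Postfix permits when the list is exhausted


CLIENT_CHECKS = "check_client_access hash:/etc/postfix/client_checks"
POPB4SMTP_CHECK = "check_client_access hash:/etc/postfix/popb4smtp"


# Sahil's point: permit_mynetworks placed first cannot hide client_checks from
# an off-network client; it only short-circuits for clients inside mynetworks.
def client_checks_still_consulted():
    order = ["permit_mynetworks", CLIENT_CHECKS, "reject_unauth_destination"]
    return evaluate(order, "198.51.100.7", "root@cron1.internal", "ops@example.com")


# The cron hosts: whitelist them by client IP before reject_unknown_sender_domain,
# but after reject_unauth_destination, otherwise the OK also grants them relaying.
SAFE_ORDER = ["permit_mynetworks", "reject_unauth_destination",
              CLIENT_CHECKS, "reject_unknown_sender_domain"]
# Whitelist consulted too late: the unresolvable sender domain is rejected first.
STRICT_ORDER = ["permit_mynetworks", "reject_unauth_destination",
                "reject_unknown_sender_domain", CLIENT_CHECKS]


def cron_host(recipient, order=SAFE_ORDER):
    return evaluate(order, "198.51.100.7", "root@cron1.internal", recipient)


# mouss's point on pop-before-smtp: the OK must come before
# reject_unauth_destination, otherwise the client sees "Relay access denied".
WRONG_ORDER = ["permit_mynetworks", "reject_unauth_destination", POPB4SMTP_CHECK]
RIGHT_ORDER = ["permit_mynetworks", POPB4SMTP_CHECK, "reject_unauth_destination"]


def popb4smtp(order):
    return evaluate(order, "203.0.113.9", "joe@example.net", "john@example.org")


if __name__ == "__main__":
    print(client_checks_still_consulted())
    print(cron_host("ops@example.com"))
    print(cron_host("ops@example.com", STRICT_ORDER))
    print(cron_host("someone@example.org"))
    print(popb4smtp(WRONG_ORDER))
    print(popb4smtp(RIGHT_ORDER))
```

The cron-host case also shows why a whitelist entry that returns OK belongs after reject_unauth_destination: OK ends the evaluation, so a check_client_access placed before reject_unauth_destination turns every whitelisted client into a relay client; placed after it, the whitelist only bypasses the later sender and HELO checks for mail to your own domains. On Postfix 2.10 and later, relay permission is additionally evaluated in smtpd_relay_restrictions (default: permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination), so a pop-before-smtp map that is meant to grant relaying has to be listed there as well, not only in smtpd_recipient_restrictions.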