Discussion:
Postscreen_access_list not working
Dave Jones
2016-08-04 18:25:01 UTC
I have to be overlooking something here but I have triple
checked everything and read the documentation multiple
times.

I am trying to use https://github.com/stevejenkins/postwhite
to bypass postscreen checks, primarily dnsbl checks. It
appears that postscreen is not bypassing dnsbl checks:

main.cf
=======
postscreen_access_list =
    permit_mynetworks,
    cidr:/etc/postfix/postscreen_spf_whitelist.cidr

/etc/postfix/postscreen_spf_whitelist.cidr
===============================
...
69.252.207.0/25 permit
...


Jul 28 07:41:30 mail3 postfix/postscreen[9105]: NOQUEUE: reject
RCPT from [69.252.207.29]:34789: 550 5.7.1 Service unavailable;
client [69.252.207.29] blocked using ubl.unsubscore.com;
from=<***@atomicgraphics.biz>, to=<***@example.com>,
proto=ESMTP, helo=<comomta-ch2-03v.sys.comcast.net>

I am seeing postfix/postscreen WHITELISTED entries in the
log for $mynetworks but not anything from
postscreen_spf_whitelist.cidr which has over 750 entries. I am
having to add off-network CIDRs to $mynetworks temporarily to
bypass dnsbl checks.

postfix-3.0.5-1.el6.x86_64

Thanks,
Dave
Wietse Venema
2016-08-04 19:13:26 UTC
Post by Dave Jones
> I have to be overlooking something here but I have triple
> checked everything and read the documentation multiple
> times.
> I am trying to use https://github.com/stevejenkins/postwhite
> to bypass postscreen checks, primarily dnsbl checks. It
> main.cf
> =======
> postscreen_access_list =
>     permit_mynetworks,
>     cidr:/etc/postfix/postscreen_spf_whitelist.cidr
> /etc/postfix/postscreen_spf_whitelist.cidr
> ===============================
> ...
> 69.252.207.0/25 permit

What is in the "..."?

Post by Dave Jones
> Jul 28 07:41:30 mail3 postfix/postscreen[9105]: NOQUEUE: reject
> RCPT from [69.252.207.29]:34789: 550 5.7.1 Service unavailable;
> client [69.252.207.29] blocked using ubl.unsubscore.com;
> proto=ESMTP, helo=<comomta-ch2-03v.sys.comcast.net>
Try:

postmap -q 69.252.207.29 cidr:/etc/postfix/postscreen_spf_whitelist.cidr

Wietse
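As an added illustration of the `postmap -q` check Wietse suggests (example code written for this page, not part of the thread and not Postfix's own code): the Python below re-implements the lookup a `cidr:` table performs, including the first-match rule that is the reason the contents of the "..." matter. A broader entry above the intended line wins, and the later `permit` is never consulted. Both tables are constructed for the example and are not Dave's real whitelist.

```python
"""Emulate `postmap -q <ip> cidr:<file>` against a postscreen_access_list table."""
import ipaddress

# Constructed sample tables; neither is the file from the thread. TRAP_TABLE shows the
# failure the "what is in the ...?" question probes for: a broader entry above the
# intended one matches first, so the later permit line is never reached.
TRAP_TABLE = """\
# constructed: stray broad entry hidden above the intended one
10.0.0.0/8          permit
69.252.0.0/16       reject
69.252.207.0/25     permit
"""

FIXED_TABLE = """\
# constructed: same table with the stray entry removed
10.0.0.0/8          permit
69.252.207.0/25     permit
2001:db8::/32       permit
"""


def parse_cidr_table(text):
    """Return [(network, result)] in file order.

    Blank lines and lines whose first non-blank character is '#' are ignored, and a
    line that starts with whitespace continues the previous logical line, as in all
    Postfix table files. Patterns with host bits set (e.g. 69.252.207.29/25) raise
    here; Postfix itself warns about such entries, so treat them as table errors.
    """
    logical_lines = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and logical_lines:
            logical_lines[-1] += " " + raw.strip()
        else:
            logical_lines.append(raw.strip())

    entries = []
    for line in logical_lines:
        fields = line.split(None, 1)
        if len(fields) != 2:
            raise ValueError(f"malformed cidr entry, need 'pattern result': {line!r}")
        pattern, result = fields
        entries.append((ipaddress.ip_network(pattern), result.strip()))
    return entries


def match_cidr_table(text, client_ip):
    """Return (network, result) of the FIRST matching entry, or None."""
    addr = ipaddress.ip_address(client_ip)
    for network, result in parse_cidr_table(text):
        if addr.version == network.version and addr in network:
            return network, result
    return None


def lookup_cidr_table(text, client_ip):
    """What `postmap -q client_ip cidr:file` would print; None means no match."""
    hit = match_cidr_table(text, client_ip)
    return None if hit is None else hit[1]


if __name__ == "__main__":
    client = "69.252.207.29"  # the Comcast MTA from the log line in the thread
    for name, table in (("trap", TRAP_TABLE), ("fixed", FIXED_TABLE)):
        hit = match_cidr_table(table, client)
        print(f"{name:5s} table: {client} -> {hit[1]} (matched {hit[0]})")
```

When `postmap -q` on the real host returns `permit` but postscreen still rejects, the next things to compare are the file path in `postscreen_access_list` against the one you queried, and the `warning:` lines postscreen logs at startup for entries it could not parse, since a single malformed line can make it skip the table.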
Dave Jones
2016-08-04 19:25:19 UTC
The ... was many lines above and below in that file.

The output shows 'permit' like expected. I keep
forgetting about that very handy postmap -q command
for troubleshooting.

This may have been a typo I just found. Sorry for
the false alarm.

I have been trying to bypass dnsbl and rate limiting
for SASL authenticated senders and I may have put
an invalid option in the postscreen_access_list. I get
so much mail that I didn't see the warning: in the logs
until now.

Is there something like permit_sasl_authenticated that
could be put in the postscreen_access_list and the
smtpd_client_event_limit_exceptions that could bypass
dnsbl and rate limiting for SASL authenticated senders?
/dev/rob0
2016-08-04 20:50:21 UTC
Post by Dave Jones
> Is there something like permit_sasl_authenticated that
> could be put in the postscreen_access_list and the
> smtpd_client_event_limit_exceptions that could bypass
> dnsbl and rate limiting for SASL authenticated senders?
No, since the SASL AUTH won't happen until the client is talking to
smtpd.

You really do not want to put MUAs through postscreen. It is not
made for such a task. What you need to do is one of these choices:
1. Have users use submission (port 587)
2. Have a separate IP address (smtpd only) for submission on 25
3. Disable postscreen
--
http://rob0.nodns4.us/
Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
Dave Jones
2016-08-04 21:08:27 UTC
Thank you for the response.

I do have a submission setup but you reminded me to
look in the master.cf and disable rate limiting:

submission inet n - n - - smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_reject_unlisted_recipient=no
  -o smtpd_recipient_restrictions=
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o smtpd_client_connection_count_limit=0
  -o smtpd_client_connection_rate_limit=0
  -o smtpd_client_recipient_rate_limit=0
  -o smtpd_client_message_rate_limit=0
  -o smtpd_client_new_tls_session_rate_limit=0

Are the *_limit=0 lines above correct for overriding the
main.cf values?

Thanks,
Dave
Noel Jones
2016-08-04 21:54:39 UTC
Referring to the fine manual,
http://www.postfix.org/postconf.5.html#smtpd_client_connection_count_limit
a setting of 0 disables this feature and will override the main.cf
setting.

But you might consider setting a high limit rather than no limit.
Generally about 10x the expected peak traffic should do nicely.



-- Noel Jones
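Pulling together rob0's options and Noel's sizing advice, here is an added master.cf example written for this page; it is not Dave's configuration and not a fragment from the Postfix distribution. The peak-traffic figures, the 203.0.113.25 and 192.0.2.25 addresses and the syslog names are assumptions; the parameter names and the rule that `-o` continuation lines must start with whitespace are Postfix's.

```text
# master.cf (added example, not the configuration from the thread).
# Every "-o" line MUST begin with whitespace; a line that starts in column
# one is read as a new service entry, and the overrides silently vanish.

# Option 1: MUAs submit on 587, which runs smtpd directly and never passes
# through postscreen. Assumed peak for the busiest legitimate client: ~20
# concurrent connections and ~30 connections per minute; limits are set to
# about 10x that rather than 0, since 0 means "no limit" for that parameter.
submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_reject_unlisted_recipient=no
  -o smtpd_recipient_restrictions=
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o smtpd_client_connection_count_limit=200
  -o smtpd_client_connection_rate_limit=300
  -o smtpd_client_recipient_rate_limit=3000
  -o smtpd_client_message_rate_limit=300
  -o smtpd_client_new_tls_session_rate_limit=300

# Option 2: keep postscreen on the MX address (assumed 203.0.113.25) and run a
# plain smtpd on port 25 of a second address (assumed 192.0.2.25) for clients
# that insist on AUTH over 25. Both entries are bound to an explicit address
# so the two port-25 listeners do not collide.
203.0.113.25:smtp inet n -      n       -       1       postscreen
192.0.2.25:smtp   inet n -      n       -       -       smtpd
  -o syslog_name=postfix/smtpd-auth25
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
```

To confirm an override actually took effect on a running system, `postconf -Mf submission/inet` prints the parsed service entry and `postconf -P submission/inet/smtpd_client_connection_count_limit` prints the value smtpd will use for that service; if the latter shows the main.cf value, a continuation line lost its leading whitespace.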