Postscreen_access_list not working

Discussion:

(too old to reply)

Dave Jones

2016-08-04 18:25:01 UTC

I have to be overlooking something here but I have tripple
checked everything and read the documentation multiple
times.

I am trying to use https://github.com/stevejenkins/postwhite
to bypass postscreen checks, primarily dnsbl checks. It
appears that postscreen is not bypassing dnsbl checks:

main.cf
=======
postscreen_access_list =
permit_mynetworks,
cidr:/etc/postfix/postscreen_spf_whitelist.cidr

/etc/postfix/postscreen_spf_whitelist.cidr
===============================
...
69.252.207.0/25 permit
...

Jul 28 07:41:30 mail3 postfix/postscreen[9105]: NOQUEUE: reject
RCPT from [69.252.207.29]:34789: 550 5.7.1 Service unavailable;
client [69.252.207.29] blocked using ubl.unsubscore.com;
from=<***@atomicgraphics.biz>, to=<***@example.com>,
proto=ESMTP, helo=<comomta-ch2-03v.sys.comcast.net>

I am seeing postfix/postscreen WHITELISTED entries in the
log for $mynetworks but not anything from
postscreen_spf_whitelist.cidr which has over 750 entries. I am
having to add off-network CIDRs to $mynetworks temporarily to
bypass dnsbl checks.

postfix-3.0.5-1.el6.x86_64

Thanks,
Dave

Wietse Venema

2016-08-04 19:13:26 UTC

Permalink

Post by Dave Jones
I have to be overlooking something here but I have tripple
checked everything and read the documentation multiple
times.
I am trying to use https://github.com/stevejenkins/postwhite
to bypass postscreen checks, primarily dnsbl checks. It
main.cf
=======
postscreen_access_list =
permit_mynetworks,
cidr:/etc/postfix/postscreen_spf_whitelist.cidr
/etc/postfix/postscreen_spf_whitelist.cidr
===============================
...
69.252.207.0/25 permit

What is in the "...'?

Post by Dave Jones
Jul 28 07:41:30 mail3 postfix/postscreen[9105]: NOQUEUE: reject
RCPT from [69.252.207.29]:34789: 550 5.7.1 Service unavailable;
client [69.252.207.29] blocked using ubl.unsubscore.com;
proto=ESMTP, helo=<comomta-ch2-03v.sys.comcast.net>

Try:

postmap -q 69.252.207.29 cidr:/etc/postfix/postscreen_spf_whitelist.cidr

Wietse

Dave Jones

2016-08-04 19:25:19 UTC

Permalink

The ... was many lines above and below in that file.

The output shows 'permit' like expected. I keep
forgetting about that very handy postmap -q command
for troubleshooting.

This may have been a typ-o I just found. Sorry for
the false alarm.

I have been trying to bypass dnsbl and rate limiting
for SASL authenticated senders and I may have put
an invalid option in the postscreen_access_list. I get
so much mail that I didn't see the warning: in the logs
until now.

Is there something like permit_sasl_authenticated that
could be put in the postscreen_access_list and the
smtpd_client_event_limit_exceptions that could bypass
dnsbl and rate limiting for SASL authenticated senders?

Post by Wietse Venema

What is in the "...'?

postmap -q 69.252.207.29 cidr:/etc/postfix/postscreen_spf_whitelist.cidr
Wietse

/dev/rob0

2016-08-04 20:50:21 UTC

Permalink

Post by Dave Jones
Is there something like permit_sasl_authenticated that
could be put in the postscreen_access_list and the
smtpd_client_event_limit_exceptions that could bypass
dnsbl and rate limiting for SASL authenticated senders?

No, since the SASL AUTH won't happen until the client is talking to
smtpd.

You really do not want to put MUAs through postscreen. It is not
made for such a task. What you need to do is one of these choices:
1. Have users use submission (port 587)
2. Have a separate IP address (smtpd only) for submission on 25
3. Disable postscreen

--
http://rob0.nodns4.us/
Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:

Dave Jones

2016-08-04 21:08:27 UTC

Permalink

Thank you for the response.

I do have a submission setup but you reminded me to
look in he master.conf and disable rate limiting:

submission inet n - n - - smtpd
-o syslog_name=postfix/submission
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_reject_unlisted_recipient=no
-o smtpd_recipient_restrictions=
-o smtpd_relay_restrictions=permit_sasl_authenticated,reject
-o smtpd_client_connection_count_limit=0
-o smtpd_client_connection_rate_limit=0
-o smtpd_client_recipient_rate_limit=0
-o smtpd_client_message_rate_limit=0
-o smtpd_client_new_tls_session_rate_limit=0

Are the *_limit=0 lines above correct for overriding the
main.cf values?

Thanks,
Dave

Post by /dev/rob0

No, since the SASL AUTH won't happen until the client is talking to
smtpd.
You really do not want to put MUAs through postscreen. It is not
1. Have users use submission (port 587)
2. Have a separate IP address (smtpd only) for submission on 25
3. Disable postscreen
--
http://rob0.nodns4.us/

Noel Jones

2016-08-04 21:54:39 UTC

Permalink

Post by Dave Jones
Thank you for the response.
I do have a submission setup but you reminded me to
submission inet n - n - - smtpd
-o syslog_name=postfix/submission
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_reject_unlisted_recipient=no
-o smtpd_recipient_restrictions=
-o smtpd_relay_restrictions=permit_sasl_authenticated,reject
-o smtpd_client_connection_count_limit=0
-o smtpd_client_connection_rate_limit=0
-o smtpd_client_recipient_rate_limit=0
-o smtpd_client_message_rate_limit=0
-o smtpd_client_new_tls_session_rate_limit=0
Are the *_limit=0 lines above correct for overriding the
main.cf values?
Thanks,
Dave

Referring to the fine manual,
http://www.postfix.org/postconf.5.html#smtpd_client_connection_count_limit
a setting of 0 disables this feature and will override the main.cf
setting.

But you might consider setting a high limit rather than no limit.
Generally about 10x the expected peak traffic should do nicely.

-- Noel Jones