Discussion:
REJECT and "optional text" question...
Pedro David Marco
2016-07-26 03:46:54 UTC
Hello,

I have a sender restriction like this:

smtpd_sender_restrictions =
    permit_mynetworks
    check_client_access hash:/etc/postfix/special_clients

and in special_clients file:

205.201.128.108 REJECT You are blacklisted



What I see is that it works and the client gets rejected, BUT with the message "Access denied" and not "You are blacklisted".

example log:

2016 Jul 23 04:11:05 host1 postfix/smtpd[10484]: NOQUEUE: reject: RCPT from mail108.us4.mcsv.net[205.201.128.108]: 554 5.7.1 <bounce-mc.us11_44614205.940081-mpar=***@mail108.us4.mcsv.net>: Sender address rejected: Access denied; from=<bounce-mc.us11_44614205.940081-mpar=***@mail108.us4.mcsv.net> to=<mpar=iblhelper.net> proto=ESMTP helo=<mail108.us4.mcsv.net>


Any idea why, please?

Thanks!

Pedreter.
Wietse Venema
2016-07-26 10:03:14 UTC
Post by Pedro David Marco
> check_client_access hash:/etc/postfix/special_clients

This is check_CLIENT_access, which rejects a CLIENT.

Post by Pedro David Marco
> Sender address rejected: Access denied;

That is blocked by check_SENDER_access, which rejects a SENDER.

Wietse
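
The distinction drawn in the reply above can be read straight off the log line. The following is an added example, not part of the original thread: it parses an smtpd reject line and maps the reply class ("Client host", "Sender address", ...) to the access check that tests that item. The function name and the second log line are constructed for illustration.

```python
import re

# Reply-class phrase in the smtpd log -> the access-map check that tests that item.
CLASS_TO_CHECK = {
    "Client host": "check_client_access",
    "Helo command": "check_helo_access",
    "Sender address": "check_sender_access",
    "Recipient address": "check_recipient_access",
}

REJECT_RE = re.compile(
    r"reject: (?P<stage>\S+) from (?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\]: "
    r"(?P<code>\d{3}) (?P<dsn>\d\.\d+\.\d+) <(?P<item>[^>]*)>: "
    r"(?P<reply_class>[A-Z][a-z]+ [a-z]+) rejected: (?P<reason>[^;]*);"
)

# Log line from the original post (masking as posted, trailing fields shortened).
POSTED = (
    "2016 Jul 23 04:11:05 host1 postfix/smtpd[10484]: NOQUEUE: reject: RCPT from "
    "mail108.us4.mcsv.net[205.201.128.108]: 554 5.7.1 "
    "<bounce-mc.us11_44614205.940081-mpar=***@mail108.us4.mcsv.net>: "
    "Sender address rejected: Access denied; from=<...> to=<...> proto=ESMTP"
)

# Constructed line: what a hit on the special_clients entry would be expected to log.
EXPECTED = (
    "2016 Jul 23 04:11:05 host1 postfix/smtpd[10484]: NOQUEUE: reject: RCPT from "
    "mail108.us4.mcsv.net[205.201.128.108]: 554 5.7.1 "
    "<mail108.us4.mcsv.net[205.201.128.108]>: "
    "Client host rejected: You are blacklisted; from=<...> to=<...> proto=ESMTP"
)

def classify_reject(line):
    """Return the fields of a reject line plus the check family it points to."""
    m = REJECT_RE.search(line)
    if m is None:
        return None
    info = m.groupdict()
    info["check"] = CLASS_TO_CHECK.get(info["reply_class"], "unknown")
    # "Access denied" is the text logged when the REJECT carries no optional text.
    info["default_text"] = info["reason"].strip() == "Access denied"
    return info

if __name__ == "__main__":
    for line in (POSTED, EXPECTED):
        r = classify_reject(line)
        print(r["ip"], r["check"], repr(r["reason"]), r["default_text"])
```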
Pedro David Marco
2016-07-26 11:52:02 UTC
Thanks Wietse...

yes, I have a check_sender_access - after - the check_client_access, but I must be doing something wrong because the reject should have been done by the check_client_access:
                check_client_access hash:/etc/postfix/special_clients
                check_sender_access regexp:/etc/postfix/special_senders
Postfix does not complain at all about the file format but... Wietse, is the syntax correct? (for special_clients file)
205.201.128.108    REJECT You are blacklisted
I have also tried...

205.201.128.0/24     REJECT You are blacklisted
How do I reject from that IP with that text???

Thanks!
Pedreter.

Bill Cole
2016-07-26 13:00:25 UTC
Post by Pedro David Marco
> Thanks Wietse...
> yes, I have a check_sender_access - after - the check_client_access,
> but I must be doing something wrong because the reject should have been
>                 check_client_access hash:/etc/postfix/special_clients
>                 check_sender_access regexp:/etc/postfix/special_senders

Since those directives must be in one or more smtpd restriction lists,
which are run in a strict order, just knowing that you have them somewhere
in that order isn't enough information. This is why the subscription
message for this list includes the same instructions as the last section
of Postfix's DEBUG_README: provide the output of 'postconf -n' not just
fragments of main.cf.

Post by Pedro David Marco
> Postfix does not complain at all about files format but... Wietse, is
> the syntax correct? (for special_clients file)
> 205.201.128.108    REJECT You are blacklisted

That should work. Did you run 'postmap
hash:/etc/postfix/special_clients' after adding that line? Maps in
'hash' format must be converted from text to binary format using postmap
for Postfix to use them.

Post by Pedro David Marco
> I have also tried...
> 205.201.128.0/24     REJECT You are blacklisted

That would be suitable in a 'cidr' table but in a 'hash' table it would
not work. To get the same effect in 'hash' format, you could use this:

205.201.128     REJECT You are blacklisted

Post by Pedro David Marco
> how do I reject from that IP with that text???

Correct your configuration :)

What *exactly* is wrong with your configuration is not obvious without
more information. My *guesses* about the most likely causes for your
problem are:

1. You need to postmap your special_clients file to create the binary
form.
2. Your check_client_access and check_sender_access directives are in
different restriction lists such that check_sender_access is being hit
first, despite being later in main.cf.
3. There's some other more complex problem which is entirely invisible
to us because we don't know enough about your configuration yet.
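
The hash-versus-cidr point in the reply above, as an added example that is not part of the original thread. It models only the IPv4 address part of a client lookup: an indexed (hash) table is queried with the full address and then with trailing octets removed, while a cidr table is scanned in file order for a containing network. Function names are made up for this sketch; the table lines are the ones quoted in the thread.

```python
import ipaddress

def parse_table(text):
    """Return (key, action) pairs from access-table source text, in file order."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, action = line.split(None, 1)
            rows.append((key, action))
    return rows

def hash_lookup_keys(client_ip):
    """Exact-string keys tried for an IPv4 client: a.b.c.d, a.b.c, a.b, a."""
    octets = client_ip.split(".")
    return [".".join(octets[:n]) for n in range(len(octets), 0, -1)]

def hash_match(text, client_ip):
    """Indexed table: plain string lookups, so a key like '205.201.128.0/24' is never queried."""
    table = dict(parse_table(text))
    for key in hash_lookup_keys(client_ip):
        if key in table:
            return table[key]
    return None

def cidr_match(text, client_ip):
    """cidr table: first entry, in file order, whose network contains the client."""
    addr = ipaddress.ip_address(client_ip)
    for key, action in parse_table(text):
        try:
            net = ipaddress.ip_network(key, strict=False)
        except ValueError:
            continue  # this sketch skips keys that are not valid networks
        if addr in net:
            return action
    return None

CLIENT = "205.201.128.108"
SLASH_24 = "205.201.128.0/24     REJECT You are blacklisted"
PREFIX = "205.201.128     REJECT You are blacklisted"

if __name__ == "__main__":
    print("keys tried in a hash table:", hash_lookup_keys(CLIENT))
    print("hash, /24 entry    :", hash_match(SLASH_24, CLIENT))
    print("hash, prefix entry :", hash_match(PREFIX, CLIENT))
    print("cidr, /24 entry    :", cidr_match(SLASH_24, CLIENT))
```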
Pedro David Marco
2016-07-26 13:24:27 UTC
Thanks Bill...
this is my restrictions config:


Bill Cole
2016-07-26 13:28:51 UTC
Post by Pedro David Marco
> Thanks Bill...
> Sent: Tuesday, July 26, 2016 3:00 PM
> Subject: Re: REJECT and "optional text" question...
[remainder of quoted text removed]

I think something went wrong with your copy/paste, since there's no
restrictions config to be found in that message.
Pedro David Marco
2016-07-26 13:33:53 UTC
Thanks Bill...
these are my restrictions...

smtpd_restriction_classes =
                clase_spamtrap-spam

clase_spamtrap-spam =
                check_client_access regexp:/etc/postfix/spamtrap-spam,
                permit

smtpd_sender_restrictions =
                permit_mynetworks,
                check_sender_access hash:/etc/postfix/wl_senders,
                check_sender_access hash:/etc/postfix/wl_recipients,
                check_client_access hash:/etc/postfix/bl_clients,
                check_client_access hash:/etc/postfix/special_clients,
                reject_unknown_reverse_client_hostname,
                reject_unknown_sender_domain,
                check_sender_access regexp:/etc/postfix/special_senders,
               
smtpd_recipient_restrictions =
                permit_mynetworks,
                reject_unauth_destination,
                reject_unknown_recipient_domain,
                reject_unauth_pipelining,
               

My understanding is that the order is ok...

and yes, I use postmap for files that need it...
Thanks!
Pedreter.

Pedro David Marco
2016-07-26 13:34:42 UTC
Sorry, my fault...

bastian+postfix-users= (Bastian Blank)
2016-07-26 18:33:32 UTC
Post by Pedro David Marco
> Thanks Bill...
> these are my restrictions...

You have been asked to provide the output of "postconf -n", not random
snippets. Also please learn how to quote.

Bastian
--
The joys of love made her human and the agonies of love destroyed her.
-- Spock, "Requiem for Methuselah", stardate 5842.8
/dev/rob0
2016-07-27 00:22:02 UTC
Post by bastian+postfix-users= (Bastian Blank)
> Post by Pedro David Marco
> > Thanks Bill...
> > these are my restrictions...
> You have been asked to provide the output of "postconf -n", not
> random snippets. Also please learn how to quote.

Quite right. With complete information as DEBUG_README.html#mail
recommends, this would have been cleared up by now.

But I'm going to shift the focus a bit. Here was the log from the
Post by bastian+postfix-users= (Bastian Blank)
> RCPT from mail108.us4.mcsv.net[205.201.128.108]: 554 5.7.1
> Sender address rejected: Access denied;
> to=<mpar=iblhelper.net> proto=ESMTP helo=<mail108.us4.mcsv.net>

That's Mailchimp, not just some random spammer. No, I'm not a chimp
fanboy nor an apologist for ESPs, but this is one ESP which does take
complaints seriously.

Have you [Pedreter] tried complaining to them? If the sender is
truly spamming you without a valid signup, Mailchimp are likely to
terminate the account.
--
http://rob0.nodns4.us/
Offlist GMX mail is seen only if "/dev/rob0" is in the Subject: