Re: A Question About "check_client_access"

From: Rich Shepard (rshepardappl-ecosys.com)
Date: Thu Oct 13 2005 - 19:42:37 CDT


On Wed, 12 Oct 2005, mouss wrote:

>> check_client_access hash:/etc/postfix/internal_network
>
> make sure this one doesn't allow the cited client.

   It doesn't. Here, at least, internal network is a non-public IP address in
the Class C block of 192.168. Internal network has only 192.168.55.

>> check_sender_access hash:/etc/postfix/not_our_domain_as_sender
> verify that this doesn't whitelist anyone

   No, that map has only:
appl-ecosys.com 554 Do not use my domain in your envelope sender.

>> check_recipient_access hash:/etc/postfix/roleaccount_exceptions
> I guess this doesn't whitelist your email address.

   No, it has only 'postmaster' and 'abuse'.

>> check_recipient_access hash:/etc/postfix/recipients
> nor this

   Nope. That checks users against /etc/passwd or /etc/shadow.

>> check_helo_access pcre:/etc/postfix/helo_checks
> check this twice or more. check it with helo=216.99.206.23.
> If I were you, I'd just reject naked IP helo's. and since you do
> reject_non_fqdn_hostname, I see no reason to accept naked IPs in helo.

   Well, I do get a positive response here:

[root@salmo /etc/postfix]# postmap -q 216.99.206.23 pcre:/etc/postfix/helo_checks
550 Don't use my IP address.

   If I correctly understand the application of helo_checks, this means that
the unknown IP address that tried to spoof my IP address would receive a
rejection with the above additional text. Is this correct?

>> check_sender_mx_access cidr:/etc/postfix/bogus_mx
> I guess this only returns REJECT (never OK)?

   Yes. All are return code 550.

>> check_sender_access hash:/etc/postfix/rhsbl_sender_exceptions
> make sure this doesn't allow the spammer.

   No, it doesn't have the domain name that's in the return-path line.

>> check_sender_access hash:/etc/postfix/common_spam_senderdomains
> I guess this only returns REJECT.

   This map file has four entries; the action for each is:
       reject_unverified_sender

>> smtpd_restriction_classes = has_our_domain_as_sender
> when is this called (which map from the above) and how it is defined?

    In Chapter 9 of the book smtpd_restriction_classes are called before
smtpd_recipient_restrictions. It is defined as:

smtpd_restriction_classes =
         has_our_domain_as_sender
has_our_domain_as_sender =
         check_sender_access hash:/etc/postfix/our_domain_as_sender
         reject

   As noted above, our_domain_as_sender == appl-ecosys.com.

   So, I suppose this remains a mystery and I just live with the fact that
sometimes a spam message makes it past the checks for no discernable reason.

Many thanks,

Rich
--
Dr. Richard B. Shepard, President, Applied Ecosystem Services, Inc. (TM)
Author of "Quantifying Environmental Impact Assessments Using Fuzzy Logic"
<http://www.appl-ecosys.com> Voice: 503-667-4517 Fax: 503-667-8863
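The helo_checks lookup and the order in which the access maps above are consulted, modelled as an added Python example (not code from the thread or from Postfix itself). The naked-IP pattern in helo_checks and the 192.168.55 entry in internal_network are assumptions, since the message shows the replies but not the table contents; the lookup rules (pcre first match, network-prefix and parent-domain fallback for hash: tables, first non-DUNNO result wins) follow Postfix's documented access-map behaviour.

```python
import re

# Constructed access tables modelled on the maps named in the thread. The
# naked-IP pattern and the 192.168.55 entry are assumptions; the reply
# texts are the ones quoted in the message.
HELO_CHECKS_PCRE = [
    (re.compile(r"^\[?\d{1,3}(?:\.\d{1,3}){3}\]?$"), "550 Don't use my IP address."),
]
INTERNAL_NETWORK = {"192.168.55": "OK"}
NOT_OUR_DOMAIN_AS_SENDER = {
    "appl-ecosys.com": "554 Do not use my domain in your envelope sender.",
}

def lookup_pcre(table, key):
    """pcre: tables return the reply of the first pattern that matches."""
    return next((act for pat, act in table if pat.search(key)), None)

def lookup_client(table, ip):
    """hash: client lookups try the full address, then shorter prefixes
    (1.2.3.4, 1.2.3, 1.2, 1), so 192.168.55 covers the whole /24."""
    octets = ip.split(".")
    keys = [".".join(octets[:n]) for n in range(len(octets), 0, -1)]
    return next((table[k] for k in keys if k in table), None)

def lookup_sender(table, address):
    """hash: sender lookups try the full address, then the domain and
    each parent domain (x@a.b.c, a.b.c, b.c)."""
    labels = address.rpartition("@")[2].split(".")
    keys = [address] + [".".join(labels[i:]) for i in range(len(labels) - 1)]
    return next((table[k] for k in keys if k in table), None)

def evaluate(client_ip, helo, sender):
    """Walk the restriction list in order: OK or a 5xx reply ends the
    evaluation; no match (DUNNO) falls through to the next restriction.
    Returns (restriction that decided, action)."""
    checks = [
        ("check_client_access", lookup_client(INTERNAL_NETWORK, client_ip)),
        ("check_helo_access", lookup_pcre(HELO_CHECKS_PCRE, helo)),
        ("check_sender_access", lookup_sender(NOT_OUR_DOMAIN_AS_SENDER, sender)),
    ]
    for name, action in checks:
        if action is not None:
            return name, action
    return "end_of_list", "DUNNO"

if __name__ == "__main__":
    # The case from the thread: a remote host that says HELO with a bare IP.
    print(evaluate("203.0.113.5", "216.99.206.23", "spammer@example.com"))
```

Note that a client matched by the internal_network OK entry is accepted before check_helo_access ever runs, which is why mouss asks first whether that map could admit the cited client.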