Re: mynetworks=<empty> vs mynetworks=<default> (via mynetworks_style)

From: Alain Spineux (aspineux@gmail.com)
Date: Thu Nov 29 2007 - 16:30:10 CST


On Nov 29, 2007 9:44 PM, Wietse Venema <wietse@porcupine.org> wrote:
> Alain Spineux:
>
> > On Nov 29, 2007 8:09 PM, Wietse Venema <wietse@porcupine.org> wrote:
> > > Alain Spineux:
> > > > Hi
> > > >
> > > > I want to have mynetworks=<empty>
> > > > I mean no host taking advantage of the "mynetworks" advantage,
> > > > including 127.0.0.1 !
> > > >
> > > > If I set "mynetworks="
> > > > then Postfix uses the default from mynetworks_style!
> > >
> > > No it doesn't.
> >
> > How can I not trust you!
> > Then my problem is somewhere else,
> > and goes away if I set mynetworks to 0.0.0.0!
> >
> > I have
> >
> > smtpd_sender_restrictions =
> > permit_mynetworks,
> > # permit_sasl_authenticated,
> > # this policy verify sender=username and more
> > check_policy_service unix:private/egpolicy,
> > reject_non_fqdn_sender,
> > reject_unknown_sender_domain,
> > permit
> >
> > and
> >
> > 465 inet n - n - - smtpd
> > -o smtpd_tls_wrappermode=yes
> > -o smtpd_sasl_auth_enable=yes
> > -o mynetworks=0.0.0.0
> >
> > and force my webmail to login on port 465,
> > then my egpolicy is checked when sending email.
> >
> > If I set
> > -o mynetworks=
> > or remove this line (with mynetworks=127.0.0.0/8 in main.cf)
> > then my egpolicy is not checked
> >
>
> Does not happen here.
>
> With no mynetworks line in main.cf:
>
> % telnet bristle smtp
> Trying 9.2.16.248...
> Connected to bristle.example.com.
> Escape character is '^]'.
> 220 bristle.example.com ESMTP Postfix
> mail from:<wietse>
> 250 2.1.0 Ok
> rcpt to:<wietse@example.com>
> 250 2.1.5 Ok
> quit
> 221 2.0.0 Bye
> Connection closed by foreign host.
>
> With "-o mynetworks=" on the smtpd command line in master.cf:
>
> % telnet bristle smtp
> Trying 9.2.16.248...
> Connected to bristle.example.com.
> Escape character is '^]'.
> 220 bristle.example.com ESMTP Postfix
> mail from:<wietse>
> 250 2.1.0 Ok
> rcpt to:<wietse@example.com>
> 554 5.7.1 <wietse@example.com>: Relay access denied
> quit
> 221 2.0.0 Bye
> Connection closed by foreign host.
>
> This is with "smtpd_recipient_restrictions = permit_mynetworks,
> reject_unauth_destination".
>
> I suspect that your master.cf configuration is more complex
> than you're aware of.

No, I don't think so. Anyway, I wrote it below.

In your test you are not using 127.0.0.1 and not TLS!

I don't know if it matters:

My hostname is linked to 127.0.0.1 in /etc/hosts

# grep `hostname` /etc/hosts
127.0.0.1 eg01.emailgency.loc eg01 localhost.localdomain localhost lh

I run Kolab's Postfix 2.4.3-20070601

Thanks for your time.

Here is main.cf and further the postfix.log of both connections,
with and without mynetworks=0

# (c) 2004 Steffen Hansen <steffen@klaralvdalens-datakonsult.se> (Klaralvdalens Datakonsult AB)
# (c) 2003 Tassilo Erlewein <tassilo.erlewein@erfrakon.de>
# (c) 2003 Martin Konold <martin.konold@erfrakon.de>
# (c) 2003 Achim Frank <achim.frank@erfrakon.de>
# This program is Free Software under the GNU General Public License (>=v2).
# Read the file COPYING that comes with this package for details.

# this file is automatically written by the Kolab config backend
# manual additions are lost unless made to the template in the Kolab config directory

# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
smtp      inet  n       -       n       -       -       smtpd
#628      inet  n       -       n       -       -       qmqpd
pickup    fifo  n       -       n       60      1       pickup
cleanup   unix  n       -       n       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
tlsmgr    unix  -       -       n       1000?   1       tlsmgr
rewrite   unix  -       -       n       -       -       trivial-rewrite
bounce    unix  -       -       n       -       0       bounce
defer     unix  -       -       n       -       0       bounce
trace     unix  -       -       n       -       0       bounce
verify    unix  -       -       n       -       1       verify
discard   unix  -       -       n       -       0       discard
flush     unix  n       -       n       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
smtp      unix  -       -       n       -       -       smtp
relay     unix  -       -       n       -       -       smtp -o fallback_relay=
humble_rewrite unix - - n       -       -       trivial-rewrite -o transport_maps=
relay_rewrite  unix - - n       -       -       trivial-rewrite -o transport_maps=hash:/kolab/etc/postfix_front/transport
#relay    unix  -       -       n       -       -       smtp -o rewrite_service_name=relay_rewrite
showq     unix  n       -       n       -       -       showq
error     unix  -       -       n       -       -       error
local     unix  -       n       n       -       -       local
#virtual  unix  -       n       n       -       -       virtual
lmtp      unix  -       -       n       -       -       lmtp
anvil     unix  -       -       n       -       1       anvil
scache    unix  -       -       n       -       1       scache
#cyrus    unix  -       n       n       -       -       pipe user=cyrus argv=/kolab/bin/cyrdeliver -e -r ${sender} -m ${extension} ${user}
#uucp     unix  -       n       n       -       -       pipe flags=Fqhu user=uucp argv=/kolab/bin/uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#ifmail   unix  -       n       n       -       -       pipe flags=F user=ftn argv=/kolab/bin/ifmail -r $nexthop ($recipient)
#bsmtp    unix  -       n       n       -       -       pipe flags=Fq. user=foo argv=/kolab/bin/bsmtp -f $sender $nexthop $recipient
# ASX this is smtps port, I want to force authentication, including for webmail
# then mynetworks=0.0.0.0 , because mynetworks= means =default
465       inet  n       -       n       -       -       smtpd
        -o smtpd_tls_wrappermode=yes
        -o smtpd_sasl_auth_enable=yes
# -o mynetworks=0.0.0.0
post-cleanup unix n     -       n       -       0       cleanup -o virtual_maps=

kolabpolicy unix -      n       n       -       -       spawn
        user=kolab-n argv=/kolab/etc/kolab/kolab_smtpdpolicy

egpolicy  unix  -       n       n       -       -       spawn
        user=kolab-n argv=/kolab/lib/emailgency/egsmtpdpolicy.py -d -c /kolab/etc/emailgency

smtpdup   unix  -       -       n       -       10      smtp
        -o smtp_send_xforward_command=yes
        -o disable_mime_output_conversion=yes
        -o smtp_generic_maps=
        -o smtp_connection_cache_on_demand=no

#127.0.0.1:10035 inet n n n - - spawn user=nobody argv=/kolab/bin/python /s0/asx/src/emailgency/trunk/smtpdup.py

# normally only relayed domains will reach this port 10036
127.0.0.1:10036 inet n  -       n       -       10      smtpd
        -o content_filter=
        -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
        -o smtpd_helo_restrictions=
        -o smtpd_client_restrictions=
        -o smtpd_sender_restrictions=
        -o smtpd_recipient_restrictions=permit_mynetworks,reject
        -o mynetworks=127.0.0.0/8
        -o smtpd_authorized_xforward_hosts=127.0.0.0/8

============ without mynetworks=0.0.0.0

Nov 29 22:55:22 eg01.emailgency.loc <info> postfix_front/smtpd[18273]: connect from eg01.emailgency.loc[127.0.0.1]
Nov 29 22:55:22 eg01.emailgency.loc <info> postfix_front/smtpd[18273]: setting up TLS connection from eg01.emailgency.loc[127.0.0.1]
Nov 29 22:55:22 eg01.emailgency.loc <info> postfix_front/smtpd[18273]: TLS connection established from eg01.emailgency.loc[127.0.0.1]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Nov 29 22:55:22 eg01.emailgency.loc <info> postfix_front/smtpd[18273]: 8342B136854: client=eg01.emailgency.loc[127.0.0.1], sasl_method=PLAIN, sasl_username=alain.spineux@mydomain.loc
Nov 29 22:55:22 eg01.emailgency.loc <info> postfix_front/cleanup[18277]: 8342B136854: message-id=<45350.127.0.0.1.1196373322.squirrel@localhost>
Nov 29 22:55:22 eg01.emailgency.loc <info> postfix_front/qmgr[18270]: 8342B136854: from=<alain.spineux@mydomain.loc>, size=1145, nrcpt=1 (queue active)
Nov 29 22:55:22 eg01.emailgency.loc <info> postfix_front/smtpd[18273]: disconnect from eg01.emailgency.loc[127.0.0.1]
Nov 29 22:55:22 eg01.emailgency.loc <info> postfix_front/smtpd[18279]: connect from eg01.emailgency.loc[127.0.0.1]
Nov 29 22:55:22 eg01.emailgency.loc <info> postfix_front/smtpd[18279]: AD093136856: client=eg01.emailgency.loc[127.0.0.1]
Nov 29 22:55:23 eg01.emailgency.loc <info> postfix_front/cleanup[18277]: AD093136856: message-id=<45350.127.0.0.1.1196373322.squirrel@localhost>
Nov 29 22:55:23 eg01.emailgency.loc <info> postfix_front/smtp[18278]: 8342B136854: to=<alain.spineux@mydomain.loc>, relay=127.0.0.1[127.0.0.1]:10035, delay=0.57, delays=0.06/0.02/0.07/0.41, dsn=2.0.0, status=sent (250 Ok)
Nov 29 22:55:23 eg01.emailgency.loc <info> postfix_front/smtpd[18279]: disconnect from eg01.emailgency.loc[127.0.0.1]
Nov 29 22:55:23 eg01.emailgency.loc <info> postfix_front/qmgr[18270]: AD093136856: from=<alain.spineux@mydomain.loc>, size=1508, nrcpt=1 (queue active)
Nov 29 22:55:23 eg01.emailgency.loc <info> postfix_front/qmgr[18270]: 8342B136854: removed
Nov 29 22:55:33 eg01.emailgency.loc <info> postfix_front/smtp[18285]: AD093136856: to=<alain.spineux@mydomain.loc>, relay=fc6-pmx.asxnet.loc[192.168.23.17]:25, delay=11, delays=0.41/0.02/10/0.12, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as BB0DB93EEF)
Nov 29 22:55:33 eg01.emailgency.loc <info> postfix_front/qmgr[18270]: AD093136856: removed

============ with mynetworks=0.0.0.0

Nov 29 22:52:48 eg01.emailgency.loc <info> postfix_front/smtpd[17794]: connect from eg01.emailgency.loc[127.0.0.1]
Nov 29 22:52:48 eg01.emailgency.loc <info> postfix_front/smtpd[17794]: setting up TLS connection from eg01.emailgency.loc[127.0.0.1]
Nov 29 22:52:48 eg01.emailgency.loc <info> postfix_front/smtpd[17794]: TLS connection established from eg01.emailgency.loc[127.0.0.1]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Nov 29 22:52:48 eg01.emailgency.loc <info> postfix_front/smtpd[17794]: BBD53136855: client=eg01.emailgency.loc[127.0.0.1], sasl_method=PLAIN, sasl_username=alain.spineux@mydomain.loc
Nov 29 22:52:48 eg01.emailgency.loc <info> postfix_front/cleanup[17798]: BBD53136855: message-id=<45312.127.0.0.1.1196373168.squirrel@localhost>
Nov 29 22:52:48 eg01.emailgency.loc <info> postfix_front/qmgr[4688]: BBD53136855: from=<alain.spineux@mydomain.loc>, size=1029, nrcpt=1 (queue active)
Nov 29 22:52:48 eg01.emailgency.loc <info> postfix_front/smtpd[17794]: disconnect from eg01.emailgency.loc[127.0.0.1]
Nov 29 22:52:48 eg01.emailgency.loc <info> postfix_front/smtpd[17800]: connect from eg01.emailgency.loc[127.0.0.1]
Nov 29 22:52:48 eg01.emailgency.loc <info> postfix_front/smtpd[17800]: E4043136857: client=eg01.emailgency.loc[127.0.0.1]
Nov 29 22:52:49 eg01.emailgency.loc <info> postfix_front/cleanup[17798]: E4043136857: message-id=<45312.127.0.0.1.1196373168.squirrel@localhost>
Nov 29 22:52:49 eg01.emailgency.loc <info> postfix_front/qmgr[4688]: E4043136857: from=<alain.spineux@mydomain.loc>, size=1389, nrcpt=1 (queue active)
Nov 29 22:52:49 eg01.emailgency.loc <info> postfix_front/smtp[17799]: BBD53136855: to=<alain.spineux@gamma.loc>, relay=127.0.0.1[127.0.0.1]:10035, delay=0.64, delays=0.19/0.01/0.07/0.36, dsn=2.0.0, status=sent (250 Ok)
Nov 29 22:52:49 eg01.emailgency.loc <info> postfix_front/qmgr[4688]: BBD53136855: removed
Nov 29 22:52:49 eg01.emailgency.loc <info> postfix_front/smtpd[17800]: disconnect from eg01.emailgency.loc[127.0.0.1]
Nov 29 22:52:59 eg01.emailgency.loc <info> postfix_front/smtp[17806]: E4043136857: to=<alain.spineux@gamma.loc>, relay=pmx.emailgency.loc[192.168.23.17]:25, delay=11, delays=0.34/0.02/10/0.11, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as F2E0E93EEF)
Nov 29 22:52:59 eg01.emailgency.loc <info> postfix_front/qmgr[4688]: E4043136857: removed

29 Nov 2007 22:52:48 INFO egsmtpdpolicy [17797] --------- starting ---------
29 Nov 2007 22:52:48 DEBUG egsmtpdpolicy [17797] ok user alain.spineux@mydomain.loc allowed to send on behalf of alain.spineux@mydomain.loc.

--
Alain Spineux
aspineux gmail com
May the sources be with you
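The two rules this thread turns on, modelled in Python as an added example (this is not Postfix code, not Kolab's, and not the egpolicy daemon): Wietse's statement that a mynetworks which is set, even to the empty string, is used as is and only an unset mynetworks falls back to mynetworks_style; and the reason a webmail on 127.0.0.1 never reaches check_policy_service when mynetworks keeps its default, namely that permit_mynetworks comes first in smtpd_sender_restrictions and the loopback address is inside every mynetworks_style expansion, including "host". The interface addresses, the account names and the policy's accept/reject rule ("sender must equal the SASL login") are assumptions; the trace shows which restrictions smtpd would actually consult, so a skipped policy check is visible, not just the final verdict.

```python
import ipaddress

# Constructed stand-in for the interfaces Postfix would find on a host like eg01
# (loopback plus one LAN interface); the LAN address and netmask are assumptions.
INTERFACES = [("127.0.0.1", "255.0.0.0"), ("192.168.23.5", "255.255.255.0")]

# The list from the thread, without the reject_* tests that need DNS.
SENDER_RESTRICTIONS = ["permit_mynetworks",
                       "check_policy_service unix:private/egpolicy",
                       "permit"]


def mynetworks_from_style(style):
    """What mynetworks_style expands to when 'mynetworks' is not set at all.
    host: each interface address as a single host (so 127.0.0.1 is still in);
    subnet: each directly attached subnet (the Postfix 2.4 default)."""
    nets = []
    for addr, mask in INTERFACES:
        if style == "host":
            nets.append(ipaddress.ip_network(f"{addr}/32"))
        elif style == "subnet":
            nets.append(ipaddress.ip_network(f"{addr}/{mask}", strict=False))
        else:
            raise ValueError(f"mynetworks_style {style!r} not modelled")
    return nets


def parse_mynetworks(value):
    """Explicit value: whitespace/comma separated CIDR blocks or bare addresses.
    A bare address is one host, so 0.0.0.0 is 0.0.0.0/32 and matches no real
    client; an empty value yields an empty list, which matches nobody."""
    return [ipaddress.ip_network(tok, strict=False)
            for tok in value.replace(",", " ").split()]


def effective_mynetworks(cfg):
    """Wietse's rule: a mynetworks that is set, even to "", is used as is;
    only an unset mynetworks falls back to mynetworks_style."""
    if "mynetworks" in cfg:
        return parse_mynetworks(cfg["mynetworks"])
    return mynetworks_from_style(cfg.get("mynetworks_style", "subnet"))


def sender_policy(attrs):
    """Assumed stand-in for egpolicy ("verify sender=username"); the real
    daemon's rule is not on the page. DUNNO lets later restrictions run."""
    if attrs["sender"].lower() == attrs.get("sasl_username", "").lower():
        return "DUNNO"
    return "REJECT sender does not match SASL login"


def evaluate(restrictions, cfg, attrs, trace):
    """Walk a restriction list like smtpd: the first PERMIT or REJECT wins,
    DUNNO moves on, running off the end is an implicit permit. Restrictions
    not modelled here count as DUNNO. 'trace' records what was consulted."""
    client = ipaddress.ip_address(attrs["client_address"])
    nets = effective_mynetworks(cfg)
    for r in restrictions:
        trace.append(r)
        if r == "permit_mynetworks" and any(client in n for n in nets):
            return "PERMIT"
        if r == "permit_sasl_authenticated" and attrs.get("sasl_username"):
            return "PERMIT"
        if r.startswith("check_policy_service"):
            action = sender_policy(attrs)
            if action.startswith("REJECT"):
                return "REJECT"
            if action == "OK":
                return "PERMIT"
        if r == "permit":
            return "PERMIT"
        if r == "reject":
            return "REJECT"
    return "PERMIT"


def run_scenarios():
    """Webmail on the same host, logged in over 465, sending as itself.
    Returns {setting: (verdict, policy_consulted)} per mynetworks setting."""
    attrs = {"client_address": "127.0.0.1",
             "sasl_username": "alain@example.test",    # assumed account
             "sender": "alain@example.test"}
    settings = {"unset": {},                           # mynetworks_style=subnet
                "style=host": {"mynetworks_style": "host"},
                "empty": {"mynetworks": ""},           # -o mynetworks=
                "0.0.0.0": {"mynetworks": "0.0.0.0"}}  # -o mynetworks=0.0.0.0
    results = {}
    for name, cfg in settings.items():
        trace = []
        verdict = evaluate(SENDER_RESTRICTIONS, cfg, attrs, trace)
        results[name] = (verdict, any(r.startswith("check_policy") for r in trace))
    return results


def spoof_attempt(cfg, restrictions=SENDER_RESTRICTIONS):
    """Same client and login, but MAIL FROM claims somebody else."""
    attrs = {"client_address": "127.0.0.1",
             "sasl_username": "alain@example.test",
             "sender": "ceo@example.test"}
    return evaluate(restrictions, cfg, attrs, [])


if __name__ == "__main__":
    for name, (verdict, consulted) in run_scenarios().items():
        print(f"{name:10s} verdict={verdict} policy_consulted={consulted}")
    print("spoof, mynetworks unset / empty:", spoof_attempt({}), spoof_attempt({"mynetworks": ""}))
```

The "unset" and "style=host" rows come out PERMIT with the policy never consulted, which is the shape of the log above without the -o line (no egsmtpdpolicy entry at all); "empty" and "0.0.0.0" both reach the policy, which is why 0.0.0.0 works as a never-matching sentinel but buys nothing over an empty value. spoof_attempt shows the actual exposure: with mynetworks at its default, a webmail session on 127.0.0.1 can put any sender in MAIL FROM, and putting permit_sasl_authenticated ahead of check_policy_service (the commented line in the posted restrictions) would reopen that hole even with mynetworks empty. On a live Postfix 2.4 box, `postconf mynetworks mynetworks_style` prints only main.cf values, not master.cf -o overrides, so check the master.cf the running instance actually reads (the header of the posted file says the Kolab backend regenerates it from a template), then drive port 465 by hand with `openssl s_client -connect eg01:465 -crlf`, sending AUTH PLAIN and MAIL FROM, and look for the egsmtpdpolicy "starting" line in the log.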