From: Wietse Venema (wietse@porcupine.org)
Date: Tue Feb 12 2008 - 07:14:55 CST
Cedric Knight, GreenNet:
> Noel Jones <njones@megan.vbhcs.org> wrote:
> > Cedric Knight, GreenNet wrote:
> [...]
> > > Is there some way to look up the "reverse_name" in a table, instead
> > > of limiting it to verified hostnames?
> >
> > Postfix doesn't have a "check_reverse_client_access" lookup
> > because unverified hostnames can't be used safely for
> > whitelisting.
> >
> > You can use (or write) a policy server that rejects clients
> > based on the reverse hostname. I believe "policyd" has this
> > ability, along with many others.
> > http://www.postfix.org/SMTPD_POLICY_README.html
> > http://www.postfix.org/addon.html#policy
> > http://policyd.sourceforge.net/
> >
> > Or you can patch the source code to add a new lookup type;
> > this particular mod looks fairly easy.
>
> Thanks. That makes my options clear. In fact, one of the purposes of
> doing this was preventing some connections getting as far as the
> policy stage (in this case gps greylisting) and avoiding relatively
> CPU-intensive database lookups. Maybe I'll request it as a feature,
> but in the meantime I may have to break the banned hostnames down into
> IP/24 blocks.
Someone might want to try cloning 5 lines in src/smtpd/smtpd_check.c:
    } else if (is_map_command(state, name, CHECK_CLIENT_ACL, &cpp)) {
        status = check_namadr_access(state, *cpp, state->name, state->addr,
                                     FULL, &found, state->namaddr,
                                     SMTPD_NAME_CLIENT, def_acl);
With suitable replacements for state->name, CHECK_CLIENT_ACL, and
SMTPD_NAME_CLIENT. Perhaps they could also do a similar cloning
operation in proto/postconf.5.html and proto/SMTPD_ACCESS_README.
CHECK_CLIENT_ACL appears as part of a warning message; this would
need updating too.
[rationale: doing access map lookups on the reverse client name is
no worse than doing access map lookups on the HELO argument]
Wietse
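Noel's policy-server route, as an added example written for this page (not code from the thread, from Postfix or from policyd): a minimal Python policy daemon that reads the smtpd_access_policy request format from SMTPD_POLICY_README, looks up the unverified reverse_client_name attribute in a constructed access-style table with parent-domain matching, and answers REJECT or DUNNO, never OK. The table contents and the listening port 10031 are assumptions.

```python
import socketserver
# Constructed table standing in for a Postfix access map: reverse hostname or
# parent domain -> action. No OK entries: unverified names are reject-only.
REVERSE_NAME_ACCESS = {
    "dsl.example.net": "REJECT Dynamic address pool not accepted",
    "mail.example.org": "DUNNO",
}

def parse_policy_request(text):
    """Parse one smtpd_access_policy request: name=value lines up to a blank line."""
    attrs = {}
    for line in text.splitlines():
        if not line:
            break
        name, _, value = line.partition("=")
        attrs[name] = value
    return attrs

def lookup_reverse_name(name, table=REVERSE_NAME_ACCESS):
    """Try the full name, then each parent domain (Postfix's default access-map behaviour)."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        action = table.get(".".join(labels[i:]))
        if action is not None:
            return action
    return None

def policy_action(attrs):
    """'unknown' is what Postfix sends when the client has no PTR record."""
    reverse = attrs.get("reverse_client_name", "unknown")
    if reverse == "unknown":
        return "DUNNO"
    return lookup_reverse_name(reverse) or "DUNNO"

class PolicyHandler(socketserver.StreamRequestHandler):
    def handle(self):
        lines = []
        while True:
            raw = self.rfile.readline()
            if not raw:                       # smtpd closed the connection
                return
            line = raw.decode("ascii", "replace").rstrip("\r\n")
            if line:
                lines.append(line)
                continue
            action = policy_action(parse_policy_request("\n".join(lines)))
            self.wfile.write(f"action={action}\n\n".encode("ascii"))
            lines = []

if __name__ == "__main__":  # assumed port; check_policy_service inet:127.0.0.1:10031
    socketserver.TCPServer(("127.0.0.1", 10031), PolicyHandler).serve_forever()
```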