Re: ignoring client restrictions for smtps

From: Dan Langille (danlangille.org)
Date: Sun Sep 28 2008 - 15:26:46 CDT


On Sep 28, 2008, at 2:39 PM, Wietse Venema wrote:

> Dan Langille:
>> Today I discovered that my mail server is rejecting smtps connections
>> based upon RBL.
>>
>> Example:
>>
>> Sep 28 17:44:40 nyi postfix/smtpd[20073]: NOQUEUE: reject: CONNECT
>> from pool-151-197-20-211.phil.east.verizon.net[151.197.20.211]: 554
>> 5.7.1 Service unavailable; Client host [151.197.20.211] blocked using
>> dnsbl.njabl.org; 1045929907; proto=SMTP
>>
>> I'd rather not restrict smtps connection. Either they authenticate
>> or
>> they do not. That is enough for me.
>
> Assuming that other sanity checks still apply for smtps clients...
>
>> My smtps service is defined through this (slightly altered) master.cf
>> entry:
>>
>> 10.11.12.13:smtps inet n - n - - smtpd
>>     -o smtpd_sasl_auth_enable=yes
>>     -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject_unauth_destination
>>     -o smtpd_sasl_type=dovecot
>>     -o smtpd_sasl_path=private/auth
>>     -o smtpd_tls_security_level=encrypt
>>     -o smtpd_tls_wrappermode=yes
>>     -o smtpd_tls_cert_file=/usr/local/etc/postfix-config/CERTS/nyi.example.org.cert
>>     -o smtpd_tls_key_file=/usr/local/etc/postfix-config/CERTS/nyi.example.org.nopassword.key
>>
>> In main.cf, I find these references to njabl.org. I would prefer to
>> keep these smtp restrictions in place.
>
>> maps_rbl_domains = dnsbl.njabl.org
>>
>> smtpd_client_restrictions = sleep 1, reject_unauth_pipelining,
>>     hash:/usr/local/etc/postfix-config/main/access,
>>     reject_rbl_client dnsbl.njabl.org,
>>     permit_mynetworks
>
> Add to main.cf:
>
> smtps_client_restrictions = sleep 1, reject_unauth_pipelining
> hash:/usr/local/etc/postfix-config/main/access
>
> i.e. all but the ``reject_rbl_client dnsbl.njabl.org''.
>
> In master.cf, add to the smtps entry:
>
> -o smtpd_client_restrictions=$smtps_client_restrictions
>
> Ditto for smtpd_helo_restrictions and smtpd_sender_restrictions
> or anything that references dnsbl.njabl.org.
>
> This workaround is needed because there can't be spaces in master.cf
> -o options. You can use commas instead of spaces, but that just
> makes things uglier.

This works. Nice solution. Thank you. :)

--
Dan Langille
http://langille.org/
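The fix above works because a master.cf "-o" value is a single token that can point at a main.cf parameter, which in turn may contain spaces and continuation lines. The script below is an added example, not code from the thread or from the Postfix project: it parses a constructed main.cf and master.cf modelled on the configuration discussed (Wietse's smtps_client_restrictions parameter included), expands $parameter references the way postconf does, and reports the effective smtpd_client_restrictions of every smtpd service, so you can confirm that the port 25 listener still carries reject_rbl_client while the wrapper-mode smtps listener does not. Assumed syntax: main.cf "name = value" lines with whitespace-indented continuation lines and $name, ${name} or $(name) references; master.cf service lines with eight fixed fields followed by "-o name=value" overrides whose values use commas instead of spaces. Sample file contents and the service name are constructed for the example.

```python
"""Audit which Postfix smtpd services still apply an RBL client check.

Added example (not from the thread). Parses constructed main.cf and
master.cf text and reports each smtpd service's effective
smtpd_client_restrictions after $parameter expansion.
"""
import re

# Constructed sample configuration, modelled on the thread (not real files).
MAIN_CF = """\
maps_rbl_domains = dnsbl.njabl.org
smtpd_client_restrictions = sleep 1, reject_unauth_pipelining,
    hash:/usr/local/etc/postfix-config/main/access,
    reject_rbl_client dnsbl.njabl.org,
    permit_mynetworks
# Same list minus reject_rbl_client, for services that authenticate.
smtps_client_restrictions = sleep 1, reject_unauth_pipelining,
    hash:/usr/local/etc/postfix-config/main/access
"""

MASTER_CF = """\
# service type  private unpriv  chroot  wakeup  maxproc command + args
smtp      inet  n       -       n       -       -       smtpd
10.11.12.13:smtps inet n - n - - smtpd
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=$smtps_client_restrictions
  -o smtpd_tls_wrappermode=yes
"""

# $name, ${name} and $(name) parameter references.
_REF = re.compile(r"\$(?:\{(\w+)\}|\((\w+)\)|(\w+))")


def parse_main_cf(text):
    """Return {parameter: raw value}; indented lines continue the previous value."""
    params = {}
    name = None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace():
            if name is not None:
                params[name] += " " + line.strip()
            continue
        name, _, value = line.partition("=")
        name = name.strip()
        params[name] = value.strip()
    return params


def expand(value, params, depth=0):
    """Recursively expand parameter references against main.cf values."""
    if depth > 10:
        raise ValueError("parameter reference loop")

    def repl(m):
        ref = m.group(1) or m.group(2) or m.group(3)
        return expand(params.get(ref, ""), params, depth + 1)

    return _REF.sub(repl, value)


def parse_master_cf(text):
    """Return one dict per service entry: name, type, command, overrides."""
    services = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace():          # continuation: more command arguments
            if services:
                services[-1]["args"].extend(line.split())
            continue
        fields = line.split()
        if len(fields) < 8:
            raise ValueError("malformed master.cf line: %r" % line)
        services.append({"name": fields[0], "type": fields[1],
                         "command": fields[7], "args": fields[8:]})
    for svc in services:
        args = svc["args"]
        overrides = {}
        for i, tok in enumerate(args):
            if tok == "-o" and i + 1 < len(args):   # "-o name=value", one token
                key, _, val = args[i + 1].partition("=")
                overrides[key] = val
        svc["overrides"] = overrides
    return services


def restriction_tokens(value):
    """Split a restriction list; Postfix accepts commas or whitespace."""
    return value.replace(",", " ").split()


def effective_client_restrictions(main_cf, master_cf):
    """Map each smtpd service to its effective smtpd_client_restrictions tokens."""
    params = parse_main_cf(main_cf)
    result = {}
    for svc in parse_master_cf(master_cf):
        if svc["command"] != "smtpd":
            continue
        raw = svc["overrides"].get("smtpd_client_restrictions",
                                   params.get("smtpd_client_restrictions", ""))
        result[svc["name"]] = restriction_tokens(expand(raw, params))
    return result


def rbl_checked_services(main_cf, master_cf):
    """Names of smtpd services whose client restrictions include reject_rbl_client."""
    eff = effective_client_restrictions(main_cf, master_cf)
    return sorted(n for n, toks in eff.items() if "reject_rbl_client" in toks)


if __name__ == "__main__":
    for name, toks in effective_client_restrictions(MAIN_CF, MASTER_CF).items():
        print("%-20s rbl=%-5s %s" % (name, "reject_rbl_client" in toks, " ".join(toks)))
```

Run it against your own files by reading them into MAIN_CF and MASTER_CF; any smtpd service that appears in rbl_checked_services() but is meant for authenticated submission needs the same "-o smtpd_client_restrictions=$..." treatment, and the same check applies to the helo and sender restriction lists if they reference a DNSBL.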