From: Jon (jon_k iotk.net)
Date: Tue Jun 23 2009 - 16:35:00 CDT
Sahil Tandon wrote:
>
> Show all 'postconf -n' instead of snippets for more thorough debugging.
>
Sorry, figured the shorthand would give enough detail without being too
wordy. Here's the rest:
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
config_directory = /etc/postfix
disable_vrfy_command = yes
inet_interfaces = all
mailbox_size_limit = 0
mydestination = smtp1.myDomainOne myDomainOne myDomainTwo
myhostname = smtp1.myDomainOne
mynetworks = 127.0.0.0/8 x.x.x.x x.x.x.x x.x.x.x
myorigin = /etc/mailname
readme_directory = no
recipient_delimiter = +
relay_domains = myDomainOne, myDomainTwo
relay_recipient_maps = hash:/etc/postfix/exchange_recipients
relayhost =
show_user_unknown_table_name = no
smtpd_banner = $myhostname Microsoft ESMTP MAIL Service, Version: 6.0.3790.1830 ready
smtpd_client_restrictions =
    check_client_access hash:/etc/postfix/access_hash,
    check_client_access regexp:/etc/postfix/access_regexp,
    reject_unknown_reverse_client_hostname,
    reject_unknown_client_hostname
smtpd_delay_reject = yes
smtpd_helo_required = yes
smtpd_helo_restrictions =
    check_helo_access hash:/etc/postfix/access_hash,
    reject_non_fqdn_helo_hostname,
    reject_invalid_helo_hostname
smtpd_sender_restrictions =
    check_sender_access hash:/etc/postfix/access_hash,
    reject_unknown_sender_domain
transport_maps = hash:/etc/postfix/transport
unknown_client_reject_code = 550
unknown_hostname_reject_code = 550
>> smtp1:/etc/postfix# cat access_hash
>> .it REJECT 554 Access denied
>>
>> smtp1:/etc/postfix# cat access_regexp
>> /gaoland\.net/
>>
>>
>> My questions:
>> 1) Are two check_client_access statements as I have in
>> smtp_client_restrictions legal?
>
> Yes.
>
>> and
>>
>> 2) If yes to 1, assuming I've grepped the mail.log correctly, should
>> this have gotten past the .it block in the access_hash check? If not,
>> what might be changed to block .it?
>
> You're trying to block an entire TLD. See the access(5) manual,
> especially the section on lookups from indexed files. You might want to
> try "it" as a lookup key instead of ".it", given the likely inclusion of
> smtpd_access_maps in your configuration's parent_domain_matches_subdomains.
>
OK, read http://www.postfix.org/access.5.html
Am I correct in interpreting this to mean I need to put the desired
".tld" in, for example, my "access_regexp" as a regular expression
because ".tld" is too short and won't match via an "access_hash" whereas
".domain.tld" being longer, would?
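
Added example, not part of the original message: a small Python model of the access(5) search order for a client hostname in an indexed (hash:) table, showing which of the keys ".it" and "it" is actually tried depending on whether smtpd_access_maps is listed in parent_domain_matches_subdomains (it is in the default value). The function names and the client name mail.example.it are constructed for illustration; this is a sketch of the documented lookup order, not Postfix code.

```python
# Model of the access(5) search order for a client hostname in an indexed
# (hash:) table. A simplified sketch, not Postfix source code.

def hostname_lookup_keys(hostname, parent_style=True):
    """Return the keys tried, in order, for one client hostname.

    parent_style=True models smtpd_access_maps being listed in
    parent_domain_matches_subdomains (parents are tried as "domain.tld");
    False models it being absent (parents are tried as ".domain.tld").
    """
    name = hostname.lower()
    keys = [name]                      # the full name is always tried first
    labels = name.split(".")
    for i in range(1, len(labels)):    # then each parent, down to the TLD
        parent = ".".join(labels[i:])
        keys.append(parent if parent_style else "." + parent)
    return keys


def check_client_access(table, hostname, parent_style=True):
    """Return (matched_key, action) for the first hit, or (None, "DUNNO")."""
    for key in hostname_lookup_keys(hostname, parent_style):
        if key in table:
            return key, table[key]
    # No key matched: the restriction falls through to the next one.
    return None, "DUNNO"


# Constructed sample data: the table entry from the thread, the suggested
# alternative key, and a made-up client hostname.
DOTTED = {".it": "REJECT 554 Access denied"}
BARE = {"it": "REJECT 554 Access denied"}
CLIENT = "mail.example.it"

if __name__ == "__main__":
    for label, table in (("key '.it'", DOTTED), ("key 'it'", BARE)):
        for style in (True, False):
            print(label, "parent_style=%s" % style,
                  check_client_access(table, CLIENT, style))
```

The lookup is made on the client hostname Postfix resolved for the connection; a client whose name comes back as "unknown" can only be matched by address.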