DevHeads.net

exclude specific external IP from postfix blacklists

I have a problem with a specific IP, 91.218.208.22. People from the network behind
this address can't connect to the mail server because, as I found out, this
IP address is listed. Not exactly this specific address, but the whole class C.
I saw that Postfix uses blacklists in its own configuration, but I would like to
exclude only this one IP.

Comments

Re: exclude specific external IP from postfix blacklists

By Wietse Venema at 06/11/2018 - 06:53

Poliman - Serwis:
There are many ways to do this. Here is one:

...
reject_unauth_destination
check_client_access inline:{91.218.208.22=ok, 1.2.3.4=OK}
reject_rbl_client foo.bar.org
...

Wietse

Re: exclude specific external IP from postfix blacklists

By Poliman - Serwis at 06/11/2018 - 09:17

@Matus
Listed on lists related to Postfix; from my main.cf:
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated,
  reject_unauth_destination, reject_rbl_client zen.spamhaus.org,
  check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf,
  check_recipient_access mysql:/etc/postfix/mysql-virtual_policy_greylist.cf

@Wietse
Currently I have in main.cf:
smtpd_client_restrictions = check_client_access mysql:/etc/postfix/mysql-virtual_client.cf

Should this line be modified as:
smtpd_client_restrictions = check_client_access inline:{91.218.208.22=ok }
  mysql:/etc/postfix/mysql-virtual_client.cf
OR
smtpd_client_restrictions = check_client_access mysql:/etc/postfix/mysql-virtual_client.cf,
  inline:{91.218.208.22=ok }

Btw I am curious - is it possible to turn off ip verification only for
clients?

2018-06-11 12:53 GMT+02:00 Wietse Venema < ... at porcupine dot org>:

Re: exclude specific external IP from postfix blacklists

By Matus UHLAR - f... at 06/11/2018 - 10:24

On 11.06.18 15:17, Poliman - Serwis wrote:
- I recommend putting reject_rbl_client zen.spamhaus.org at the end of the rules

- put a check_client_access in front of reject_rbl_client, one that will allow
IP 91.218.208.22

it's not possible to use two parameters for check_client_access
- there must be two different check_client_access rules.

But it won't help you in smtpd_client_restrictions, since the client is
rejected later in smtpd_recipient_restrictions

for what clients? for your customers?
and which kind of IP verification?

Re: exclude specific external IP from postfix blacklists

By Poliman - Serwis at 06/12/2018 - 01:32

Thank you for the answer. If there must be two different
check_client_access rules in main.cf, should I do:
smtpd_client_restrictions = check_client_access mysql:/etc/postfix/mysql-virtual_client.cf
smtpd_client_restrictions = check_client_access inline:{91.218.208.22=ok}
or maybe
smtpd_client_restrictions = check_client_access mysql:/etc/postfix/mysql-virtual_client.cf,
  check_client_access inline:{91.218.208.22=ok}

Am I right?

Hmm, if the above won't help, how do I configure smtpd_recipient_restrictions to
unblock this specific IP 91.218.208.22?

2018-06-11 16:24 GMT+02:00 Matus UHLAR - fantomas < ... at fantomas dot sk>:

Re: exclude specific external IP from postfix blacklists

By Matus UHLAR - f... at 06/12/2018 - 02:54

On 12.06.18 07:32, Poliman - Serwis wrote:
Neither one. As I said before:

"But it won't help you in smtpd_client_restrictions, since the client is
rejected later in smtpd_recipient_restrictions"

That means, you don't have to play with smtpd_client_restrictions.

If you want to configure smtpd_recipient_restrictions to (un)block an IP, you
must put a proper "check_client_access" into smtpd_recipient_restrictions,
in front of the rule that blocks that IP.

I'll keep the rest below undeleted because it still applies.

I'll just add that I prefer using hash or cidr tables for these cases instead
of inline access lists - it's easier to add whitelisted IPs to those tables.

Re: exclude specific external IP from postfix blacklists

By Poliman - Serwis at 06/12/2018 - 03:10

Thank you for the answer. I have in main.cf:
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated,
  reject_unauth_destination, reject_rbl_client zen.spamhaus.org,
  check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf,
  check_recipient_access mysql:/etc/postfix/mysql-virtual_policy_greylist.cf

so, if I understood well, I have to modify the above like below:
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated,
  check_client_access inline:{91.218.208.22=ok},
  reject_unauth_destination, reject_rbl_client zen.spamhaus.org,
  check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf,
  check_recipient_access mysql:/etc/postfix/mysql-virtual_policy_greylist.cf

am I right?

Currently I am not an advanced Postfix user, so I am afraid I wouldn't
configure the cidr tables properly.

2018-06-12 8:54 GMT+02:00 Matus UHLAR - fantomas < ... at fantomas dot sk>:

Re: exclude specific external IP from postfix blacklists

By Matus UHLAR - f... at 06/13/2018 - 06:01

On 12.06.18 09:10, Poliman - Serwis wrote:
yes, this should do what you want.
I'll just repeat:

- I'd use hash instead of inline

- I'd move reject_rbl_client zen.spamhaus.org to the end, and the newly
added check_client_access just in front of it,
so the rules in /etc/postfix/mysql-virtual_recipient.cf and
/etc/postfix/mysql-virtual_policy_greylist.cf
will be evaluated before zen.spamhaus.org is used, and they will be
evaluated even for client 91.218.208.22, which may be desired.

- you may want to evaluate those mysql rules even for sasl authenticated
clients and clients from $mynetworks

Re: exclude specific external IP from postfix blacklists

By Poliman - Serwis at 06/13/2018 - 07:31

Thank you, I will check it. Yesterday night I did:
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated,
  check_client_access inline:{91.218.208.22=ok},
  reject_unauth_destination, reject_rbl_client zen.spamhaus.org,
  check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf,
  check_recipient_access mysql:/etc/postfix/mysql-virtual_policy_greylist.cf

and it worked as I wanted. Of course, thanks to your advice.

2018-06-13 12:01 GMT+02:00 Matus UHLAR - fantomas < ... at fantomas dot sk>:

Re: exclude specific external IP from postfix blacklists

By Wietse Venema at 06/13/2018 - 10:41

Poliman - Serwis:
As in my original reply:

You MUST have the check_client_access inline:{91.218.208.22=ok} AFTER
the reject_unauth_destination, otherwise they can relay mail through
your server to arbitrary destinations.

Wietse
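As an added illustration of why Wietse insists on this order (my own simulation, not code from the thread or from Postfix), here is a small model of how Postfix walks smtpd_recipient_restrictions, run over the two orders discussed above. The networks, the local domain and the RBL result are constructed sample values, and the mysql check_recipient_access lookups are left out.

```python
import ipaddress

# Constructed sample data (not the thread poster's real server):
MYNETWORKS = [ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("10.0.0.0/8")]
LOCAL_DOMAINS = {"example.com"}                       # domains this server accepts mail for
RBL_LISTED = ipaddress.ip_network("91.218.208.0/24")  # stands in for the zen.spamhaus.org hit on the whole /24
ACCESS_TABLE = {ipaddress.ip_address("91.218.208.22"): "OK"}  # the check_client_access lookup


def evaluate(restrictions, client_ip, rcpt_domain, sasl=False):
    # Postfix semantics: first restriction returning OK or REJECT decides,
    # DUNNO moves on to the next one, running off the end permits.
    # Returns (verdict, name_of_deciding_restriction).
    ip = ipaddress.ip_address(client_ip)
    for rule in restrictions:
        name = rule.split()[0]  # drop the table / RBL argument
        if name == "permit_mynetworks" and any(ip in net for net in MYNETWORKS):
            return "OK", name
        if name == "permit_sasl_authenticated" and sasl:
            return "OK", name
        if name == "check_client_access" and ACCESS_TABLE.get(ip) in ("OK", "REJECT"):
            return ACCESS_TABLE[ip], name
        if name == "reject_unauth_destination" and rcpt_domain not in LOCAL_DOMAINS:
            return "REJECT", name
        if name == "reject_rbl_client" and ip in RBL_LISTED:
            return "REJECT", name
    return "OK", "end-of-list"


# Order Poliman posted on 06/13: the exemption sits before the relay check.
EXEMPT_BEFORE_RELAY_CHECK = [
    "permit_mynetworks", "permit_sasl_authenticated",
    "check_client_access inline:{91.218.208.22=ok}",
    "reject_unauth_destination", "reject_rbl_client zen.spamhaus.org",
]
# Order Wietse requires: reject_unauth_destination first, then the exemption.
EXEMPT_AFTER_RELAY_CHECK = [
    "permit_mynetworks", "permit_sasl_authenticated", "reject_unauth_destination",
    "check_client_access inline:{91.218.208.22=ok}", "reject_rbl_client zen.spamhaus.org",
]


def relay_attempt(restrictions, client_ip="91.218.208.22"):
    # Client tries to send to a domain this server is NOT responsible for.
    return evaluate(restrictions, client_ip, "relay-victim.example.net")


def inbound_delivery(restrictions, client_ip="91.218.208.22"):
    # Client sends to a local domain: the legitimate case the thread wants to allow.
    return evaluate(restrictions, client_ip, "example.com")
```

With the exemption before reject_unauth_destination the whitelisted client is permitted to relay anywhere; with it after, relaying is refused while inbound mail from 91.218.208.22 still bypasses the RBL and the rest of the /24 stays blocked.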

Re: exclude specific external IP from postfix blacklists

By Poliman - Serwis at 06/14/2018 - 07:38

Thank you. I fixed this. I didn't notice that you had already given the
order which must be used in your earlier reply.

2018-06-13 16:41 GMT+02:00 Wietse Venema < ... at porcupine dot org>:

Re: exclude specific external IP from postfix blacklists

By Matus UHLAR - f... at 06/11/2018 - 06:52

On 11.06.18 11:31, Poliman - Serwis wrote:
listed where?

find the rule blocking 91.218.208.22 and insert another one allowing this IP
in front of the rule.