Postfix whitelist problem


Thilo B

New Member
Hello everyone,

First of all: I have searched the forum and found nothing that helped me, hence my question, which sounds strange at first:

How do I put another server on a whitelist?

I have successfully put one server on a whitelist, and now another one is supposed to be added. But my changes have no effect. Here is what I did:
Entered the whitelist in main.cf:
Code:
smtpd_recipient_restrictions =
	...
	check_client_access hash:/etc/postfix/smtpd_client_access
	...
Which looks like this:
Code:
12.34.56.78 OK
87.65.43.21 OK
Then the usual commands:
Code:
postmap /etc/postfix/smtpd_client_access
/etc/init.d/postfix reload
12.34.56.78 is and was let through. But not 87.65.43.21.
The mail.log still shows:
Code:
Dec 14 15:53:32 meinserver postfix/smtpd[8437]: connect from dem.externen-server.host[87.65.43.21]
Dec 14 15:53:32 meinserver postfix/smtpd[8437]: NOQUEUE: reject: RCPT from dem.externen.host[87.65.43.21]: 450 4.7.1 <bla.domain.intern>: Helo command rejected: Host not found; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<bla.domain.intern>
Dec 14 15:53:32 meinserver postfix/smtpd[8437]: disconnect from dem.externen-server.host[87.65.43.21]
I know that I really shouldn't have to care that others don't get their HELO names and (reverse) DNS right, but this should still work, shouldn't it?

Thanks in advance!
Thilo
 
The order of the directives in smtpd_recipient_restrictions is decisive. You have probably simply put your whitelist too far down.
 
Hi,

apparently your restrictions check the HELO first, and the whitelisting only comes afterwards. Please post your complete recipient_restrictions.

Regards
Basti
 
It looks like this:
Code:
smtpd_recipient_restrictions = 
    reject_non_fqdn_recipient
    reject_non_fqdn_sender
    reject_unknown_sender_domain
    permit_mynetworks
    permit_sasl_authenticated
    reject_unauth_destination
    check_client_access hash:/etc/postfix/smtpd_client_access
    reject_invalid_helo_hostname
    check_policy_service inet:127.0.0.1:60000
    check_policy_service inet:127.0.0.1:12525
    reject_rbl_client opm.blitzed.org,
    reject_rbl_client sbl.spamhaus.org,
    reject_rbl_client cbl.abuseat.org,
    reject_rbl_client dul.dnsbl.sorbs.net,
    permit
default_rbl_reply = $rbl_code Service unavailable; $rbl_class [$rbl_what] blocked using $rbl_domain${rbl_reason?; $rbl_reason}

And here is the whole main.cf (without TLS settings etc.):
Code:
# Postfix programs paths settings
command_directory = /usr/sbin
daemon_directory = /usr/lib/postfix
program_directory = /usr/lib/postfix
sendmail_path = /usr/sbin/sendmail

## General Postfix configuration
# should be the default domain from your provider eg. "server100.provider.tld"
mydomain = meinserver.meinedomain.xx

# should be different from $mydomain eg. "mail.$mydomain"
myhostname = meinserver.meinedomain.xx

mydestination = $myhostname,
	$mydomain,
	localhost.$myhostname,
	localhost.$mydomain,
	localhost
mynetworks = 127.0.0.0/8, 11.22.33.44   #<- IP of the mail server
inet_interfaces = all
append_dot_mydomain = no
biff = no

# Postfix performance settings
default_destination_concurrency_limit = 20
local_destination_concurrency_limit = 2

# SMTPD Settings
#pwcheck_method = saslauthd
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks
	permit_tls_clientcerts
	reject_invalid_hostname
	warn_if_reject reject_non_fqdn_hostname
	reject_unauth_pipelining

smtpd_recipient_restrictions = 
    reject_non_fqdn_recipient
    reject_non_fqdn_sender
    reject_unknown_sender_domain
    permit_mynetworks
    permit_sasl_authenticated
    reject_unauth_destination
    check_client_access hash:/etc/postfix/smtpd_client_access
    reject_invalid_helo_hostname
    check_policy_service inet:127.0.0.1:60000
    check_policy_service inet:127.0.0.1:12525
    reject_rbl_client opm.blitzed.org,
    reject_rbl_client sbl.spamhaus.org,
    reject_rbl_client cbl.abuseat.org,
    reject_rbl_client dul.dnsbl.sorbs.net,
    permit
default_rbl_reply = $rbl_code Service unavailable; $rbl_class [$rbl_what] blocked using $rbl_domain${rbl_reason?; $rbl_reason}

smtpd_sender_restrictions = permit_mynetworks,
	permit_sasl_authenticated,
	reject_unknown_hostname,
	reject_unknown_recipient_domain,
	reject_unknown_sender_domain

smtpd_client_restrictions = permit_mynetworks,
	permit_sasl_authenticated,
	reject_unknown_client


maps_rbl_domains = relays.ordb.org
smtp_client_restrictions = reject_maps_rbl, reject_unauth_destination, reject_unauth_pipelining
smtp_sender_restrictions = reject_maps_rbl, reject_unauth_destination, reject_unauth_pipelining, reject_unknown_sender_domain, reject_non_fqdn_sender, reject_non_fqdn_hostname

Many thanks!
Thilo
 
Code:
    reject_non_fqdn_recipient
    reject_non_fqdn_sender
    reject_unknown_sender_domain
    etc...

may only come after

Code:
check_client_access hash:/etc/postfix/smtpd_client_access

since otherwise the mail is already rejected before the whitelist is reached. Postfix works through the list in order; as soon as one entry matches, the mail is thrown out.

Regards
 
I have now changed it as follows:
Code:
smtpd_recipient_restrictions = 
    permit_mynetworks
    permit_sasl_authenticated
    reject_unauth_destination
    check_client_access hash:/etc/postfix/smtpd_client_access
    reject_non_fqdn_recipient
    reject_non_fqdn_sender
    reject_unknown_sender_domain
    reject_invalid_helo_hostname
    check_policy_service inet:127.0.0.1:60000
    check_policy_service inet:127.0.0.1:12525
    reject_rbl_client opm.blitzed.org,
    reject_rbl_client sbl.spamhaus.org,
    reject_rbl_client cbl.abuseat.org,
    reject_rbl_client dul.dnsbl.sorbs.net,
    permit
default_rbl_reply = $rbl_code Service unavailable; $rbl_class [$rbl_what] blocked using $rbl_domain${rbl_reason?; $rbl_reason}
and it still says
Code:
Helo command rejected: Host not found

I also tried moving the smtpd_helo_restrictions further down, likewise without success...

What else could it be? :confused:

Thanks to you all
Thilo
 
Please post the output of "postconf -n", then we can see all the changed settings.

Regards
 
here you go: postconf -n
Code:
alias_database = hash:/etc/aliases
alias_maps = $alias_database
append_dot_mydomain = no
biff = no
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/lib/postfix
default_destination_concurrency_limit = 20
default_rbl_reply = $rbl_code Service unavailable; $rbl_class [$rbl_what] blocked using $rbl_domain${rbl_reason?; $rbl_reason}
inet_interfaces = all
local_destination_concurrency_limit = 2
local_transport = local
mailbox_size_limit = 0
maps_rbl_domains = relays.ordb.org
message_size_limit = 52428800
mydestination = $myhostname,    $mydomain,      localhost.$myhostname,  localhost.$mydomain,    localhost
mydomain = meinserver.meinedomain.xx
myhostname = meinserver.meinedomain.xx
mynetworks = 127.0.0.0/8, 11.22.33.44
sendmail_path = /usr/sbin/sendmail
smtp_tls_CAfile = /etc/ssl/certs/CAcert_chain.pem
smtp_tls_cert_file = /etc/ssl/certs/server.crt
smtp_tls_key_file = /etc/ssl/private/private.key
smtp_tls_note_starttls_offer = yes
smtp_use_tls = yes
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
smtpd_client_restrictions = permit_mynetworks,  permit_sasl_authenticated,      reject_unknown_client
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks     permit_tls_clientcerts  reject_invalid_hostname warn_if_reject reject_non_fqdn_hostname reject_unauth_pipelining
smtpd_recipient_restrictions = permit_mynetworks    permit_sasl_authenticated    reject_unauth_destination    check_client_access hash:/etc/postfix/smtpd_client_access    reject_non_fqdn_recipient    reject_non_fqdn_sender    reject_unknown_sender_domain    reject_invalid_helo_hostname    check_policy_service inet:127.0.0.1:60000    check_policy_service inet:127.0.0.1:12525    reject_rbl_client opm.blitzed.org,    reject_rbl_client sbl.spamhaus.org,    reject_rbl_client cbl.abuseat.org,    reject_rbl_client dul.dnsbl.sorbs.net,    permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_security_options = noanonymous
smtpd_sender_restrictions = permit_mynetworks,  permit_sasl_authenticated,      reject_unknown_hostname,        reject_unknown_recipient_domain,        reject_unknown_sender_domain
smtpd_tls_cert_file = /etc/ssl/certs/server.crt
smtpd_tls_key_file = /etc/ssl/private/private.key
smtpd_tls_loglevel = 0
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom
virtual_alias_maps = mysql:/etc/postfix/mysql-virtual_alias_maps.cf
virtual_gid_maps = static:2000
virtual_mailbox_base = /var/customers/mail/
virtual_mailbox_domains = mysql:/etc/postfix/mysql-virtual_mailbox_domains.cf
virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual_mailbox_maps.cf
virtual_transport = maildrop
virtual_uid_maps = static:2000
 
Your smtpd_helo_restrictions are the problem. Incidentally, it is not particularly sensible to check the same restriction at several stages of mail delivery.
 
I don't get it. I have commented out everything that has to do with helo, and still:
Code:
Helo command rejected: Host not found

The relevant parts of main.cf now look like this:
Code:
smtpd_recipient_restrictions = 
    permit_mynetworks
    permit_sasl_authenticated
    reject_unauth_destination
    check_client_access hash:/etc/postfix/smtpd_client_access
    reject_non_fqdn_recipient
    reject_non_fqdn_sender
    reject_unknown_sender_domain
    #reject_invalid_helo_hostname
    check_policy_service inet:127.0.0.1:60000
    check_policy_service inet:127.0.0.1:12525
    reject_rbl_client opm.blitzed.org,
    reject_rbl_client sbl.spamhaus.org,
    reject_rbl_client cbl.abuseat.org,
    reject_rbl_client dul.dnsbl.sorbs.net,
    permit
default_rbl_reply = $rbl_code Service unavailable; $rbl_class [$rbl_what] blocked using $rbl_domain${rbl_reason?; $rbl_reason}

#smtpd_helo_required = yes
#smtpd_helo_restrictions = permit_mynetworks
	#permit_tls_clientcerts
	#reject_invalid_hostname
	#warn_if_reject reject_non_fqdn_hostname
	#reject_unauth_pipelining

And postconf -n again:
Code:
alias_database = hash:/etc/aliases
alias_maps = $alias_database
append_dot_mydomain = no
biff = no
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/lib/postfix
default_destination_concurrency_limit = 20
default_rbl_reply = $rbl_code Service unavailable; $rbl_class [$rbl_what] blocked using $rbl_domain${rbl_reason?; $rbl_reason}
inet_interfaces = all
local_destination_concurrency_limit = 2
local_transport = local
mailbox_size_limit = 0
maps_rbl_domains = relays.ordb.org
message_size_limit = 52428800
mydestination = $myhostname,    $mydomain,      localhost.$myhostname,  localhost.$mydomain,    localhost
mydomain = meinserver.meinedomain.xx
myhostname = meinserver.meinedomain.xx
mynetworks = 127.0.0.0/8, 11.22.33.44
sendmail_path = /usr/sbin/sendmail
smtp_tls_CAfile = /etc/ssl/certs/CAcert_chain.pem
smtp_tls_cert_file = /etc/ssl/certs/server.crt
smtp_tls_key_file = /etc/ssl/private/private.key
smtp_tls_note_starttls_offer = yes
smtp_use_tls = yes
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
smtpd_client_restrictions = permit_mynetworks,  permit_sasl_authenticated,      reject_unknown_client
smtpd_recipient_restrictions = permit_mynetworks    permit_sasl_authenticated    reject_unauth_destination    check_client_access hash:/etc/postfix/smtpd_client_access    reject_non_fqdn_recipient    reject_non_fqdn_sender    reject_unknown_sender_domain    check_policy_service inet:127.0.0.1:60000    check_policy_service inet:127.0.0.1:12525    reject_rbl_client opm.blitzed.org,    reject_rbl_client sbl.spamhaus.org,    reject_rbl_client cbl.abuseat.org,    reject_rbl_client dul.dnsbl.sorbs.net,    permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_security_options = noanonymous
smtpd_sender_restrictions = permit_mynetworks,  permit_sasl_authenticated,      reject_unknown_hostname,        reject_unknown_recipient_domain,      reject_unknown_sender_domain
smtpd_tls_cert_file = /etc/ssl/certs/server.crt
smtpd_tls_key_file = /etc/ssl/private/private.key
smtpd_tls_loglevel = 0
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom
virtual_alias_maps = mysql:/etc/postfix/mysql-virtual_alias_maps.cf
virtual_gid_maps = static:2000
virtual_mailbox_base = /var/customers/mail/
virtual_mailbox_domains = mysql:/etc/postfix/mysql-virtual_mailbox_domains.cf
virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual_mailbox_maps.cf
virtual_transport = maildrop
virtual_uid_maps = static:2000
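
As an added illustration (not code from the thread or from the Postfix project), the following Python model walks the restriction lists from the last postconf -n output above the way Postfix does with the default smtpd_delay_reject = yes: the client, helo, sender and recipient lists are evaluated one after another at RCPT TO, each list stops at its first OK or REJECT, and an OK ends only the list it appears in. DNS answers are constructed inputs, the "consolidated" variant is an assumed fix in which the HELO check appears only once, behind the whitelist, and restrictions that are neutral for this client (RBLs, policy services, FQDN checks) simply return DUNNO.

```python
# Each restriction yields OK, REJECT or DUNNO (undecided), as in Postfix; checks that are
# neutral for the client in the thread (RBLs, policy services, FQDN checks) yield DUNNO.
def evaluate(restriction, s):
    name = restriction.split()[0]
    if name == "permit_mynetworks":
        return "OK" if s["mynetworks"] else "DUNNO"
    if name == "permit_sasl_authenticated":
        return "OK" if s["sasl"] else "DUNNO"
    if name == "permit":
        return "OK"
    if name == "check_client_access":                # hash: map contents passed as a dict
        return s["access"].get(s["ip"], "DUNNO")
    # reject_unknown_hostname is the pre-2.3 name of reject_unknown_helo_hostname
    if name in ("reject_unknown_hostname", "reject_unknown_helo_hostname"):
        return "DUNNO" if s["helo_resolves"] else "REJECT"
    return "DUNNO"

def run_stages(stages, s):
    """stages: ordered (parameter, restriction list) pairs as evaluated at RCPT TO.
    A list stops at its first OK or REJECT; OK ends only that list, REJECT ends everything."""
    for param, restrictions in stages:
        for r in restrictions:
            verdict = evaluate(r, s)
            if verdict == "REJECT":
                return ("REJECT", param, r.split()[0])
            if verdict == "OK":
                break
    return ("PERMIT", None, None)

# Lists from the last "postconf -n" above (HELO restrictions commented out there).
CLIENT = ["permit_mynetworks", "permit_sasl_authenticated", "reject_unknown_client"]
SENDER = ["permit_mynetworks", "permit_sasl_authenticated", "reject_unknown_hostname",
          "reject_unknown_recipient_domain", "reject_unknown_sender_domain"]
RECIPIENT = ["permit_mynetworks", "permit_sasl_authenticated", "reject_unauth_destination",
             "check_client_access hash:/etc/postfix/smtpd_client_access",
             "reject_non_fqdn_recipient", "reject_non_fqdn_sender",
             "reject_unknown_sender_domain", "permit"]
WHITELIST = {"12.34.56.78": "OK", "87.65.43.21": "OK"}      # smtpd_client_access

def posted_config():
    return [("smtpd_client_restrictions", CLIENT), ("smtpd_sender_restrictions", SENDER),
            ("smtpd_recipient_restrictions", RECIPIENT)]
def consolidated_config():   # assumed fix: the HELO check appears once, behind the whitelist
    sender = [r for r in SENDER if r != "reject_unknown_hostname"]
    recipient = RECIPIENT[:-1] + ["reject_unknown_helo_hostname", "permit"]
    return [("smtpd_client_restrictions", CLIENT), ("smtpd_sender_restrictions", sender),
            ("smtpd_recipient_restrictions", recipient)]
def second_server():   # constructed session: whitelisted IP whose HELO name has no DNS record
    return {"ip": "87.65.43.21", "helo_resolves": False, "mynetworks": False,
            "sasl": False, "access": WHITELIST}
```

For the second server, run_stages(posted_config(), second_server()) stops in smtpd_sender_restrictions at reject_unknown_hostname, the restriction that produces the "Helo command rejected: Host not found" line, because the sender list runs before the recipient list that holds the whitelist. The consolidated variant reaches the check_client_access entry first and permits the client, while a non-whitelisted client with an unresolvable HELO is still rejected in the recipient stage.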
 