Home / server / Questions / 833499
Accepted
comfreak
Asked: 2017-02-20 06:24:32 +0800 CST

Effects of restrictions in Postfix

  • 772

My question is similar to this one, but I am running a newer version of Postfix and the answers there didn't really answer my question.

I am running a Debian Jessie server with Postfix 2.11.

So far I understood that Postfix has these checks:

  • smtpd_client_restrictions
  • smtpd_helo_restrictions
  • smtpd_sender_restrictions
  • smtpd_relay_restrictions
  • smtpd_recipient_restrictions

From what I read, Postfix will process them in the mentioned order.

  1. Now my question is, what happens when an entry in any restriction matches to OK? Does it mean that Postfix will skip the remaining checks from that specific *_restriction or will it skip all *_restrictions all together?

  2. Are there any other results that can occur apart from OK and REJECT or what are proper values for these checks?

  3. What are the other _restrictions used for, if most tutorials only mention smtpd_client_restrictions or smtpd_recipient_restrictions?

What I want to achieve is this:

  • Block MTA clients that are known for sending spam (e.g. dynamic IPs or other clients listed in blacklists) and/or are not compliant with the RFC (e.g. non-FQDN address etc.).
  • At the same time allow certain clients to bypass this based on a whitelist
  • Only allow SASL-authenticated clients to relay mail to other servers and not every whitelisted domain
  • Block clients that are impersonating other servers (meaning SPF), including those previously whitelisted (in other words, let whitelisted servers only deliver their mail)
  • Add a delay to new servers to further enhance spam protection (Postgrey). This already works quite well and I also created the necessary whitelists for it.

Now, if you answer question 1 either way, putting all checks into one of the *_restrictions mentioned above, will most likely not do the trick, since a whitelist would override the SPF check for example.

Therefore, my configuration looks something like this:

# basic configuration (myorigin, mydomain, etc.)

smtpd_helo_required = yes

smtpd_client_restrictions = check_client_access hash:/etc/postfix/blackwhitelists/whitelisted_client_addresses, 
    check_reverse_client_hostname_access hash:/etc/postfix/blackwhitelists/blacklisted_reverse_hostnames, 
    reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net,
    reject_rbl_client dnsbl.sorbs.net, reject_unknown_client

smtpd_helo_restrictions = permit_sasl_authenticated, permit_mynetworks,
    reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname,
    reject_unknown_helo_hostname, reject_unauth_pipelining

smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks,
    check_sender_access hash:/etc/postfix/blackwhitelists/blacklisted_sender_addresses

smtpd_relay_restrictions = permit_sasl_authenticated, permit_mynetworks,
    reject_unauth_destination

smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks,
    reject_unauth_destination, reject_unauth_pipelining, 
    check_sender_access hash:/etc/postfix/blackwhitelists/whitelisted_sender_addresses, reject_non_fqdn_sender,
    reject_unknown_sender_domain, check_policy_service unix:private/policyd-spf, 
    check_policy_service unix:/var/spool/postfix/postgrey/socket

smtpd_etrn_restrictions = permit_sasl_authenticated, permit_mynetworks, reject

# more basic configuration

As you can see, many options repeat themselves right now, because I am not sure, if I need them in other restrictions too. All in all, I would consider it quite a mess too.

I am also running SpamAssassin for the mail that passes all of these checks.

email smtp postfix

1 Answers

  1. Best Answer

    These _restrictions apply to information available during particular phase of SMTP dialogue, that is:

    • smtpd_client_restrictions are applied to initial connection (IP/FQDN)
    • smtpd_helo_restrictions are applied to client HELO/EHLO command
    • smtpd_sender_restrictions are applied to MAIL FROM command
    • smtpd_recipient_restrictions are applied to RCPT TO command

    smtpd_relay_restrictions control relaying to third-party domains.

    All items within each of these restrictions are evaluated in order they are given, and if any item matches processing of this restriction sequence stops and a specified action is taken. Entire list of possible actions is available is access(5) man page.

    If action is ACCEPT or any of its synonyms evaluation proceeds to the next stage's set of rules. If action is REJECT (or its brothers) an error is returned to the sender and no further processing is done.

    Your ruleset looks good, but it is way too restrictive and prone to errors - e.g. sender's DNS server down and no mail would be accepted from them, HELO/EHLO restrictions will ban poorly configured Exchange servers and some other esoteric mailers out there, etc.

    From my experience I'd recommend setting it to bare minimum instead and replace all RBLs, HELO checks and reverse checks with scoring policy-service daemon, e.g. postfwd2. There you can fine-tune your policy applied to all these small things and take different actions based on a complex of parameters and not a single hit.

    • 3