1

Topic: Whitelist being ignored?

==== Required information ====
- iRedMail version (check /etc/iredmail-release): 0.9.6
- Linux/BSD distribution name and version: CentOS 6.5
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): LDAP (Active Directory)
- Web server (Apache or Nginx): Apache
- Manage mail accounts with iRedAdmin-Pro? Yes, v2.7.0 (LDAP)
- Related log if you're reporting an issue:
====

I have several examples of this... basically, my whitelist rules seem to be being ignored.  I have whitelisted (for example) @dorriseaton.com as a Whitelisted sender, but e-mail from their server is still being rejected:

Mar 21 16:50:26 mail postfix/smtpd[16799]: NOQUEUE: reject: RCPT from 50-242-80-129-static.hfc.comcastbusiness.net[50.242.80.129]: 450 4.7.1 <DESHUBCAS.dorriseaton.com>: Helo command rejected: Host not found; from=<hcapone@dorriseaton.com> to=<sharon@XXXXXXXXXXXX.com> proto=ESMTP helo=<DESHUBCAS.dorriseaton.com>

I understand the meaning of the Helo command rejected / Host not found, but my understanding is that the whitelist should override Postfix SMTP checks.

This worked correctly before we upgraded iRedAdmin Pro. 

Any thoughts?

Thanks!


2

Re: Whitelist being ignored?

mac wrote:

Helo command rejected: Host not found; ... helo=<DESHUBCAS.dorriseaton.com>

This error means the HELO hostname "DESHUBCAS.dorriseaton.com" is not resolvable by DNS query.

This is controlled by Postfix restriction rule "reject_unknown_helo_hostname":
http://www.postfix.org/postconf.5.html# … o_hostname

The best solution is to ask the sysadmin of this sender server to add an A type DNS record for this hostname (DESHUBCAS.dorriseaton.com). Problem solved. Otherwise it will be blocked by other mail servers too.

3

Re: Whitelist being ignored?

Yes, I understand the postfix restriction.  In fact, since this happens so often, we have a stock e-mail that we send to admins of misconfigured servers, with instructions as to how they can fix their DNS/rDNS issues.  Unfortunately, it seems that few mail servers implement reject_unknown_helo_hostname, and so very commonly I get back the response, "I can send mail to everyone but you, so it's your problem, not mine."  It is at this point that we will generally whitelist the offending server.

However, my problem, as stated in the subject, is that the whitelist seems to be being ignored.  We have whitelisted the domains in question (@dorriseaton.com, as well as other offending domains), but the mails are still failing.  It's as though postfix is not handling the whitelist.

Prior to the upgrade, when we were on cluebringer, the whitelist / blacklist system was working just fine.

I did confirm that my whitelist entries are appearing in the amavisd database, in the mailaddr table.

Along the same lines, my blacklist entries are also being ignored.

4

Re: Whitelist being ignored?

iRedAdmin-Pro doesn't manage white/blacklists for HELO restriction, so it's expected that it doesn't work.

To fix this case, please open file /etc/postfix/main.cf, find parameter 'smtpd_helo_restrictions' like this:

smtpd_helo_restrictions =
    permit_mynetworks
    permit_sasl_authenticated
    reject_non_fqdn_helo_hostname
    reject_unknown_helo_hostname
    check_helo_access pcre:/etc/postfix/helo_access.pcre

Add one more 'check_helo_access' right after 'permit_sasl_authenticated' like this:

smtpd_helo_restrictions =
    permit_mynetworks
    permit_sasl_authenticated
    check_helo_access pcre:/etc/postfix/helo_wblist.pcre
    reject_non_fqdn_helo_hostname
    reject_unknown_helo_hostname
    check_helo_access pcre:/etc/postfix/helo_access.pcre

Create the file /etc/postfix/helo_wblist.pcre and add the line below to bypass 'DESHUBCAS.dorriseaton.com':

/^DESHUBCAS\.dorriseaton\.com$/ DUNNO

Reloading or restarting postfix is required.

Note: the purpose of using 2 'check_helo_access' is to leave the one shipped by iRedMail as is, and you can simply download a new version (if any) of this file from the iRedMail repository and replace the one on your server.
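
A dry run for entries destined for /etc/postfix/helo_wblist.pcre, added here as an example and not part of the original posts or of iRedMail: it parses a simplified subset of the pcre table syntax (one /pattern/flags action entry per line) and reports which HELO names an entry matches. Python's re module stands in for PCRE, and the loose entry and the lookalike hostnames are constructed for illustration.

```python
import re

# Constructed table text: STRICT is the entry from the post above; LOOSE is a
# hypothetical sloppy variant (unescaped dots, no ^...$ anchors).
STRICT = r"/^DESHUBCAS\.dorriseaton\.com$/ DUNNO"
LOOSE = r"/DESHUBCAS.dorriseaton.com/ DUNNO"

RULE = re.compile(r"^/(?P<pat>.*)/(?P<flags>[a-zA-Z]*)\s+(?P<action>.+)$")


def parse_table(text):
    """Parse '/pattern/flags action' lines; skip blanks and '#' comments."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE.match(line)
        if m is None:
            raise ValueError(f"line {lineno}: not a /pattern/ action entry")
        # pcre tables match case-insensitively unless the 'i' flag toggles it off
        flags = 0 if "i" in m["flags"] else re.IGNORECASE
        rules.append((re.compile(m["pat"], flags), m["action"].strip()))
    return rules


def lookup(rules, helo):
    """Return the action of the first matching entry, or None if none match."""
    for pattern, action in rules:
        if pattern.search(helo):
            return action
    return None


def audit(table_text, wanted, lookalikes):
    """Map each HELO name to the action this table returns for it."""
    rules = parse_table(table_text)
    return {name: lookup(rules, name) for name in [wanted, *lookalikes]}


WANTED = "DESHUBCAS.dorriseaton.com"
# Constructed names that the entry must NOT match
LOOKALIKES = ["DESHUBCAS.dorriseaton.com.example.net", "DESHUBCASxdorriseaton.com"]

if __name__ == "__main__":
    for label, table in (("strict", STRICT), ("loose", LOOSE)):
        for name, action in audit(table, WANTED, LOOKALIKES).items():
            print(f"{label:6} {name:40} -> {action}")
```

On the server itself, postmap -q "DESHUBCAS.dorriseaton.com" pcre:/etc/postfix/helo_wblist.pcre runs the same lookup against the real file.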

5

Re: Whitelist being ignored?

I did implement the above fix, and it addressed this issue.  However, I do have to note...

ZhangHuangbin wrote:

iRedAdmin-Pro doesn't manage white/blacklists for HELO restriction, so it's expected that it doesn't work.

Perhaps I'm naive, but it seems like "Whitelist" should, well, whitelist... that an entry in the whitelist (or blacklist) should override and cease any further checking.  Is this a feature that can be implemented?

Is it possible to add 

check_policy_service inet:127.0.0.1:7777

to smtpd_helo_restrictions?

6

Re: Whitelist being ignored?

mac wrote:

Perhaps I'm naive, but it seems like "Whitelist" should, well, whitelist... that an entry in the whitelist (or blacklist) should override and cease any further checking.  Is this a feature that can be implemented?

Postfix supports whitelisting in multiple restrictions (smtpd_*_restrictions), but they use different format/syntax for whitelisted senders.

mac wrote:

Is it possible to add 

check_policy_service inet:127.0.0.1:7777

to smtpd_helo_restrictions?

iRedAPD doesn't support HELO white/blacklisting yet.