Is there a way to whitelist an address or domain in Postfix's helo_restrictions with ISPCONFIG3

Discussion in 'General' started by FFG28, Oct 25, 2018.

  1. FFG28

    FFG28 Member

    Good Day:

    We have a SENDER that is being rejected by our HELO CHECK (using dummy domains in example)
    -------------------------------------------------------------------------------------------
    Oct 25 11:04:23 mail postfix/smtpd[6396]: connect from host1.senderdomain1.com["sender IP"]

    Oct 25 11:04:23 mail postfix/smtpd[6396]: NOQUEUE: reject: RCPT from host1.senderdomain1.com["sender IP"]: 450 4.7.1 <host2.subdomain.senderdomain2>: Helo command rejected: Host not found; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<host2.subdomain.senderdomain2>

    Oct 25 11:04:23 mail postfix/smtpd[6396]: NOQUEUE: reject: RCPT from host1.senderdomain1.com["sender IP"]: 450 4.7.1 <host2.subdomain.senderdomain2>: Helo command rejected: Host not found; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<host2.subdomain.senderdomain2>

    Oct 25 11:04:23 mail postfix/smtpd[6396]: disconnect from host1.senderdomain1.com["sender IP"] ehlo=2 starttls=1 mail=2 rcpt=0/2 rset=1 quit=1 commands=7/9
    ---------------------------------------------------------------------------------------------------

    Is there a way of whitelisting the senderdomain1.com domain from the HELO check in ISPCONFIG 3? I should point out that the SENDER has more than one MX server (but all with the senderdomain1.com domain and *.subdomain.senderdomain2 banner). I would also need to make this rule SERVER WIDE (for all our domains).

    I have seen elsewhere the following procedure:

    https://serverfault.com/questions/6...dress-or-domain-in-postfixs-helo-restrictions

    Before making changes to postfix main.cf, I would like to know if
    1. this could be done from ISPCONFIG 3.
    2. if not, will it break the ISP CONFIG 3 configuration.
    3. if no break, what would be the proper way to configure it.

    Best Regards
     
    Link BP likes this.
  2. Jesse Norell

    Jesse Norell Well-Known Member

    There is no setting in the ISPConfig gui for this, but you can change any of the postfix config settings you need to; for ones which ISPConfig doesn't set there's no need to do anything more than set it; for config settings which ISPConfig does set you'll need to use a conf-custom file (ie. find the corresponding config file under "conf" and copy to "conf-custom" folder, then make your changes there). smtpd_helo_restrictions is one you'll need to make a conf-custom file for, but you certainly can change it as needed.

    As you work on that, you might consider using a dmarc check, and bypassing the "use a valid hostname" restriction only if dmarc passes. I guess that is assuming dmarc passes, which it may not if this sender doesn't even bother to use valid names. :) (I assume you do understand that it's the sender's misconfigured system(s) which is at fault, and you are trying to work around their brokenness - it would be better for them and you if they would fix it on their end, as they will be having the exact same problem delivering to other domains as well.)
     
    FFG28 likes this.
  3. FFG28

    FFG28 Member

    Good Day Jesse:

    Thank you for your reply :). Sorry I couldn't follow up faster.

    And yes, I do agree with your comment that it is the sender's misconfigured system at fault. But believe me when I say that this is way easier than making the sender fix its configuration. I'm sure that I'm not the only one in this Bus as well, when I say that there are way too many mail server admins who believe they have the last word in how to properly configure any mail system and that everybody else should do as they believe.

    Some comments:
    First: I understand from your reply that I should create the conf-custom folder inside /etc/postfix/ ( as I don't see it created in my postfix folder library).

    Second: I should create as well an identical copy of the main.cf file and paste it inside the newly created conf-custom folder. File should have the same name (main.cf) and same contents with parts edited where needed, but not missing the rest of the contents of the original file. For example:

    One parameter that I would also like to edit is the SMTP Banner (to just show the server's FQDN), without changing the actual FQDN. So then: I would leave the SMTP Banner unedited in the first file (/etc/postfix/main.cf), but edited in second file (/etc/postfix/conf-custom/main.cf)?

    First file shows (/etc/postfix/main.cf):
    smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
    Second file shows (/etc/postfix/conf-custom/main.cf):
    smtpd_banner = $myhostname

    But also: I would leave MY HOSTNAME unedited in the first file (/etc/postfix/main.cf), and equally unedited in the second file (/etc/postfix/conf-custom/main.cf). Meaning:

    First file shows (/etc/postfix/main.cf):
    myhostname = server.mydomain.com
    Second file shows (/etc/postfix/conf-custom/main.cf):
    myhostname = server.mydomain.com

    So, in the case in question (HELO ACCESS), it would be something like this:
    First file should show:
    /etc/postfix/main.cf:
    smtpd_helo_restrictions =
        permit_sasl_authenticated,
        permit_mynetworks,
        check_helo_access regexp:/etc/postfix/helo_access,
        reject_invalid_hostname,
        reject_non_fqdn_hostname,
        reject_invalid_helo_hostname,
        reject_unknown_helo_hostname,
        check_helo_access regexp:/etc/postfix/blacklist_helo

    /etc/postfix/helo_access:
    #ALL COMMENTED

    Second file should show:
    /etc/postfix/conf-custom/main.cf:
    smtpd_helo_restrictions =
        permit_sasl_authenticated,
        permit_mynetworks,
        check_helo_access regexp:/etc/postfix/helo_access,
        reject_invalid_hostname,
        reject_non_fqdn_hostname,
        reject_invalid_helo_hostname,
        reject_unknown_helo_hostname,
        check_helo_access regexp:/etc/postfix/blacklist_helo

    /etc/postfix/conf-custom/helo_access:
    senderdomain1.com PERMIT

    Note: I'm following instructions from this URL
    http://www.postfix.org/SMTPD_ACCESS_README.html
    with configuration of our server's postfix file, to not make the server an open relay.

    Is the above correct?
    Please advise.

    Best Regards,
     
    Last edited: Nov 2, 2018
  4. Jesse Norell

    Jesse Norell Well-Known Member

    Well, to answer your question of "how to use conf-custom," the conf-custom folder to create is /usr/local/ispconfig/server/conf-custom/, and you copy the original master files from /usr/local/ispconfig/server/conf/ to the same path (same subdirectory names, etc.) under conf-custom/. Some conf files aren't normally on the server, but are found in the ispconfig installation tarball (or git repository), and in a quick check it looks like the postfix main.cf master file is one of those, so run over to https://git.ispconfig.org/ispconfig/ispconfig3/tree/stable-3.1/install/tpl and grab debian_postfix.conf.master (I believe that's the correct one for ubuntu):
    Code:
    wget -O /usr/local/ispconfig/server/conf-custom/debian_postfix.conf.master https://git.ispconfig.org/ispconfig/ispconfig3/raw/stable-3.1/install/tpl/debian_postfix.conf.master
    You'll need to make your changes to both the current /etc/postfix/main.cf, as well as change any settings found in the debian_postfix.conf.master template. There will be settings in main.cf which are not in the template, and you can just make changes to the live main.cf for those, they will not be overwritten.

    However, for your specific changes, you don't need to bother with a conf-custom file at all. The existing smtpd_helo_restrictions already point to the helo_access file, so you can simply add your entries to it. The other settings you mention aren't set by ISPConfig, so any changes you make to them in main.cf will be kept.
     
    FFG28 likes this.
  5. FFG28

    FFG28 Member

    Good Day Jesse:

    I do use SPF, DKIM and DMARC. DMARC is as follows:

    "v=DMARC1; p=quarantine; rua=mailto:[email protected]; ruf=mailto:[email protected]; sp=reject; fo=1; pct=100; adkim=s; aspf=s"

    DNS is provided by the ISP. Not us but TXT Records have been properly configured.

    Note: I have it in p=quarantine as I have been testing the configuration and planning to do a p=reject. Also it would be great if you could point out where these e-mails are supposed to be quarantined (I still don't understand this part from the DMARC statement). aggrep and authfail are both configured in the system.

    So just checking if I am understanding correctly:
    Upon changing the p=reject, just bypass the helo check on postfix?

    Could you recommend the postfix coding for this as well?

    Best Regards,
     
  6. Jesse Norell

    Jesse Norell Well-Known Member

    The DMARC record is to instruct other mail systems how to process mail claiming to be from your domain, so where = the receiving mail systems, and what happens is also up to the receiving mail systems. Eg.
    No, changing p=reject will tell all the message recipients to reject mail which does not pass your DMARC policy, rather than to quarantine it. It does not affect the helo checks performed by your server in any way.
     
    Last edited: Nov 7, 2018
  7. FFG28

    FFG28 Member

    Good day Jesse:

    I didn't mean to say that one had to do with the other (I do understand the difference).

    What I meant to say was that I understood you asking me to check a good DMARC configuration that would let me bypass HELO checks on POSTFIX.

    Anyhow, thanks again for the help.

    Regards,
     
  8. Jesse Norell

    Jesse Norell Well-Known Member

    DMARC doesn't come into play at all with postfix helo checks, so to address your original issue, simply add the sender's helo hostname to /etc/postfix/helo_access (close to what you have in #3 above, but the file location is /etc/postfix/helo_access).
     
    FFG28 likes this.
  9. FFG28

    FFG28 Member

    Perfect

    I will do changes and come back to feedback the post. Thank you very much for the help.
     
  10. FFG28

    FFG28 Member

    Thank you Jesse:

    This worked as you mentioned, although I had to figure out that the check is done against the banner and not the FQDN (at least this is how I got it working. Any comments are welcomed). Also had to use the example on the helo_access file to properly code the PERMIT.

    Regards
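
The observation in post #10, that check_helo_access looks up the name the client sends in HELO/EHLO and not its reverse-DNS hostname, can be checked offline. This is an added example, not part of the thread or of ISPConfig: it extracts rejected HELO names from constructed log lines shaped like those in post #1, builds an anchored entry for the regexp: helo_access table, and approximates the table's first-match lookup with Python's re module (an assumption; Postfix itself uses POSIX regular expressions). All function names are hypothetical.

```python
import re

# Constructed sample shaped like the log in post #1 (dummy names, documentation IP).
SAMPLE_LOG = """\
Oct 25 11:04:23 mail postfix/smtpd[6396]: connect from host1.senderdomain1.com[192.0.2.10]
Oct 25 11:04:23 mail postfix/smtpd[6396]: NOQUEUE: reject: RCPT from host1.senderdomain1.com[192.0.2.10]: 450 4.7.1 <host2.subdomain.senderdomain2>: Helo command rejected: Host not found; from=<sender@senderdomain1.com> to=<user@mydomain.com> proto=ESMTP helo=<host2.subdomain.senderdomain2>
"""

REJECT = re.compile(r"reject: RCPT from (?P<client>[^\[\s]+)\[[^\]]*\]: .*"
                    r"Helo command rejected: .* helo=<(?P<helo>[^>]+)>")

def rejected_helos(log_text):
    """Return sorted unique (client_name, helo_name) pairs from HELO rejections."""
    hits = (REJECT.search(line) for line in log_text.splitlines())
    return sorted({(m["client"], m["helo"]) for m in hits if m})

def anchored_entry(helo_name, action="PERMIT"):
    """Build one regexp-table line that matches exactly this HELO name."""
    # Hostnames only need the dot escaped; ^ and $ stop substring matches.
    return "/^%s$/ %s" % (helo_name.replace(".", r"\."), action)

def lookup(table_lines, helo_name):
    """Approximate a regexp: table lookup: first match wins, case-insensitive."""
    for line in table_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"/(.*)/\s+(\S.*)$", line)  # only "/pattern/ ACTION" lines
        if m and re.search(m.group(1), helo_name, re.IGNORECASE):
            return m.group(2)
    return None  # no match: the next restriction in the list is evaluated

if __name__ == "__main__":
    for client, helo in rejected_helos(SAMPLE_LOG):
        entry = anchored_entry(helo)
        print(entry)
        # The key is the HELO name, so the client's hostname finds nothing.
        print("helo   ->", lookup([entry], helo))
        print("client ->", lookup([entry], client))
    # An unanchored pattern also permits any name that merely contains it.
    print(lookup(["/senderdomain2/ PERMIT"],
                 "host2.subdomain.senderdomain2.lookalike.example"))
```

On the server itself, `postmap -q host2.subdomain.senderdomain2 regexp:/etc/postfix/helo_access` runs the real lookup against the live table.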
     
