whitelist

cyberpaul · 03-30-2011, 12:57 PM

Hi,

one of our customers pointed out a strange behaviour of whitelisting feature.

Environment:
ISP Manager Pro 4.3.53.1
CentOS 5.5
Postfix 2.3.3

When you put a domain on the whitelist, one would suppose you will receive email from this domain even when it's on a DNSbl. But it's not how it works. It works like this:

[ /etc/postfix/main.cf ]:
smtpd_sender_restrictions =
permit_sasl_authenticated,
check_sender_access hash:/etc/mail/access
smtpd_recipient_restrictions =
permit_sasl_authenticated,
check_recipient_access hash:/etc/mail/access,
permit_mynetworks,
reject_unauth_destination,
reject_unlisted_recipient,
reject_rbl_client truncate.gbudb.net

[ /etc/mail/access ]:
whitelisted-domain.net OK

This means that when postfix receives MAIL FROM command and the sender is whitelisted, he gets OK. That's nice.

But when postfix receives RCPT command, recipient is checked against the whitelist. But the recipient is not the whitelisted domain, recipient is local. What this means is, that when I whitelist a domain, anybody can use my server as a relay for this domain (recipient is whitelisted).

Is this a bug or a feature?

sad · 04-04-2011, 02:53 AM

Access map in postfix works almost like in sendmail. You can change postfix configuration for your needs, ispmanager will not touch it after initial setup. Removing access list checking from smtpd_recipient_restrictions may solve this "bug or feature".

cyberpaul · 04-04-2011, 12:41 PM

Thanks for your reply. Can do that. But is that a desired beahviour? It's confusing.

Anyway I have one more problem - mail filters. It seems that from certain size of mail directory it's impossible to set email filters via ISP manager (cca thousand mails and more). Environment is the same as before (CentOS 5.5, ISP manager 4.3.53.1, but it is the same with 4.3.52 and 4.3.51.3 on different servers).

How to reproduce:
- in 'mailboxes' select a big mailbox
- click 'change the mail filter settings...' icon
- either click 'add mail filter' icon or double click any of existing filters

The working icon then appears and never really goes away. The 'ispmgr' process starts consuming more and more memory until the server crashes.

Log reports this:
Apr 4 11:37:13 [27440] INFO Request [81.31.34.226][root] 'func=email'
Apr 4 11:37:16 [27440] INFO Request [81.31.34.226][root] 'func=email.filter&elid=info%40domain.cz'
Apr 4 11:37:16 [27440] EXTINFO Load config '/var/www/glabasnat/data/email/domain.cz/info/.procmailrc'

It is crucial to fix this issue, thanks in advance for your reply.

03-30-2011, 12:57 PM	#1
cyberpaul Junior Member Join Date: Aug 2010 Location: Czech Republic Posts: 23	whitelist Hi, one of our customers pointed out a strange behaviour of whitelisting feature. Environment: ISP Manager Pro 4.3.53.1 CentOS 5.5 Postfix 2.3.3 When you put a domain on the whitelist, one would suppose you will receive email from this domain even when it's on a DNSbl. But it's not how it works. It works like this: [ /etc/postfix/main.cf ]: smtpd_sender_restrictions = permit_sasl_authenticated, check_sender_access hash:/etc/mail/access smtpd_recipient_restrictions = permit_sasl_authenticated, check_recipient_access hash:/etc/mail/access, permit_mynetworks, reject_unauth_destination, reject_unlisted_recipient, reject_rbl_client truncate.gbudb.net [ /etc/mail/access ]: whitelisted-domain.net OK This means that when postfix receives MAIL FROM command and the sender is whitelisted, he gets OK. That's nice. But when postfix receives RCPT command, recipient is checked against the whitelist. But the recipient is not the whitelisted domain, recipient is local. What this means is, that when I whitelist a domain, anybody can use my server as a relay for this domain (recipient is whitelisted). Is this a bug or a feature?