This is a discussion on Testing the access tables (check_*_access) within the mailing.postfix.users forums, part of the Mail Servers and Related category.
(Postfix 2.3.3 on FreeBSD 6.1-RELEASE-p6, installed from ports with
'POSTFIX_OPTIONS="SASL2 SASLKRB5 SPF TLS BDB MySQL OpenLDAP CDB VDA"' and
'WITH_BDB_VER=43' set.)

I use a check_sender_access directive in $smtpd_recipient_restrictions to allow or block mail from particular individuals as identified by their message envelopes. If I read access(5) correctly, I should be able to match on the domain part of a particular email address using the hashed version (db or dbm) of the access table. In practice, entries listing only the domain part do not match full email addresses. For example, I have the following line in my sender access list:

    .intruguarddevices.com REJECT

(The file is in the "hash:" format, if that makes a difference.) According to the mail logs and the Return-Path headers, sender envelope addresses that should match this rule look like this:

    webinar@intruguarddevices.com

Yet, Postfix does not block these addresses, even using the following simplified configuration:

    smtpd_recipient_restrictions =
        permit_sasl_authenticated
        permit_mynetworks
        reject_unauth_destination
        check_sender_access hash:/usr/local/etc/postfix/maps/access_sender
        permit

When I query the access list using the postmap command, I get no result:

    postmap -q webinar@intruguarddevices.com access_sender || echo not found
    not found
    postmap -q .intruguarddevices.com access_sender || echo not found
    REJECT

Now, it's possible that postmap's -q flag does not follow the same semantics as Postfix itself in terms of selecting a match, but I don't know how else to test or to reproduce my problem. What am I doing wrong? Am I using this facility correctly? Should I switch to some other lookup method (e.g., PCRE)?

Best wishes,
Matthew

-- 
Every time Bruce Schneier smiles, an amateur cryptographer dies.
(http://geekz.co.uk/schneierfacts/fact/55)
Matthew X. Economou wrote:
> I should be able to match on the domain part of a
> particular email address using
> .intruguarddevices.com REJECT
> should match this rule look like this:
> webinar@intruguarddevices.com
> Yet, Postfix does not block these addresses

.domain.com matches on anything.domain.com, but not domain.com

If parent_domain_matches_subdomains has smtpd_access_maps in it (run this to see: postconf parent_domain_matches_subdomains) then domain.com matches both anything.domain.com and domain.com

if smtpd_access_maps is not in it, then these 2 will match everything:

    .domain.com
    domain.com

-- 
Greg
>>>>> "Greg" == Greg Hackney <hackney@swbell.net> writes:

Greg> If parent_domain_matches_subdomains has smtpd_access_maps in
Greg> it (run this to see: postconf parent_domain_matches_subdomains)

This is already the case on my system.

    $ postconf parent_domain_matches_subdomains
    parent_domain_matches_subdomains = debug_peer_list,fast_flush_domains,mynetworks,permit_mx_backup_networks,qmqpd_authorized_clients,relay_domains,smtpd_access_maps

Greg> if smtpd_access_maps is not in it, then these 2 will match
Greg> everything: .domain.com domain.com

Are you certain this is correct? The manual page for access(5) (see also http://www.postfix.org/access.5.html) implies that the entry with the initial dot is all that you need.

I performed further testing, and I found a problem with my configuration. I made a mistake with one of my entries in $mynetworks, and it turns out that this was allowing the message through (the permit_mynetworks rule comes before the check_sender_access rule in my configuration).

Thanks for your help, Greg!

Best wishes,
Matthew

-- 
Every time Bruce Schneier smiles, an amateur cryptographer dies.
(http://geekz.co.uk/schneierfacts/fact/55)
Matthew X. Economou wrote:
> Are you certain this is correct? The manual page for access(5) (see
> also http://www.postfix.org/access.5.html) implies that the entry with
> the initial dot is all that you need.

"man 5 postconf" says:

    parent_domain_matches_subdomains (default: see postconf -d output)
        What Postfix features match subdomains of "domain.tld" automatically,
        instead of requiring an explicit ".domain.tld" pattern. This is
        planned backwards compatibility: eventually, all Postfix features
        are expected to require explicit ".domain.tld" style patterns when
        you really want to match subdomains.

-- 
Greg
>>>>> "Greg" == Greg Hackney <hackney@swbell.net> writes:

Greg> parent_domain_matches_subdomains (default: see postconf -d
Greg> output) What Postfix features match subdomains of
Greg> "domain.tld" automatically, instead of requiring an explicit
Greg> ".domain.tld" pattern. This is planned backwards
Greg> compatibility: eventually, all Postfix features are expected
Greg> to require explicit ".domain.tld" style patterns when you
Greg> really want to match subdomains.

Ah, I follow you now. Thanks!

-- 
Every time Bruce Schneier smiles, an amateur cryptographer dies.
(http://geekz.co.uk/schneierfacts/fact/55)