Discussion:
access file : DISCARD vs REJECT
(too old to reply)
Pascal Maes
2006-04-07 08:42:25 UTC
Permalink
hello,

In main.cf, I have a rule for smtpd_recipient_restrictions which says :

check_sender_access hash:/etc/postfix/access

In the file access, I have the following line :

***@domain.be REJECT

and it works !

mail from: ***@domain.be
250 2.1.0 Ok
rcpt to: ***@elec.ucl.ac.be
554 5.7.1 <***@domain.be>: Sender address rejected: Access denied


If I replace REJECT by DISCARD, it doesn't work anymore (I receive
the mail)

mail from: ***@domain.be
250 2.1.0 Ok
rcpt to: ***@elec.ucl.ac.be
250 2.1.5 Ok


What's wrong ?

Thanks
--
Pascal
Gábor Lénárt
2006-04-07 08:50:27 UTC
Permalink
Post by Pascal Maes
250 2.1.0 Ok
If I replace REJECT by DISCARD, it doesn't work anymore (I receive
the mail)
250 2.1.0 Ok
250 2.1.5 Ok
What's wrong ?
Everyhing is OK! from the man page:

DISCARD optional text...
Claim successful delivery and silently discard the
message. Log the optional text if specified, oth-
erwise log a generic message.
--
- Gábor
Magnus Bäck
2006-04-07 08:57:00 UTC
Permalink
Post by Pascal Maes
check_sender_access hash:/etc/postfix/access
and it works !
250 2.1.0 Ok
If I replace REJECT by DISCARD, it doesn't work anymore (I receive
the mail)
250 2.1.0 Ok
250 2.1.5 Ok
This doesn't prove that you receive the mail, it only proves that Postfix
doesn't reject the MAIL FROM and RCPT TO commands. Show logs instead.
--
Magnus Bäck
***@dsek.lth.se
Pascal Maes
2006-04-07 09:51:43 UTC
Permalink
Post by Magnus Bäck
Post by Pascal Maes
check_sender_access hash:/etc/postfix/access
and it works !
250 2.1.0 Ok
If I replace REJECT by DISCARD, it doesn't work anymore (I receive
the mail)
250 2.1.0 Ok
250 2.1.5 Ok
This doesn't prove that you receive the mail, it only proves that Postfix
doesn't reject the MAIL FROM and RCPT TO commands. Show logs instead.
--
Magnus Bäck
log of the reject :

Apr 7 10:26:32 smtp-1 postfix/smtpd[19379]: connect from
gaia.elec.ucl.ac.be[130.104.236.1]
Apr 7 10:26:44 smtp-1 postfix/smtpd[19379]: NOQUEUE: reject: RCPT
from gaia.elec.ucl.ac.be[130.104.236.1]: 554 5.7.1 <***@domain.be>:
Sender address rejected: Access denied; from=<***@domain.be>
to=<***@elec.ucl.ac.be> proto=SMTP helo=<gaia.elec.ucl.ac.be>

log of the discard (complete sequence with clamsmtp and mailscanner) :

Apr 7 10:27:54 smtp-1 postfix/smtpd[19463]: 300D75F4:
client=gaia.elec.ucl.ac.be[130.104.236.1]
Apr 7 10:28:00 smtp-1 postfix/cleanup[19468]: 300D75F4: hold: header
Received: from smtp-1.dynsipr.ucl.ac.be (localhost.localdomain
[127.0.0.1])??by smtp-1.dynsipr.ucl.ac.be (Postfix) with ESMTP id
300D75F4??for <***@elec.ucl.ac.be>; Fri, 7 Apr 2006 10:27:54
+ from gaia.elec.ucl.ac.be[130.104.236.1]; from=<***@domain.be>
to=<***@elec.ucl.ac.be> proto=SMTP helo=<gaia.elec.ucl.ac.be>
Apr 7 10:28:00 smtp-1 postfix/cleanup[19468]: 300D75F4: message-
id=<***@smtp-1.dynsipr.ucl.ac.be>
Apr 7 10:28:00 smtp-1 clamsmtpd: 10FD84: from=***@domain.be,
to=***@elec.ucl.ac.be, status=CLEAN
Apr 7 10:28:03 smtp-1 MailScanner[12001]: Message 300D75F4.504A6
from 127.0.0.1 (***@domain.be) to elec.ucl.ac.be is n'est pas u
n polluriel, SpamAssassin (score=2.928, requis 5, MISSING_SUBJECT
0.57, MSGID_FROM_MTA_ID 0.93, NO_REAL_NAME 0.55, SPF_HELO_PASS -0.
00, SPF_PASS -0.00, UNDISC_RECIPS 0.88)
Apr 7 10:28:04 smtp-1 MailScanner[12001]: Requeue: 300D75F4.504A6 to
BBA3A5B4
Apr 7 10:28:04 smtp-1 MailScanner[12001]: Uninfected: Delivered 1
messages
Apr 7 10:28:04 smtp-1 postfix/qmgr[19348]: BBA3A5B4:
from=<***@domain.be>, size=697, nrcpt=1 (queue active)
Apr 7 10:28:04 smtp-1 MailScanner[12001]: Batch processed in 3.47
seconds
Apr 7 10:28:04 smtp-1 postfix/smtp[19475]: BBA3A5B4:
to=<***@elec.ucl.ac.be>, relay=gaia.elec.ucl.ac.be
[130.104.236.1]:25,
delay=10, delays=9.9/0/0.05/0.27, dsn=2.0.0, status=sent (250 2.0.0
k378S3AU007329 Message accepted for delivery)
Apr 7 10:28:04 smtp-1 postfix/qmgr[19348]: BBA3A5B4: removed

--
Pascal
Wietse Venema
2006-04-08 13:01:17 UTC
Permalink
There is no DISCARD action in this logging.

Postfix logs DISCARD actions as "discard:".

What you have is a "HOLD" action, follows by unsupported queue file
manipulations by mailscanner.

Wietse
Post by Pascal Maes
client=gaia.elec.ucl.ac.be[130.104.236.1]
Apr 7 10:28:00 smtp-1 postfix/cleanup[19468]: 300D75F4: hold: header
Received: from smtp-1.dynsipr.ucl.ac.be (localhost.localdomain
[127.0.0.1])??by smtp-1.dynsipr.ucl.ac.be (Postfix) with ESMTP id
Apr 7 10:28:00 smtp-1 postfix/cleanup[19468]: 300D75F4: message-
Apr 7 10:28:03 smtp-1 MailScanner[12001]: Message 300D75F4.504A6
n polluriel, SpamAssassin (score=2.928, requis 5, MISSING_SUBJECT
0.57, MSGID_FROM_MTA_ID 0.93, NO_REAL_NAME 0.55, SPF_HELO_PASS -0.
00, SPF_PASS -0.00, UNDISC_RECIPS 0.88)
Apr 7 10:28:04 smtp-1 MailScanner[12001]: Requeue: 300D75F4.504A6 to
BBA3A5B4
Apr 7 10:28:04 smtp-1 MailScanner[12001]: Uninfected: Delivered 1
messages
Apr 7 10:28:04 smtp-1 MailScanner[12001]: Batch processed in 3.47
seconds
[130.104.236.1]:25,
delay=10, delays=9.9/0/0.05/0.27, dsn=2.0.0, status=sent (250 2.0.0
k378S3AU007329 Message accepted for delivery)
Apr 7 10:28:04 smtp-1 postfix/qmgr[19348]: BBA3A5B4: removed
--
Pascal
Pascal Maes
2006-04-08 16:45:47 UTC
Permalink
Post by Wietse Venema
Post by Pascal Maes
log of the discard (complete sequence with clamsmtp and
There is no DISCARD action in this logging.
Postfix logs DISCARD actions as "discard:".
What you have is a "HOLD" action, follows by unsupported queue file
manipulations by mailscanner.
Wietse
You're right but my question was why there is no DISCARD ?
What's wrong in my configuration ?

I have posted extracts of the main.cf and the master.cf this morning

--
Pascal
Jonathan Dill
2006-04-08 17:50:16 UTC
Permalink
Post by Pascal Maes
You're right but my question was why there is no DISCARD ?
What's wrong in my configuration ?
Did you try looking for "discard:" in the log files instead of "DISCARD"?

Jonathan
mouss
2006-04-07 14:46:13 UTC
Permalink
Post by Pascal Maes
hello,
check_sender_access hash:/etc/postfix/access
and it works !
250 2.1.0 Ok
If I replace REJECT by DISCARD, it doesn't work anymore (I receive the
mail)
250 2.1.0 Ok
250 2.1.5 Ok
What's wrong ?
do not discard unless you know why.
Pascal Maes
2006-04-07 15:52:42 UTC
Permalink
Post by mouss
Post by Pascal Maes
hello,
check_sender_access hash:/etc/postfix/access
and it works !
250 2.1.0 Ok
If I replace REJECT by DISCARD, it doesn't work anymore (I receive
the mail)
250 2.1.0 Ok
250 2.1.5 Ok
What's wrong ?
do not discard unless you know why.
You're right and REJECT will do the job,
but I wonder why DISCARD is not working.

If you have an idea (I have also posted an extract of the logfiles).

--
Pascal
Jonathan Dill
2006-04-07 16:31:52 UTC
Permalink
After dusting out the cobwebs from my brain :) I think I recall that
with some versions of postfix, DISCARD is ignored if in main.cf:

smtpd_delay_reject = no

There should be error messages about DISCARD being ignored if that is
the case. However, changing that to "yes" has negative performance
implications, although I do not recall the specifics.

If you know some address is sending you mainly spam with forged From and
no useful mail, isn't it better to DISCARD to avoid creating backscatter
to a third party?
Post by Pascal Maes
Post by mouss
Post by Pascal Maes
hello,
check_sender_access hash:/etc/postfix/access
and it works !
250 2.1.0 Ok
If I replace REJECT by DISCARD, it doesn't work anymore (I receive
the mail)
250 2.1.0 Ok
250 2.1.5 Ok
What's wrong ?
do not discard unless you know why.
You're right and REJECT will do the job,
but I wonder why DISCARD is not working.
If you have an idea (I have also posted an extract of the logfiles).
--
Pascal
mouss
2006-04-07 20:49:41 UTC
Permalink
Post by Jonathan Dill
After dusting out the cobwebs from my brain :) I think I recall that
If that is true, then it would be a bug.
Post by Jonathan Dill
smtpd_delay_reject = no
There should be error messages about DISCARD being ignored if that is
the case. However, changing that to "yes" has negative performance
implications, although I do not recall the specifics.
there are no perf implications, unless you repeat checks, such as in:

smtpd_client_restrictions =
do_foo

smtpd_helo_restrictions =
do _foo
...

but even then, this is unnoticeable except if you're calling a heavy
weight policy service that recompiles itself at each invocation:)
Post by Jonathan Dill
If you know some address is sending you mainly spam with forged From and
no useful mail, isn't it better to DISCARD to avoid creating backscatter
to a third party?
- when you reject, you don't backscatter. if backscatter is, then it is
generated by the client mta, which should not be your problem.

- discard is irresponsible, unless you are 200% certain to only discard
a bad mail. and in general, you can't. Quarantine if you want, but no
discard and no bounce. of course, recipients may do whatever they want
with mail they receive.
mouss
2006-04-07 20:43:40 UTC
Permalink
Post by Pascal Maes
You're right and REJECT will do the job,
but I wonder why DISCARD is not working.
If you have an idea (I have also posted an extract of the logfiles).
just speculating: mailscanner interaction?
Pascal Maes
2006-04-08 07:14:29 UTC
Permalink
Post by mouss
Post by Pascal Maes
You're right and REJECT will do the job,
but I wonder why DISCARD is not working.
If you have an idea (I have also posted an extract of the logfiles).
just speculating: mailscanner interaction?
No.
The access file is used at the first instance of Postfix,
before the use of greylisting and mailscanner.
The DISCARD should happen at the same time as the REJECT

--
Pascal
Andreas Winkelmann
2006-04-08 08:25:50 UTC
Permalink
Post by Pascal Maes
Post by mouss
Post by Pascal Maes
You're right and REJECT will do the job,
but I wonder why DISCARD is not working.
If you have an idea (I have also posted an extract of the logfiles).
just speculating: mailscanner interaction?
No.
The access file is used at the first instance of Postfix,
before the use of greylisting and mailscanner.
How did you include your content-filter? Pre- or Post-Queue? Please show your
Configuration. "postconf -n" and master.cf.
Post by Pascal Maes
The DISCARD should happen at the same time as the REJECT
The DISCARD cannot happen at the same time. How should this work? The first
time when Postfix can Discard a Mail is, when Postfix has taken it complete
from the Client, not before. If Postfix aborts the Connection before, the
Client will try to send the Mail again and again...

<Connect>
HELO xxx
MAIL FROM: yyy
RCP TO: zzz
DATA
<DATA>
.
<OK from Postfix>
<Here is the first moment where Postfix can Discard a Mail>

The REJECT can happen somewhere between <Connect> and OK.
--
Andreas
Pascal Maes
2006-04-08 09:12:12 UTC
Permalink
Post by Andreas Winkelmann
Post by Pascal Maes
Post by mouss
Post by Pascal Maes
You're right and REJECT will do the job,
but I wonder why DISCARD is not working.
If you have an idea (I have also posted an extract of the
logfiles).
just speculating: mailscanner interaction?
No.
The access file is used at the first instance of Postfix,
before the use of greylisting and mailscanner.
How did you include your content-filter? Pre- or Post-Queue? Please show your
Configuration. "postconf -n" and master.cf.
main.cf (extract)

hash_queue_depth = 1
hash_queue_names = deferred defer incoming hold

header_checks = regexp:/etc/postfix/header_checks

smtpd_restriction_classes =
greylist_policy

# Greylisting
greylist_policy = check_policy_service inet:127.0.0.1:2525

smtpd_recipient_restrictions =
reject_non_fqdn_recipient
reject_non_fqdn_sender
warn_if_reject reject_unknown_recipient_domain
check_recipient_access hash:/etc/postfix/protected_destinations
check_recipient_access hash:/etc/postfix/rules/ucllouvain
check_sender_access hash:/etc/postfix/access
permit_mynetworks
permit_sasl_authenticated
reject_unlisted_recipient
reject_unauth_destination
reject_unknown_recipient_domain
check_recipient_access hash:/etc/postfix/greylisting
permit_auth_destination
reject_multi_recipient_bounce
reject

unknown_local_recipient_reject_code = 550

-----------

/etc/postfix/header_checks


/^Received:/ HOLD
/^From: (.*)/ WARN "Mail From: $1"
/^To: (.*)/ WARN "Mail To: $1"
/^Cc: (.*)/ WARN "Mail Cc: $1"
/^Bcc: (.*)/ WARN "Mail Cc: $1

-----------

master.cf (extract)

smtp inet n - n - - smtpd
-o smtpd_proxy_filter=127.0.0.1:10025
-o smtpd_client_connection_count_limit=100

127.0.0.1:10026 inet n - n - 16 smtpd
-o content_filter=
-o receive_override_options=no_unknown_recipient_checks
-o smtpd_helo_restrictions=
-o smtpd_client_restrictions=
-o smtpd_sender_restrictions=
-o smtpd_recipient_restrictions=permit_mynetworks,reject
-o mynetworks_style=host
-o smtpd_authorized_xforward_hosts=127.0.0.0/8

--
Pascal
mouss
2006-04-08 19:53:06 UTC
Permalink
Post by Pascal Maes
Post by Andreas Winkelmann
Post by Pascal Maes
Post by mouss
Post by Pascal Maes
You're right and REJECT will do the job,
but I wonder why DISCARD is not working.
If you have an idea (I have also posted an extract of the logfiles).
just speculating: mailscanner interaction?
No.
The access file is used at the first instance of Postfix,
before the use of greylisting and mailscanner.
How did you include your content-filter? Pre- or Post-Queue? Please show your
Configuration. "postconf -n" and master.cf.
main.cf (extract)
- configure your DISCARD rule.
- use postconf -n to get the config used by postfix (main.cf may be
different). => post the results
- test with postmap -q => post the results
- send a message that should trigger the discard
- post the corresponding logs => post these
Pascal Maes
2006-04-09 06:25:02 UTC
Permalink
Post by mouss
Post by Pascal Maes
Post by Andreas Winkelmann
Post by Pascal Maes
Post by mouss
Post by Pascal Maes
You're right and REJECT will do the job,
but I wonder why DISCARD is not working.
If you have an idea (I have also posted an extract of the
logfiles).
just speculating: mailscanner interaction?
No.
The access file is used at the first instance of Postfix,
before the use of greylisting and mailscanner.
How did you include your content-filter? Pre- or Post-Queue?
Please show your
Configuration. "postconf -n" and master.cf.
main.cf (extract)
- configure your DISCARD rule.
- use postconf -n to get the config used by postfix (main.cf may be
different). => post the results
- test with postmap -q => post the results
- send a message that should trigger the discard
- post the corresponding logs => post these
Well not necessary, found this in the logfile :

Apr 9 08:23:37 smtp-3 postfix/smtpd[20408]: warning: access table
hash:/etc/postfix/access: with smtpd_proxy_filter specified, action
DISCARD is unavailable


--
Pascal

Continue reading on narkive:
Loading...