4

I would like to use postfwd version 2 to limit the amount of daily mail sent by my sasl authenticated users.

I installed the latest tarball, postfwd-1.35, with the latest Postfix from CentOS 6.4.

In my postfwd configuration I have only this rule

id=RULEZEROSASL
  sasl_username=~/^(\S+)$/
  action=rcpt(sasl_username/500/86400/REJECT only 500 recipients per day for $$sasl_username) 

which should reject only mail with authenticated users (not mail from trusted mailservers).

My postfwd2 listens on tcp 10045 and in my postfix main.cf I have

# Restriction Classes
smtpd_restriction_classes       = postfwdcheck
postfwdcheck                    = check_policy_service inet:127.0.0.1:10045
127.0.0.1:10045_time_limit      = 3600

...

smtpd_recipient_restrictions =
        permit_mynetworks
        permit_sasl_authenticated
        permit_tls_clientcerts
        reject_unauth_destination
        check_recipient_access  hash:/etc/postfix/access
        reject_invalid_helo_hostname
# postfwd with rate limiting
        check_policy_service inet:127.0.0.1:10045
        warn_if_reject reject_non_fqdn_helo_hostname
        warn_if_reject reject_unknown_helo_hostname
        warn_if_reject reject_unknown_client
        reject_non_fqdn_sender
        reject_non_fqdn_recipient
        reject_unknown_sender_domain
        reject_unknown_recipient_domain
        warn_if_reject reject_unverified_sender
        reject_unverified_recipient
        reject_rbl_client zen.spamhaus.org
        permit  

in /etc/postfix/policy

.   postfwdcheck

I see no rule-matching entries in the log, and the command

postfwd2 -vv --dumpcache -f /etc/postfwd.cf

shows the request number

[STATS] postfwd2::policy 1.35: **5** requests since 0 days, 01:05:31 hours

increasing only for manual tests done with:

 nc 127.0.0.1 10045 <request.sample

Any idea why postfwd is not engaged by postfix?

golemwashere
  • If a restriction class returns an OK, it terminates there. So it's probably stopping on `permit_mynetworks`, or `permit_sasl_authenticated`. – NickW Apr 26 '13 at 14:22
  • 1
    I think you might have more luck putting it in `smtpd_relay_restrictions` as the first entry. – NickW Apr 26 '13 at 14:32
  • ehm, my actual conf is: smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination. Shall I add a check_policy_service inet:127.0.0.1:10045 on top? – golemwashere Apr 26 '13 at 14:47
  • 1
    I don't know, if it's not a production system, I'd say yes :) but put it after `permit_mynetworks`. – NickW Apr 26 '13 at 14:56

2 Answers

4

Postfix restriction classes can return three answers: OK, REJECT or DUNNO. Usually they have (OK, DUNNO) or (REJECT, DUNNO), because of the way that Postfix functions. DENY and OK mean the rest of the checks are ignored; DUNNO means go on to the next check.

So, in your case, permit_mynetworks or permit_sasl_authenticated is returning OK, so it does not check further under smtpd_recipient_restrictions, though you could place it in another restriction class, which will then first have to return OK for the mail to be forwarded.

NickW
  • I had good luck just moving check_policy_service inet:127.0.0.1:10045 above permit_sasl_authenticated in smtpd_recipient_restrictions... Now I have this problem: I always get an empty counter: postfwd2/policy[6968]: [RULES] rule=0, id=RULEZEROSASL, client=unknown[x.y.z.w], user=myuser@mydomain.com, sender=, recipient=, helo=, proto=ESMTP, state=RCPT, ignoring empty counter – golemwashere Apr 26 '13 at 15:01
  • Here I'm a little less sure.. it seems like postfwd isn't catching anything with that regex. – NickW Apr 26 '13 at 15:10
  • Try using the `sasl_username=` field by itself? Comment out the regex. – NickW Apr 26 '13 at 15:15
  • do you have any example of a working regexp to match any non empty sasl user? – golemwashere Apr 26 '13 at 15:15
  • BTW empty regexp : no luck and lotsa ignoring empty counter – golemwashere Apr 26 '13 at 15:17
  • What does the field look like exactly? From the headers... – NickW Apr 26 '13 at 15:19
  • I'm guessing you should only try and match the username itself, maybe [a-z]{3,40}. It's been too long since I've written PCRE with any frequency. – NickW Apr 26 '13 at 15:25
  • mmm, it looks like the sasl user does not get into the outgoing email headers but into my maillog; postfwd correctly logs the sasl user in the user= field if I use the sasl_username=~/^(\S+)$/ regexp -------------------------------- Apr 26 16:57:34 mailout04 postfwd2/policy[6970]: [RULES] rule=0, id=RULEZEROSASL, client=unknown[x.y.z.w], user=user@domain.com, sender=, recipient=, helo=, proto=ESMTP, state=RCPT, ignoring empty counter ------------- – golemwashere Apr 26 '13 at 15:26
  • Add this to your main.cf `smtpd_sasl_authenticated_header = yes` – NickW Apr 26 '13 at 15:31
  • maybe counters are not really written into a temporary file or something.... the issue is I have no evident error in the logs – golemwashere Apr 26 '13 at 15:33
  • Did you add the option to main.cf? – NickW Apr 26 '13 at 15:34
  • Ok now I have an Authenticated sender: name@domain.com in my outgoing headers... I have sasl senders logged as user=xxx in maillogs but always state=RCPT, ignoring empty counter – golemwashere Apr 26 '13 at 15:40
  • You may want to ask the guys on the postfwd list: http://listi.jpberlin.de/mailman/listinfo/postfwd-users they'll probably be able to get you a result quicker :) – NickW Apr 26 '13 at 15:42
  • No problems.. remember to do the same when you can :) – NickW Apr 26 '13 at 15:46
  • at the end it did work: I just used in main.cf -------------------------------------- smtpd_data_restrictions = reject_unauth_pipelining, reject_multi_recipient_bounce, check_policy_service inet:127.0.0.1:10045, permit ----------------------- and the cache just took a while to populate counters... – golemwashere Apr 28 '13 at 09:18
  • Great! Glad you got it going! – NickW Apr 29 '13 at 08:08
1

You should not use "smtpd_recipient_restrictions" for an "action=rcpt(...)", as it needs to know the recipient_count attribute. From the man page:

 rcpt (<item>/<max>/<time>/<action>) 
   this command works similar to the rate() command with the difference,
   that the rate counter is increased by the request's recipient_count
   attribute. to do this reliably you should call postfwd from 
   smtpd_data_restrictions or smtpd_end_of_data_restrictions. if you want
   to be sure, you could check it within the ruleset:
      # recipient count limit 3 per hour per client
      id=RCPT01 ;  protocol_state==END-OF-MESSAGE ;  client_address!=10.1.1.1
         action=rcpt(client_address/3/3600/450 4.7.1 sorry, max 3 recipients per hour)

So, if you use "check_policy_service inet:127.0.0.1:10045" in smtpd_data_restrictions instead, it will work. Hope so.

Javi M.
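Both answers come down to two mechanisms: Postfix stops walking a restriction list at the first OK or REJECT, and postfwd's rcpt() counter only grows by the request's recipient_count, which is incomplete before DATA. The following is an added Python model of those two points, not code from postfwd or Postfix; RcptLimit, evaluate, parse_request, the sample requests and user@example.com are all made up for the illustration.

```python
# Added example (not postfwd's or Postfix's code): a Python model of the two
# mechanisms this thread turns on. RcptLimit and the sample requests are made up.
from collections import defaultdict

# Constructed policy-delegation requests in the attribute=value form that
# `nc 127.0.0.1 10045 < request.sample` sends. At the RCPT stage recipient_count
# does not yet include the current recipient (0 for the first one); it is only
# complete after DATA (state END-OF-MESSAGE).
RCPT_REQUEST = """request=smtpd_access_policy
protocol_state=RCPT
sasl_username=user@example.com
recipient_count=0
"""
EOM_REQUEST = RCPT_REQUEST.replace("RCPT", "END-OF-MESSAGE").replace("count=0", "count=3")

def parse_request(text):
    """One attribute per line; a blank line ends the request."""
    return dict(line.split("=", 1) for line in text.splitlines() if line)

class RcptLimit:
    """Stand-in for action=rcpt(sasl_username/limit/86400/REJECT ...)."""
    def __init__(self, limit=500):
        self.limit, self.counts = limit, defaultdict(int)

    def check(self, req):
        n = int(req.get("recipient_count", 0))
        if n == 0:  # the situation postfwd logs as "ignoring empty counter"
            return "DUNNO"
        self.counts[req["sasl_username"]] += n
        return "REJECT" if self.counts[req["sasl_username"]] > self.limit else "DUNNO"

# Restrictions: each returns OK, REJECT or DUNNO like a Postfix smtpd restriction.
def permit_sasl_authenticated(req, policy):
    return "OK" if req.get("sasl_username") else "DUNNO"

def check_policy_service(req, policy):
    return policy.check(req)

def evaluate(restrictions, req, policy):
    """Walk the list the way smtpd does: the first OK or REJECT ends it."""
    for r in restrictions:
        verdict = r(req, policy)
        if verdict != "DUNNO":
            return r.__name__, verdict
    return "end_of_list", "DUNNO"
```

With the policy check listed after permit_sasl_authenticated it is never reached for a SASL client; listed first but queried at the RCPT stage it sees an empty counter; queried at END-OF-MESSAGE the counter grows by recipient_count and the limit is enforced.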