From 4a93bf47704604d6b96379e88395b3f50882fd26 Mon Sep 17 00:00:00 2001
From: Christoph
Date: Sun, 25 Nov 2018 14:52:07 +0100
Subject: [PATCH] install_postfix_advanced.sh: Don't check greylist for connections from 127.0.0.25 (onion - tor hidden service).
---
 install_postfix_advanced.sh | 23 ++++++++++++++++++++++-
 1 file changed, 22 insertions(+), 1 deletion(-)
diff --git a/install_postfix_advanced.sh b/install_postfix_advanced.sh
index 6c4154d..58cbfae 100755
--- a/install_postfix_advanced.sh
+++ b/install_postfix_advanced.sh
@@ -576,7 +576,17 @@ mydestination =
 ## - privileges than "strangers"
 ## -
 mynetworks =
- 127.0.0.0/8
+ # +++++++++++++++++++++++++++++++++++++
+ # replace 127.0.0.1/8 with 127.0.0.1/32
+ # +++++++++++++++++++++++++++++++++++++
+ # So we can use i.e 127.0.0.25 (or any other 127.x.x.x address)
+ # to bind to hidden tor service on port 25 without having an
+ # open relay
+ #
+ # see also: https://github.com/ehloonion/onionmx/blob/master/open-relay.md
+ #
+ #127.0.0.0/8
+ 127.0.0.1/32
 [::ffff:127.0.0.0]/104
 [::1]/128
 ${IPV4}/32
@@ -1449,6 +1459,17 @@ if [[ ! -f /etc/postfix/greylist_client_access_pcre ]]; then
 # - For clients matching the following rules greylisting check is applied.
 # ---
+# Prevent connections at 127.0.0.25 (onion - tor hidden service) from greylisting
+#
+# Note:
+# - DUNNO: Pretend, that the lookaup key (127.0.0.25) was not found. No further
+# evaluation on this access table is done.
+#
+# - If 'tor hiddenservice' is supported, we bound it to 127.0.0.25 port 25.
+# Since those connections are also marked as 'unknown', key below would match
+# and greylisting would be triggered.
+/127\\.0\\.0\\.25/ DUNNO
+
 # unkown clients
 /^unknown$/ check_greylist
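Review bot: The IPv4-mapped entry `[::ffff:127.0.0.0]/104` on the context line right after the change is left as it was, so the trusted list still names the whole 127.0.0.0/8 range in mapped form while the plain IPv4 entry is narrowed to `127.0.0.1/32`. Whether Postfix ever matches a client against the mapped form depends on how it presents the client address, which this hunk does not show, but narrowing it to `[::ffff:127.0.0.1]/128` would keep the list consistent with the stated goal of not trusting 127.0.0.25. The banner comment also says `127.0.0.1/8` although the entry being replaced is `127.0.0.0/8`; I would write `# replace 127.0.0.0/8 with 127.0.0.1/32`. The mynetworks block starts and ends outside the hunk.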
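Review bot: The added pattern `/127\\.0\\.0\\.25/` is unanchored, so it returns DUNNO for any lookup key that merely contains that string, such as a client name that embeds it, and that client would then skip greylisting. The neighbouring rule `/^unknown$/` is anchored; I would write `/^127\\.0\\.0\\.25$/ DUNNO` to match it. Separately, if this table is consulted with the client name before the client address (not visible here), a client named `unknown` would hit `/^unknown$/` first, so it is worth confirming in the mail log that the exemption actually takes effect. The table body continues outside the hunk.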