From: Curt LeCaptain (no email)
Date: Thu Feb 01 2007 - 12:24:00 EST
-----Original Message-----
From: [mailto:] On Behalf Of Sheldon T. Hall
Sent: Thursday, February 01, 2007 11:17 AM
To:
Subject: RE: Looking to bypass blackhole lists for certain users
Quoth Curt LeCaptain ...
> Here's what I'm looking at doing:
>
> For specific addresses on the server, I'd like to have anyone be able
> to send mail to them and bypass blackhole list checks. My assumption
> (it may be wrong) is the following config for
> smtpd_recipient_restrictions
>
> smtpd_recipient_restrictions = permit_mynetworks
> check_sender_access = hash:/etc/postfix/spamfriends <-----Line in question
> permit_sasl_authenticated
> check_client_access hash:/etc/postfix/pop-before-smtp
> reject_unauth_pipelining
> reject_non_fqdn_hostname
> reject_non_fqdn_sender
> reject_non_fqdn_recipient
> reject_unknown_sender_domain
> reject_unknown_recipient_domain
> reject_unauth_destination
> reject_rbl_client combined.njabl.org
> reject_rbl_client bl.spamcop.net
> reject_rbl_client list.dsbl.org
> reject_rbl_client zen.spamhaus.org
> permit
>
> My spamfriends hash table is the following:
>
> OK
> OK
That makes you an open relay for anyone _claiming_ to be one of the
senders in your spamfriends whitelist.
It would be better to minimize the potential damage by putting
"check_sender_access = hash:/etc/postfix/spamfriends" immediately before
your first blacklist, after all the other checks. In any case, be sure
to have "reject_unauth_destination" before your whitelist.
-Shel
Alright, here's my next question, then.
Here's my fixed edition:
smtpd_recipient_restrictions = permit_mynetworks
permit_sasl_authenticated
check_client_access hash:/etc/postfix/pop-before-smtp
reject_unauth_pipelining
reject_non_fqdn_hostname
reject_non_fqdn_sender
reject_non_fqdn_recipient
reject_unknown_sender_domain
reject_unknown_recipient_domain
reject_unauth_destination
check_sender_access hash:/etc/postfix/spamfriends
reject_rbl_client combined.njabl.org
reject_rbl_client bl.spamcop.net
reject_rbl_client list.dsbl.org
reject_rbl_client zen.spamhaus.org
permit
When I test from an IP address I know gets blocked by combined.njabl.org
to the rcpt to:<>, I'm still being rejected by the
blackhole list, as if it's ignoring the OK. Am I missing something
more?
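The ordering point in Shel's reply, and the rejection Curt reports in his follow-up, can both be reproduced with a small Python model of how Postfix walks smtpd_recipient_restrictions. This is an added example, not code from the original thread or from Postfix itself: each restriction returns PERMIT, REJECT or DUNNO, and the first non-DUNNO verdict ends the walk, which is how Postfix treats an OK or REJECT hit in an access map. The IP addresses, the example.com domain and the spamfriends entries are constructed stand-ins; the model assumes, as the first message states, that the spamfriends entries are the server's own addresses that anyone should be able to mail. It also puts check_recipient_access beside check_sender_access, because the two look up different envelope fields (RCPT TO versus MAIL FROM), and that difference is what decides whether a table of local recipient addresses can ever match.

```python
"""Simplified model of Postfix smtpd_recipient_restrictions evaluation.

Added example; not Postfix code.  Each restriction returns PERMIT, REJECT
or DUNNO, and the first non-DUNNO verdict ends the walk, which is how
Postfix treats an OK or REJECT hit in an access map.
"""
from dataclasses import dataclass

PERMIT, REJECT, DUNNO = "PERMIT", "REJECT", "DUNNO"

# Constructed sample data (assumptions, not taken from the original thread).
LOCAL_DOMAINS = {"example.com"}       # stand-in for mydestination
MYNETWORKS = {"192.0.2.10"}           # stand-in for mynetworks
RBL_LISTED_IPS = {"198.51.100.7"}     # stand-in for a combined.njabl.org listing
# The spamfriends table: local addresses that anyone should be able to mail.
SPAMFRIENDS = {"sales@example.com": "OK", "support@example.com": "OK"}


@dataclass(frozen=True)
class Envelope:
    client_ip: str   # connecting client
    sender: str      # MAIL FROM, chosen freely by the remote client
    recipient: str   # RCPT TO


def permit_mynetworks(e):
    return PERMIT if e.client_ip in MYNETWORKS else DUNNO


def reject_unauth_destination(e):
    # Refuse relaying to domains this server is not responsible for.
    return DUNNO if e.recipient.rsplit("@", 1)[-1] in LOCAL_DOMAINS else REJECT


def check_sender_access(e):
    # Keyed on MAIL FROM: a forged sender can match a whitelisted entry.
    return PERMIT if SPAMFRIENDS.get(e.sender) == "OK" else DUNNO


def check_recipient_access(e):
    # Keyed on RCPT TO: matches the local mailbox being delivered to.
    return PERMIT if SPAMFRIENDS.get(e.recipient) == "OK" else DUNNO


def reject_rbl_client(e):
    return REJECT if e.client_ip in RBL_LISTED_IPS else DUNNO


def permit(e):
    return PERMIT


def evaluate(restrictions, envelope):
    """Walk the list in order; return (verdict, restriction that decided)."""
    for restriction in restrictions:
        verdict = restriction(envelope)
        if verdict != DUNNO:
            return verdict, restriction.__name__
    return PERMIT, "end_of_list"   # nothing rejected: Postfix permits


# Whitelist ahead of reject_unauth_destination, as in the first config posted.
WHITELIST_BEFORE_RELAY_CHECK = [
    permit_mynetworks, check_sender_access, reject_unauth_destination,
    reject_rbl_client, permit,
]
# Whitelist moved after reject_unauth_destination, as in the fixed config.
SENDER_WHITELIST_AFTER_RELAY_CHECK = [
    permit_mynetworks, reject_unauth_destination, check_sender_access,
    reject_rbl_client, permit,
]
# Same placement, but keyed on the recipient, which is what the table lists.
RECIPIENT_WHITELIST_AFTER_RELAY_CHECK = [
    permit_mynetworks, reject_unauth_destination, check_recipient_access,
    reject_rbl_client, permit,
]

# Constructed sessions, all from a client listed in the stand-in RBL.
RELAY_ATTEMPT = Envelope("198.51.100.7", "sales@example.com", "victim@example.net")
INBOUND_TO_FRIEND = Envelope("198.51.100.7", "someone@example.org", "sales@example.com")
INBOUND_TO_OTHER = Envelope("198.51.100.7", "someone@example.org", "bob@example.com")

if __name__ == "__main__":
    lists = [("whitelist before relay check", WHITELIST_BEFORE_RELAY_CHECK),
             ("sender whitelist after relay check", SENDER_WHITELIST_AFTER_RELAY_CHECK),
             ("recipient whitelist after relay check", RECIPIENT_WHITELIST_AFTER_RELAY_CHECK)]
    sessions = [("relay attempt", RELAY_ATTEMPT), ("inbound to friend", INBOUND_TO_FRIEND),
                ("inbound to other", INBOUND_TO_OTHER)]
    for label, lst in lists:
        for name, env in sessions:
            print(f"{label:38} {name:18} -> {evaluate(lst, env)}")
```

Run as a script, the first list lets the relay attempt through on check_sender_access, which is the open relay Shel describes; the second list stops that attempt at reject_unauth_destination but rejects the inbound message to a whitelisted address at reject_rbl_client, because the table is being consulted with the remote MAIL FROM and never matches; the third list permits mail to the whitelisted recipient while still RBL-checking mail to every other local address. The model leaves out Postfix's other restriction lists and the DNS lookups behind reject_rbl_client, and with a real hash: table the file must be rebuilt with postmap after every edit before the new entries are visible to smtpd.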