From: Sheldon T. Hall (no email)
Date: Thu Feb 01 2007 - 12:51:06 EST
Saith Curt LeCaptain ...
> Alright, here's my next question, then.
>
> Here's my fixed edition:
>
> smtpd_recipient_restrictions = permit_mynetworks
>     permit_sasl_authenticated
>     check_client_access hash:/etc/postfix/pop-before-smtp
>     reject_unauth_pipelining
>     reject_non_fqdn_hostname
>     reject_non_fqdn_sender
>     reject_non_fqdn_recipient
>     reject_unknown_sender_domain
>     reject_unknown_recipient_domain
>     reject_unauth_destination
>     check_sender_access hash:/etc/postfix/spamfriends
>     reject_rbl_client combined.njabl.org
>     reject_rbl_client bl.spamcop.net
>     reject_rbl_client list.dsbl.org
>     reject_rbl_client zen.spamhaus.org
>     permit
>
> When I test from an IP address I know gets blocked by combined.njabl.org
> to the rcpt to:<>, I'm still being rejected by the blackhole list, as if
> it's ignoring the OK. Am I missing something more?

I thought you wanted to whitelist _senders_ ... if that's the case, a reject
from "an IP address I know gets blocked by combined.njabl.org to the rcpt
to:<>" doesn't specify the right test criteria. You haven't tested the
whitelisted _sender_, or at least haven't indicated that you have in that
statement.

FWIW, I do the same thing:

smtpd_recipient_restrictions = permit_mynetworks
    reject_unlisted_recipient
    reject_unauth_destination
    reject_non_fqdn_sender
    reject_non_fqdn_recipient
    reject_non_fqdn_hostname
    reject_invalid_hostname
    reject_unknown_sender_domain
    check_sender_access dbm:/etc/postfix/tables/whitelist
    check_sender_access dbm:/etc/postfix/tables/blacklist
    ...
    check_client_access dbm:/etc/postfix/tables/client_whitelist
    check_client_access cidr:/etc/postfix/tables/private_RBL
    check_client_access regexp:/etc/postfix/tables/client_checks
    reject_rbl_client zen.spamhaus.org
    reject_rbl_client bl.spamcop.net
    reject_rbl_client combined.njabl.org
    reject_rbl_client dnsbl.ahbl.org
    permit

... where whitelist and blacklist are hash tables of sender addresses,
client_whitelist is a table of client domains by name, private_RBL is a CIDR
list of networks that have allowed their users to spam us but aren't on a
blacklist we use, and client_checks has regexes that spot dial-up/dsl/cable
clients who shouldn't be mailing us directly.

So, I know it can work.

Did you forget to postmap your spamfriends file?

-Shel
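
The two points raised in this reply (the test has to use the whitelisted envelope sender, and the lookup table has to be rebuilt with postmap) can be seen in a small first-match model of the restriction list. This is an added example, not code from the thread or from Postfix; the addresses, the IPs and the function names are constructed, and only the last three restrictions of the list are modelled.

```python
# Simplified model of first-match evaluation in smtpd_recipient_restrictions.
# Constructed sample data and hypothetical helper names; not Postfix code.

SPAMFRIENDS = {"friend@example.org": "OK"}  # compiled check_sender_access map
RBL_LISTED = {"192.0.2.25"}                 # client IPs a DNSBL would list


def check_sender_access(table):
    def check(session):
        action = table.get(session["sender"].lower())
        if action == "OK":
            return "PERMIT"      # OK ends the list with a permit
        if action == "REJECT":
            return "REJECT"
        return None              # no match: fall through to the next restriction
    return check


def reject_rbl_client(listed):
    def check(session):
        return "REJECT" if session["client_ip"] in listed else None
    return check


def build(sender_table):
    """Restriction list in the order used in the thread (tail end only)."""
    return [
        ("check_sender_access", check_sender_access(sender_table)),
        ("reject_rbl_client", reject_rbl_client(RBL_LISTED)),
        ("permit", lambda session: "PERMIT"),
    ]


def evaluate(restrictions, session):
    """Return (verdict, name of the restriction that decided)."""
    for name, check in restrictions:
        verdict = check(session)
        if verdict is not None:
            return verdict, name
    return "PERMIT", "(end of list)"


if __name__ == "__main__":
    listed_ip = "192.0.2.25"
    friend = {"sender": "friend@example.org", "client_ip": listed_ip}
    other = {"sender": "other@example.net", "client_ip": listed_ip}
    print("whitelisted sender, listed IP:", evaluate(build(SPAMFRIENDS), friend))
    print("other sender, listed IP:      ", evaluate(build(SPAMFRIENDS), other))
    # Entry added to the text file but postmap not re-run: the compiled
    # map that is actually consulted does not contain it yet.
    print("stale map, whitelisted sender:", evaluate(build({}), friend))
```

The second and third cases give the same RBL reject from the same listed IP, so a reject seen in testing does not by itself show that the OK was ignored.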