RE: Looking to bypass blackhole lists for certain users

From: Curt LeCaptain (no email)
Date: Thu Feb 01 2007 - 14:44:09 EST

  • Next message: Mark Martinec: "Re: [offtopic] When is STARTTLS allowed?"


    -----Original Message-----
    From: [mailto:] On Behalf Of Noel Jones
    Sent: Thursday, February 01, 2007 12:04 PM
    To:
    Subject: RE: Looking to bypass blackhole lists for certain users

    At 11:24 AM 2/1/2007, Curt LeCaptain wrote:
    >Alright, here's my next question, then.
    >
    >Here's my fixed edition:
    >
    >smtpd_recipient_restrictions = permit_mynetworks
    > permit_sasl_authenticated
    > check_client_access hash:/etc/postfix/pop-before-smtp
    > reject_unauth_pipelining
    > reject_non_fqdn_hostname
    > reject_non_fqdn_sender
    > reject_non_fqdn_recipient
    > reject_unknown_sender_domain
    > reject_unknown_recipient_domain
    > reject_unauth_destination
    > check_sender_access hash:/etc/postfix/spamfriends
    > reject_rbl_client combined.njabl.org
    > reject_rbl_client bl.spamcop.net
    > reject_rbl_client list.dsbl.org
    > reject_rbl_client zen.spamhaus.org
    > permit
    >
    >When I test from an IP address I know gets blocked by
    >combined.njabl.org to the rcpt to:<>, I'm still being
    >rejected by the blackhole list, as if it's ignoring the OK. Am I
    >missing something more?

    You need to do it like so:
    smtpd_recipient_restrictions =
    # first, permit authorized relaying
       permit_mynetworks
       permit_sasl_authenticated
       check_client_access hash:/etc/postfix/pop-before-smtp
    # prevent anyone else from relaying
       reject_unauth_destination
    # whitelist buddies. Note it's generally preferred to whitelist
    # by client IP rather than sender mail address
       check_sender_access hash:/etc/postfix/spamfriends
       check_client_access hash:/etc/postfix/client_whitelist
    # UCE controls applied to everyone else
       reject_non_fqdn_hostname
       reject_non_fqdn_sender
       reject_non_fqdn_recipient
       reject_unknown_sender_domain
       reject_rbl_client combined.njabl.org
       reject_rbl_client bl.spamcop.net
       reject_rbl_client list.dsbl.org
       reject_rbl_client zen.spamhaus.org
       permit

    Note: it's generally unwise to use "reject_unknown_recipient_domain"
    on a general purpose MTA - all it can possibly do here is reject your
    own mail if your DNS has a hiccup. It's intended to be used on an MSA
    *before* permit_mynetworks and friends to prevent local users from
    sending to invalid domains - even then it might not work well as some
    MUA's give rather cryptic error messages when a submission is rejected.

    Note2: reject_unauth_pipelining is not effective in
    smtpd_recipient_restrictions. Use it in smtpd_data_restrictions
    instead.

    If you still can't get this to work, show "postconf -n" output and the
    log entry showing the rejection.

    -- 
    Noel Jones 

    Postconf -n output:
    alias_database = hash:/etc/aliases
    alias_maps = hash:/etc/aliases
    broken_sasl_auth_clients = yes
    command_directory = /usr/sbin
    config_directory = /etc/postfix
    daemon_directory = /usr/lib/postfix
    debug_peer_level = 2
    disable_dns_lookups = no
    disable_vrfy_command = yes
    header_checks = regexp:/etc/postfix/header_checks
    html_directory = no
    inet_interfaces = all
    local_recipient_maps = proxy:unix:passwd.byname $alias_maps $virtual_mailbox_domains
    mail_owner = postfix
    mail_spool_directory = /var/spool/mail
    mailbox_command = /usr/bin/procmail -f- -a "$USER"
    mailbox_size_limit = 0
    mailq_path = /usr/bin/mailq
    manpage_directory = /usr/local/man
    message_size_limit = 10240000
    mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
    mydomain = example.com
    myhostname = mail.example.com
    mynetworks = /etc/postfix/networks
    mynetworks_style = subnet
    myorigin = $mydomain
    newaliases_path = /usr/bin/newaliases
    queue_directory = /var/spool/postfix
    readme_directory = no
    relay_domains = $mydestination
    sample_directory = /etc/postfix
    sendmail_path = /usr/sbin/sendmail
    setgid_group = postdrop
    smtp_use_tls = no
    smtpd_banner = $myhostname ESMTP $mail_name
    smtpd_data_restrictions = reject_unauth_pipelining permit
    smtpd_helo_required = yes
    smtpd_helo_restrictions = permit_mynetworks
        reject_unknown_hostname
        reject_invalid_hostname
        reject_non_fqdn_hostname
    smtpd_recipient_restrictions = permit_mynetworks
        permit_sasl_authenticated
        check_client_access hash:/etc/postfix/pop-before-smtp
        reject_unauth_destination
        check_sender_access hash:/etc/postfix/spamfriends
        reject_non_fqdn_hostname
        reject_non_fqdn_sender
        reject_non_fqdn_recipient
        reject_unknown_sender_domain
        check_sender_access hash:/etc/postfix/spamfriends
        reject_rbl_client combined.njabl.org
        reject_rbl_client bl.spamcop.net
        reject_rbl_client list.dsbl.org
        reject_rbl_client zen.spamhaus.org
        permit
    smtpd_sasl_auth_enable = yes
    smtpd_sasl_local_domain = $myhostname
    smtpd_sasl_security_options = noanonymous
    smtpd_sender_restrictions = reject_rhsbl_sender dsn.rfc-ignorant.org
        check_sender_access hash:/etc/postfix/spammers
        reject_non_fqdn_sender
    smtpd_use_tls = no
    unknown_local_recipient_reject_code = 550
    virtual_alias_domains = /etc/postfix/domains
    virtual_alias_maps = hash:/etc/postfix/virtual

    Log Entry:
    Feb  1 13:37:36 admin postfix/smtpd[24392]: connect from CPE-ip-add-re-ss.new.res.rr.com[ip.add.re.ss]
    Feb  1 13:37:48 admin postfix/smtpd[24392]: NOQUEUE: reject: RCPT from CPE-ip-add-re-ss.new.res.rr.com[ip.add.re.ss]: 554 Service unavailable; Client host [ip.add.re.ss] blocked using combined.njabl.org; Dynamic/Residential IP range listed by NJABL dynablock - http://njabl.org/dynablock.html; from=<> to=<> proto=SMTP helo=<itol.com>
    Feb  1 13:37:51 admin postfix/smtpd[24392]: disconnect from CPE-ip-add-re-ss.new.res.rr.com[ip.add.re.ss]

    The following line also appears, and it's to be fixed this Sunday, due to the way our scripts are written right now for our old server.

    Feb  1 13:37:48 admin postfix/trivial-rewrite[24395]: warning: do not list domain example.com in BOTH mydestination and virtual_alias_domains

    I'm still having issues. Again, here's what my spamfriends file looks like (and yes, I've run postmap on the file and restarted Postfix):
    	OK
    	OK
    Thanks,
    Curt
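Added worked example (not code from the thread, from Noel, or from Postfix): a small Python model of how an smtpd_recipient_restrictions list is evaluated, first OK or REJECT wins, DUNNO falls through. The tables, IP addresses and DNSBL answers are constructed stand-ins, and the table name client_whitelist is taken from Noel's reply. Two details the model makes visible: for MAIL FROM:<> (the from=<> in the log line above) Postfix looks up the key "<>" in check_sender_access tables (smtpd_null_access_lookup_key), so a spamfriends entry for an ordinary address cannot match that test, while a client-IP whitelist does; and a whitelist placed ahead of reject_unauth_destination turns the MTA into an open relay for anyone who spoofs a whitelisted sender.

```python
"""Toy first-match evaluator for a Postfix smtpd_recipient_restrictions list.

Illustration only: it models the handful of restrictions needed to show why a
sender whitelist does not fire for MAIL FROM:<> and why whitelists must sit
after reject_unauth_destination. All tables and addresses are constructed.
"""
import ipaddress

MYNETWORKS = [ipaddress.ip_network("192.168.1.0/24")]   # assumed contents of /etc/postfix/networks
MY_DESTINATIONS = {"example.com", "mail.example.com"}   # mydestination from the postconf output
POP_BEFORE_SMTP = {}                                    # hash:/etc/postfix/pop-before-smtp (empty here)
SPAMFRIENDS = {"friend@partner.example": "OK"}          # hash:/etc/postfix/spamfriends (constructed)
CLIENT_WHITELIST = {"203.0.113.7": "OK"}                # hash:/etc/postfix/client_whitelist (Noel's name)
RBL_ANSWERS = {"combined.njabl.org": {"203.0.113.7"}}   # constructed: IPs the zone would list

# Key Postfix looks up for an empty sender (smtpd_null_access_lookup_key default).
NULL_SENDER_KEY = "<>"


def _apply(name, arg, env):
    """Return OK, REJECT or DUNNO for one restriction, mirroring Postfix semantics."""
    if name == "permit":
        return "OK"
    if name == "permit_mynetworks":
        addr = ipaddress.ip_address(env["client"])
        return "OK" if any(addr in net for net in MYNETWORKS) else "DUNNO"
    if name == "permit_sasl_authenticated":
        return "OK" if env["sasl"] else "DUNNO"
    if name == "check_client_access":
        # Real Postfix also tries the client hostname, parent domains and address prefixes.
        return arg.get(env["client"], "DUNNO")
    if name == "check_sender_access":
        # Real Postfix also tries the bare domain and localpart@; the null sender maps to "<>".
        return arg.get(env["sender"] or NULL_SENDER_KEY, "DUNNO")
    if name == "reject_unauth_destination":
        domain = env["rcpt"].rpartition("@")[2].lower()
        return "DUNNO" if domain in MY_DESTINATIONS else "REJECT"
    if name == "reject_rbl_client":
        return "REJECT" if env["client"] in RBL_ANSWERS.get(arg, set()) else "DUNNO"
    raise ValueError(f"restriction not modelled: {name}")


def evaluate(restrictions, client, sender, rcpt, sasl=False):
    """Walk the list; the first OK or REJECT decides. DUNNO at the end means accept."""
    env = {"client": client, "sender": sender, "rcpt": rcpt, "sasl": sasl}
    for name, label, arg in restrictions:
        verdict = _apply(name, arg, env)
        if verdict != "DUNNO":
            return verdict, f"{name} {label}".strip()
    return "OK", "end of list"


# Curt's posted order, reduced to the restrictions the model implements.
CURT_ORDER = [
    ("permit_mynetworks", "", None),
    ("permit_sasl_authenticated", "", None),
    ("check_client_access", "hash:/etc/postfix/pop-before-smtp", POP_BEFORE_SMTP),
    ("reject_unauth_destination", "", None),
    ("check_sender_access", "hash:/etc/postfix/spamfriends", SPAMFRIENDS),
    ("reject_rbl_client", "combined.njabl.org", "combined.njabl.org"),
    ("permit", "", None),
]
# Noel's order: a client-IP whitelist between the sender whitelist and the RBL checks.
NOEL_ORDER = CURT_ORDER[:5] + [
    ("check_client_access", "hash:/etc/postfix/client_whitelist", CLIENT_WHITELIST),
] + CURT_ORDER[5:]
# A wrong order: the sender whitelist ahead of reject_unauth_destination.
BAD_ORDER = CURT_ORDER[:3] + CURT_ORDER[4:5] + CURT_ORDER[3:4] + CURT_ORDER[5:]

LISTED_IP = "203.0.113.7"      # constructed: listed by the DNSBL and present in client_whitelist
LOCAL_RCPT = "user@example.com"


def curt_test_with_null_sender():
    """Curt's test (from=<>): key "<>" is not in spamfriends, so the RBL check is reached."""
    return evaluate(CURT_ORDER, LISTED_IP, "", LOCAL_RCPT)


def curt_order_with_friend_sender():
    """Same config, but with a sender that is actually in spamfriends."""
    return evaluate(CURT_ORDER, LISTED_IP, "friend@partner.example", LOCAL_RCPT)


def noel_order_with_null_sender():
    """Noel's order: the client-IP whitelist permits regardless of sender."""
    return evaluate(NOEL_ORDER, LISTED_IP, "", LOCAL_RCPT)


def relay_attempt(order):
    """Unauthenticated client spoofing a whitelisted sender to a foreign domain."""
    return evaluate(order, "198.51.100.9", "friend@partner.example", "someone@elsewhere.example")


if __name__ == "__main__":
    for fn in (curt_test_with_null_sender, curt_order_with_friend_sender, noel_order_with_null_sender):
        print(f"{fn.__name__}: {fn()}")
    print("relay attempt, Noel's order:", relay_attempt(NOEL_ORDER))
    print("relay attempt, bad order:   ", relay_attempt(BAD_ORDER))
```

On a real server the equivalent check is `postmap -q "<>" hash:/etc/postfix/spamfriends` and `postmap -q ip.add.re.ss hash:/etc/postfix/client_whitelist`: whichever key the test session actually presents is the one that has to return OK before the first reject_rbl_client is reached.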