Re: Whitelisting Redux

From: Jorey Bump (no email)
Date: Tue May 01 2007 - 08:44:51 EDT

  • Next message: Wietse Venema: "PATCH (lost connection with domain while...)"

    Dennis Putnam wrote:
    >
    > On Apr 30, 2007, at 2:15 PM, Jorey Bump wrote:
    >>
    >> I prefer to put my RBLs at the end of smtpd_recipient_restrictions and
    >> exempt anything I need before it (also in
    >> smtpd_recipient_restrictions). I don't change the other
    >> smtpd_*_restrictions from their defaults, but if I did, I'd try to use
    >> them only for obvious rejections. This is a matter of taste. I
    >> typically use this configuration:
    >>
    >> smtpd_recipient_restrictions =
    >> reject_non_fqdn_sender
    >> reject_unlisted_sender
    >> reject_unknown_sender_domain
    >> reject_unknown_recipient_domain
    >> reject_unlisted_recipient
    >> permit_mynetworks
    >> permit_sasl_authenticated
    >> reject_unauth_destination
    >> check_helo_access pcre:/etc/postfix/helo
    >> check_sender_access hash:/etc/postfix/sender
    >> reject_rbl_client rbl1.example.org
    >> reject_rbl_client rbl2.example.net
    >>
    >
    > I took your advice and modified (best I could as it appears you are
    > using v 2.3, I think mine is 2.1) my main.cf to match. Unfortunately the
    > 'check_sender_access' is still not working.

    You are still using smtpd_client_restrictions, though. Note that my
    example uses smtpd_recipient_restrictions. All you should need to do now
    is change this to smtpd_recipient_restrictions:

    > smtpd_client_restrictions = reject_non_fqdn_sender
    > reject_unknown_sender_domain check_sender_access
    > hash:/etc/postfix/sender_whitelist permit_mynetworks
    > permit_sasl_authenticated reject_unauth_destination
    > reject_rbl_client bl.spamcop.net reject_rbl_client
    > dnsbl.sorbs.net reject_rbl_client cbl.abuseat.org
    > reject_rbl_client dnsbl.njabl.org check_client_access
    > hash:/etc/postfix/smtpdreject

    And simply delete or comment out this line:

    > smtpd_recipient_restrictions =
    > permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination,permit

    You might still have a bit of tweaking to do, but this should give you a
    working configuration. Be especially careful with what you put in your
    whitelist. Rejections are easy to manage, but whitelisting can allow
    unauthorized relaying if done improperly.


  • Next message: Wietse Venema: "PATCH (lost connection with domain while...)"





    Hosted Email Solutions

    Invaluement Anti-Spam DNSBLs



    Powered By FreeBSD   Powered By FreeBSD