Re: Whitelisting Redux

From: Dennis Putnam (no email)
Date: Tue May 01 2007 - 10:49:47 EDT

  • Next message: Peter Rabbitson: "smtp_connection_cache_on_demand"

    On May 1, 2007, at 10:06 AM, Jorey Bump wrote:
    >
    > Then don't do that. :)

    :-)

    >
    > I'm not sure why you're removing permit_sasl_authenticated, but if
    > you don't need it, no harm done.

    I thought that was what you suggested I do.

    >
    > It appears your whitelist is not being consulted. Be sure to issue
    > a 'postfix reload' after editing main.cf.

    I do/did. Why would the white list not be consulted?

    >
    > Okay, looks good.

    Except it doesn't work. :-)

    >
    > Put permit_sasl_authenticated back before permit_mynetworks in
    > smtpd_recipient_restrictions, if you are using authentication for
    > submission via port 25.

    It seems to be working without it but I will. In any case this is not
    affecting the white list is it?

    >
    > This looks fine. Be sure to run 'postmap sender_whitelist' in /etc/
    > postfix, and check your log to be sure there are no associated errors.

    Done.

    >
    > I've duplicated your configuration (easy, since you've nearly
    > duplicated mine), and it works for me (my residential IP is in one
    > of the RBLs, and I can now send from my home computer using the
    > same format you're using). At this point, you'll need to check your
    > logs for clues, but I'll save you some searching:
    >
    > !=

    I missed that detail. I didn't think it used the FROM field since
    that is easily spoofed. The difference is whether the mail originated
    on a Linux box or Windows box. The bad news is that when I add that
    to my white list it still doesn't work.

    >
    > If you want to keep things simple, use this in sender_whitelist:
    >
    > bellsouth.net permit_auth_destination
    >
    > That's safe enough, but it means that anyone can bypass the RBL
    > check by forging the envelope sender address as being from
    > bellsouth.net. Not a big deal, here, but an example why I avoid
    > whitelists for lower maintenance solutions. If you're trying to
    > send mail to your server from a dynamic residential IP *without
    > authentication*, then this is as appropriate a solution as any other.

    I don't really want to open it to all but I might have to try that
    just to see if anything can get through. Will that also work if the
    hostname is home.bellsouth.net? Actually I need to get this working
    not just for this user but for others as well. I want to make sure it
    all works and I understand it before adding more users. These
    otherwise legitimate ISPs that refuse to take responsibility for spam
    originating on their networks drive me nuts. I have things pretty
    tight so we get very little spam leaking through but there are a few
    legitimate sources that don't.

    >
    > Note that you'll have to put your map *after*
    > reject_unauth_destination if you use the bellsouth.net address for
    > outgoing mail (in which case, you should really use their mail
    > server, instead).
    >

    Now I'm confused (as usual). If I send something to
     it will be rejected? Outgoing mail cannot go to
    'bellsouth.net' as that does not resolve to an smtp server. I thought
    postfix looked up the MX record for that address instead.
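
As an added example (constructed here, not part of this thread and not either poster's actual configuration), the following main.cf excerpt and sender_whitelist show the restriction order Jorey describes, with the unsafe placement beside the corrected one. The DNSBL name and the second map entry are placeholders. Two points worth checking in your own setup: check_sender_access keys on the envelope sender (MAIL FROM), not on the client hostname, so a home.bellsouth.net hostname is irrelevant to this map (client hostnames are matched by check_client_access); and a map entry that returns permit_auth_destination cannot turn the server into an open relay even if misplaced, because it only permits mail to destinations the server already accepts, whereas a plain OK entry consulted before reject_unauth_destination would.

```conf
# /etc/postfix/main.cf (excerpt) -- constructed example, not from the thread.
# Restrictions are evaluated left to right; the first permit or reject wins.

# UNSAFE placement: a whitelist entry that returns plain "OK", consulted
# before reject_unauth_destination, lets anyone who forges a bellsouth.net
# envelope sender relay through this host to arbitrary destinations.
#
#   smtpd_recipient_restrictions =
#       permit_mynetworks
#       check_sender_access hash:/etc/postfix/sender_whitelist   # "OK" entries here = relay hole
#       reject_unauth_destination
#       reject_rbl_client dnsbl.example.net                      # placeholder DNSBL

# CORRECTED placement: authenticated and local clients first, then the relay
# check, and only then the whitelist ahead of the RBL lookups it is meant to bypass.
smtpd_recipient_restrictions =
    permit_sasl_authenticated
    permit_mynetworks
    reject_unauth_destination
    check_sender_access hash:/etc/postfix/sender_whitelist
    reject_rbl_client dnsbl.example.net                          # placeholder DNSBL

# /etc/postfix/sender_whitelist -- keys are envelope sender addresses or domains.
# A bare domain key also matches its subdomains by default, because
# smtpd_access_maps is in the default parent_domain_matches_subdomains list.
bellsouth.net            permit_auth_destination
# Narrower alternative: whitelist one address instead of a whole domain.
someone@example.com      permit_auth_destination                  # placeholder address

# After editing (run as root):
#   postmap /etc/postfix/sender_whitelist
#   postfix reload
# Verify the compiled map answers as expected:
#   postmap -q bellsouth.net hash:/etc/postfix/sender_whitelist   # prints: permit_auth_destination
# Confirm the order Postfix actually loaded:
#   postconf -n smtpd_recipient_restrictions
```

If the postmap -q lookup prints nothing, the .db file is stale or the key is misspelled; if postconf -n shows a different order than the file, main.cf was not reloaded. Keep in mind that anyone can forge bellsouth.net as an envelope sender, so the whole-domain entry only spares that sender domain the RBL check; it grants no relaying and no authentication.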

