From: mouss (no email)
Date: Mon Oct 01 2007 - 00:04:20 EDT
D. Walsh wrote:
>
> On Sep 30, 2007, at 14:34:36, mouss wrote:
>
>> D. Walsh wrote:
>>> After updating 2.1.5 to 2.4.5 and getting things configured it was time
>>> for some live tests, smtpd_client_restrictions &
>>> smtpd_recipient_restrictions entries for the rbl's aren't working
>>> meaning they don't perform their intended task and fail.
>>>
>>> I checked and copied the settings from the working server running
>>> postfix 2.1.5 but still no joy and going back to even older configs, the
>>> entries look the same but I tried them anyways and still no love there
>>> either.
>>>
>>> Thinking that maybe some weird character got inserted during the copy I
>>> manually entered the information but still no joy.
>>>
>>> Then decided to look at postfix.org for perhaps an API change, nope
>>> 'http://www.postfix.org/uce.html#smtpd_sender_restrictions' shows that
>>> my entries are in the correct format (reject_rhsbl_sender domain.tld) so
>>> I'm not sure what the issue is.
>>>
>>> Next I installed the old version of postfix just to ensure that it
>>> wasn't a system or dns configuration issue and things work so that has
>>> been ruled out and I'm not sure where to go from here.
>
>> without logs, it is hard to guess what is not working.
>
>>>
>>> Here are the settings.
>>> _________________________________
>>>
>>> smtpd_client_restrictions =
>>> reject_rbl_client bl.spamcop.net,
>>> reject_rbl_client cbl.abuseat.org,
>
>> This one is included in zen.spamhaus.org
>
>>> reject_rbl_client dnsbl.ahbl.org,
>>> reject_rbl_client multi.surbl.org,
>
>> I'm not sure this has any use here.
>
>>> reject_rbl_client postmaster.rfc-ignorant.org,
>
>> I guess you don't want mail from hotmail.com, ...
>
>
>>> reject_rbl_client zen.spamhaus.org,
>>> reject_rhsbl_client rhsbl.sorbs.net,
>>> reject_rhsbl_client bogusmx.rfc-ignorant.org,
>>> reject_rhsbl_client dsn.rfc-ignorant.org,
>
>
>>> permit_mynetworks,
>
>> so you check your own IPs in DNSBL? It is common to put this at the top,
>> so as to whitelist your IPs. Otherwise, if your DNS gets poisoned,
>> you'll block mail...
>
>>> permit
>>>
>>> smtpd_recipient_restrictions =
>>> permit_mynetworks,
>>> permit_sasl_authenticated,
>
>> move reject_unauth_destination to here. no point to do any checks if it
>> is a relay attempt.
>
>>> reject_invalid_hostname,
>>> reject_non_fqdn_sender,
>>> reject_non_fqdn_recipient,
>>> reject_unknown_sender_domain,
>>> reject_unknown_recipient_domain,
>
>> the recipient domain is one of your domains. no need to check it in DNS.
>
>>> reject_unauth_destination,
>>> reject_rhsbl_sender zen.spamhaus.org,
>>> reject_rhsbl_sender rhsbl.sorbs.net,
>>> reject_rhsbl_sender bogusmx.rfc-ignorant.org,
>>> reject_rhsbl_sender dsn.rfc-ignorant.org,
>>> permit
>>> _________________________________
>
>> you are repeating checks. consider putting all checks under
>> smtpd_recipient_restrictions.
>
> Now I'm confused, what checks am I repeating?
All smtpd_*_restrictions are checked. A permit in
smtpd_client_restrictions doesn't override smtpd_recipient_restrictions.
>
> If I understand you correctly I just place the client and sender rejects
> in smtpd_recipient_restrictions but, doesn't that allow my users to send
> mail to the places I reject because checks are not done?
>
> The new config based on your instructions:
>
> smtpd_client_restrictions =
> permit_mynetworks,
> permit
just remove these.
>
> smtpd_recipient_restrictions =
> permit_mynetworks,
> permit_sasl_authenticated,
> reject_unauth_destination,
> reject_invalid_hostname,
> reject_non_fqdn_sender,
> reject_non_fqdn_recipient,
> reject_unknown_sender_domain,
> reject_rbl_client bl.spamcop.net,
> reject_rbl_client dnsbl.ahbl.org,
> reject_rbl_client postmaster.rfc-ignorant.org,
> reject_rbl_client zen.spamhaus.org,
> reject_rhsbl_sender zen.spamhaus.org,
> reject_rhsbl_sender rhsbl.sorbs.net,
> reject_rhsbl_sender bogusmx.rfc-ignorant.org,
> reject_rhsbl_sender dsn.rfc-ignorant.org,
> permit
>
Make sure the policies of the DNSBLs you use match your site policy. In
particular, rfc-ignorant is probably unsafe here (it's more appropriate
in spamassassin...).
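Added example (not part of the thread, and not Postfix code): a simplified model of how smtpd combines the two restriction lists, to illustrate the two points above, that a permit in smtpd_client_restrictions does not skip smtpd_recipient_restrictions, and that putting DNSBL lookups before permit_mynetworks lets a bad DNSBL answer block your own hosts. The DNSBL data, networks and sessions are constructed; only permit, permit_mynetworks, reject_unauth_destination and reject_rbl_client are modelled.

```python
MYNETWORKS = {"192.0.2.10"}
MY_DOMAINS = {"example.com"}
# Constructed DNSBL answers (no real DNS): the zone wrongly lists our own relay,
# standing in for the "poisoned DNS" case mentioned in the thread.
DNSBL = {"zen.spamhaus.org": {"192.0.2.10", "203.0.113.5"}}

def evaluate(restrictions, session):
    """Walk one restriction list; return 'permit', 'reject' or None (no verdict)."""
    for restriction in restrictions:
        name, *args = restriction.split()
        verdict = None
        if name == "permit":
            verdict = "permit"
        elif name == "permit_mynetworks":
            verdict = "permit" if session["client_ip"] in MYNETWORKS else None
        elif name == "reject_unauth_destination":
            rcpt_domain = session["rcpt"].rsplit("@", 1)[1]
            verdict = None if rcpt_domain in MY_DOMAINS else "reject"
        elif name == "reject_rbl_client":
            listed = session["client_ip"] in DNSBL.get(args[0], set())
            verdict = "reject" if listed else None
        if verdict:
            return verdict  # permit/reject ends this list only
    return None

def smtpd_decision(client_restrictions, recipient_restrictions, session):
    """With the default smtpd_delay_reject=yes every list is evaluated at RCPT TO;
    a permit ends only its own list, a reject anywhere rejects the recipient."""
    for restrictions in (client_restrictions, recipient_restrictions):
        if evaluate(restrictions, session) == "reject":
            return "reject"
    return "permit"

# Ordering from the original post: DNSBL lookups before permit_mynetworks.
OLD_CLIENT = ["reject_rbl_client zen.spamhaus.org", "permit_mynetworks", "permit"]
OLD_RCPT = ["permit_mynetworks", "reject_unauth_destination", "permit"]
# Ordering suggested in the reply: whitelist own networks first, one combined list.
NEW_RCPT = ["permit_mynetworks", "reject_unauth_destination",
            "reject_rbl_client zen.spamhaus.org", "permit"]

# Constructed sessions: an internal host relaying out, and an outside host trying to.
local_relay = {"client_ip": "192.0.2.10", "rcpt": "user@elsewhere.example"}
outside_relay = {"client_ip": "198.51.100.7", "rcpt": "user@elsewhere.example"}

if __name__ == "__main__":
    print(smtpd_decision(OLD_CLIENT, OLD_RCPT, local_relay))   # reject: own relay blocked by the bad DNSBL answer
    print(smtpd_decision([], NEW_RCPT, local_relay))           # permit
    print(smtpd_decision(OLD_CLIENT, OLD_RCPT, outside_relay)) # reject: client-list permit did not skip recipient checks
```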