From: mouss (no email)
Date: Sun Sep 28 2008 - 11:41:50 EDT
Brian Evans wrote:
> Peter L. Berghold wrote:
>> Brian Evans - Postfix List wrote:
>>
>>> Without a current 'postconf -n', no one here can tell you.
> [...]
>> relay_domains = bayshoredogclub.org,
>> berghold.net,agilitystewards.org,localhost
>
> No relay_recipient_maps could make you an (out|back)scatter source.
>> smtpd_helo_restrictions = permit_mynetworks, reject_invalid_hostname,
>> reject_unknown_hostname
>>
>
> The problem comes from reject_unknown_hostname in this case. You don't
> have a check_helo_access map before it to whitelist the client in question.
>
He'd better whitelist the client IP. But reject_unknown_hostname is
known to cause FPs, or at least delay mail in case of temp failures...
>> smtpd_recipient_restrictions = check_sender_access
>> hash:/etc/postfix/access, permit_mynetworks,
>> permit_sasl_authenticated, reject_unauth_destination,
>> reject_unauth_pipelining, reject_non_fqdn_sender,
>> reject_non_fqdn_recipient, reject_unknown_recipient_domain,
>> reject_invalid_hostname, reject_rbl_client blackholes.easynet.nl,
>> reject_rbl_client cbl.abuseat.org, reject_rbl_client bl.spamcop.net,
>> reject_rbl_client sbl.spamhaus.org, reject_rbl_client
>> opm.blitzed.org, reject_rbl_client dnsbl.njabl.org,
>> reject_rbl_client list.dsbl.org, reject_rbl_client multihop.dsbl.org,
>> permit
>
> BTW, since you are using check_sender_access, this only ever matches
> ENVELOPE sender, never which machine is doing the sending.
> In addition, putting the check BEFORE reject_unauth_destination with an
> OK makes you an open relay for any forged domains in that access file.
And reject_unauth_pipelining is useless here. Sounds like a
cut-and-paste from a how[not]to ;-p
>
> Also, opm.blitzed.org and *.dsbl.org are dead, remove those checks to
> save a little overhead and possible false positives in the future.
So is blackholes.easynet.nl.
http://spamlinks.net/filter-dnsbl-dead.htm
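
Added example, not part of the original message or of Postfix: a small Python audit of `postconf -n` output for the three issues raised in this thread (relay_domains without relay_recipient_maps, an access map ahead of reject_unauth_destination, and the DNSBL zones named as dead). It generalizes the check_sender_access point to any `check_*_access` lookup, and the sample configuration with its example.org domains is constructed.

```python
import re

# Zones the thread reports as dead; ".dsbl.org" covers "*.dsbl.org" by suffix.
DEAD = ("opm.blitzed.org", "blackholes.easynet.nl", ".dsbl.org")
ACCESS = re.compile(r"^check_\w+_access$")

def parse_postconf(text):
    """Parse 'postconf -n' output; indented lines continue the previous value."""
    params, key = {}, None
    for line in text.splitlines():
        if line[:1].isspace() and key:
            params[key] += " " + line.strip()
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            params[key] = value
    return params

def restrictions(value):
    """Split a restriction list into (name, argument) pairs."""
    tokens, out = [t for t in re.split(r"[,\s]+", value) if t], []
    while tokens:
        name = tokens.pop(0)
        takes_arg = ACCESS.match(name) or name == "reject_rbl_client"
        out.append((name, tokens.pop(0) if takes_arg and tokens else None))
    return out

def audit(text):
    """Return one finding per issue of the kinds raised in the thread."""
    params, findings = parse_postconf(text), []
    if params.get("relay_domains") and not params.get("relay_recipient_maps"):
        findings.append("relay_domains without relay_recipient_maps: backscatter risk")
    rules = restrictions(params.get("smtpd_recipient_restrictions", ""))
    names = [name for name, _ in rules]
    # Index of reject_unauth_destination, or the end of the list if it is absent.
    cut = (names + ["reject_unauth_destination"]).index("reject_unauth_destination")
    for name, arg in rules[:cut]:
        if ACCESS.match(name):
            findings.append(f"{name} {arg} before reject_unauth_destination: an OK result permits relay")
    for name, zone in rules:
        if name == "reject_rbl_client" and zone and zone.endswith(DEAD):
            findings.append(f"dead DNSBL: {zone}")
    return findings

# Constructed sample in the shape of the quoted configuration (placeholder domains).
SAMPLE = """\
relay_domains = example.org, example.net
smtpd_recipient_restrictions = check_sender_access hash:/etc/postfix/access,
    permit_mynetworks, reject_unauth_destination, reject_rbl_client opm.blitzed.org,
    reject_rbl_client list.dsbl.org, reject_rbl_client sbl.spamhaus.org, permit
"""
```

`audit(SAMPLE)` returns four findings. The script cannot see the contents of the access map, so the relay finding means "review this table for OK results", not that the server is confirmed open.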