RE: postmap question regarding the access file

From: Noel Jones (njones@megan.vbhcs.org)
Date: Tue Jul 01 2003 - 13:54:06 CDT


At 01:44 PM 7/1/03 -0500, Vernon A. Fort wrote:
>Fair Question....
>
>My smtpd_recipient_restrictions = permit_mynetworks,
> check_helo_access regexp:/etc/postfix/helo_checks,
> check_sender_access hash:/etc/postfix/white_list, (per Wietse's suggestion!)
> check_sender_access regexp:/etc/postfix/access,
> reject_unauth_destination,
> reject_unauth_pipelining,
> reject_unknown_recipient_domain,
> reject_non_fqdn_recipient,
> reject_rbl_client list.dsbl.org,
> reject_rbl_client relays.ordb.org,
> reject_rbl_client proxy.relays.osirusoft.com,
> permit
>
>/etc/postfix/access:
> /Mail\.ParaResearch\.com/ OK
> /mail\.pararesearch\.com/ OK # just in case folding
>
>/etc/postfix/white_list:
> Mail.ParaResearch.com OK
> mail.pararesearch.com OK
>
>Either way, it's still rejecting mail from this host:
> Jul 1 13:27:59 provone postfix/smtpd[25063]: connect from Mail.ParaResearch.com [66.152.199.245]
> Jul 1 13:27:59 provone postfix/smtpd[25063]: AA8C6BF6: client=Mail.ParaResearch.com [66.152.199.245]
> Jul 1 13:27:59 provone postfix/smtpd[25063]: AA8C6BF6: reject: RCPT from Mail.ParaResearch.com[66.152.199.245]: 550 Service unavailable; Client host [66.152.199.245] blocked using list.dsbl.org; http://dsbl.org/listing ip=66.152.199.245; from=<vtaylor@pararesearch.com> to=<vfort@provident-solutions.com> proto=ESMTP helo=<paramail.pararesearch.com>
> Jul 1 13:28:02 provone postfix/smtpd[25063]: disconnect from Mail.ParaResearch.com [66.152.199.245]
>
>All I am trying to accomplish is to allow this mail through without
>disabling the list.dsbl.org altogether. The reject is from the
>list.dsbl.org check, which is only under the above smtpd restrictions. Any
>other suggestions?

You're applying a sender check to client data.

Use check_client_access instead. Use their IP address instead of the DNS
name to prevent errors in case DNS has failures.

Put check_client_access AFTER reject_unauth_destination so that this client
can't use you for a relay.

smtpd_recipient_restrictions =
        reject_unknown_recipient_domain,
        permit_mynetworks,
        reject_unauth_destination,
        check_helo_access regexp:/etc/postfix/helo_checks,
        check_client_access hash:/etc/postfix/white_list,
        check_sender_access regexp:/etc/postfix/access,
        reject_unauth_pipelining,
        reject_non_fqdn_recipient,
        reject_rbl_client list.dsbl.org,
        reject_rbl_client relays.ordb.org,
        reject_rbl_client proxy.relays.osirusoft.com,
        permit

also, reject_unknown_recipient_domain has no effect after
reject_unauth_destination, and won't have much effect after permit_mynetworks.
Either move it above permit_mynetworks if you want to apply this check to
your own users, or remove it.

--
Noel Jones
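To see why the ordering in Noel's reply matters, here is a small Python model of how Postfix walks smtpd_recipient_restrictions, added here for illustration; it is not Postfix code, and it stands in for the DNSBL lookup and the access maps with constructed in-memory data taken from the log above. It compares three orderings: the poster's (sender check keyed on the client name), a client whitelist placed before reject_unauth_destination, and the suggested one.

```python
import ipaddress
import re

# Constructed data modelled on the thread (not a Postfix API): the client is
# listed in list.dsbl.org and should be exempted without dropping the DNSBL.
MYNETWORKS = [ipaddress.ip_network("127.0.0.0/8")]
MY_DOMAINS = {"provident-solutions.com"}        # domains this server accepts mail for
DNSBL_LISTED = {"66.152.199.245"}                # simulated list.dsbl.org answers
CLIENT_WHITELIST = {"66.152.199.245": "OK"}      # hash:/etc/postfix/white_list keyed by IP
SENDER_ACCESS = [(re.compile(r"mail\.pararesearch\.com", re.I), "OK")]  # regexp:/etc/postfix/access


def evaluate(restrictions, client_ip, sender, rcpt):
    """Walk a simplified restriction list in order; the first PERMIT/REJECT wins.

    Returns (decision, name_of_restriction_that_decided).
    """
    ip = ipaddress.ip_address(client_ip)
    rcpt_domain = rcpt.rpartition("@")[2]
    for name in restrictions:
        if name == "permit_mynetworks" and any(ip in net for net in MYNETWORKS):
            return "PERMIT", name
        if name == "reject_unauth_destination" and rcpt_domain not in MY_DOMAINS:
            return "REJECT", name
        if name == "check_client_access" and CLIENT_WHITELIST.get(client_ip) == "OK":
            return "PERMIT", name
        # The poster's map holds the client's host name, but a sender check is
        # matched against the envelope sender, so it never fires here.
        if name == "check_sender_access" and any(
            rx.search(sender) for rx, action in SENDER_ACCESS if action == "OK"
        ):
            return "PERMIT", name
        if name == "reject_rbl_client" and client_ip in DNSBL_LISTED:
            return "REJECT", name
        if name == "permit":
            return "PERMIT", name
    return "DUNNO", None


# Poster's order: the sender check misses, so the RBL still rejects the client.
ORIGINAL = ["permit_mynetworks", "check_sender_access", "reject_unauth_destination",
            "reject_rbl_client", "permit"]
# Whitelist BEFORE reject_unauth_destination: the listed client may relay anywhere.
UNSAFE = ["permit_mynetworks", "check_client_access", "reject_unauth_destination",
          "reject_rbl_client", "permit"]
# Noel's order: whitelist AFTER reject_unauth_destination but before the RBL checks.
SUGGESTED = ["permit_mynetworks", "reject_unauth_destination", "check_client_access",
             "reject_rbl_client", "permit"]

CLIENT, SENDER = "66.152.199.245", "vtaylor@pararesearch.com"
LOCAL_RCPT, FOREIGN_RCPT = "vfort@provident-solutions.com", "someone@example.net"
```

Calling `evaluate(SUGGESTED, CLIENT, SENDER, LOCAL_RCPT)` permits on the client whitelist, while the same client with `FOREIGN_RCPT` is stopped by reject_unauth_destination; with `UNSAFE` the foreign recipient is permitted, which is the open-relay case Noel warns about.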