Re: 127.0.0.1 (and more) listed in Spamcop, how to avoid?

From: Rob Foehl (rwfloonybin.net)
Date: Tue Dec 02 2003 - 22:52:20 CST


On Wed, 3 Dec 2003, Alain Fauconnet wrote:

> On Tue, Dec 02, 2003 at 11:14:12PM -0500, Rob Foehl wrote:
> > On Wed, 3 Dec 2003, Alain Fauconnet wrote:
> >
> > > > 127.0.0.1 as well as many RFC1918 addresses have been listed in
> > > > Spamcop yesterday. This caused a lot of wrong bounces in mail to my
> > > > users, and a lot of flame in my own e-mail :-}
> > > >
> > > > These should never be listed, of course, but it makes sense that such
> > > > addresses should never be checked against blacklists as well.
> > > >
> > > > What's the proper way to manage this? I think of having 127.0.0.0/8
> > > > and all RFC1918 networks in mynetworks and put permit_mynetworks
> > > > _before_ reject_rbl_client <whatever> in smtpd_recipient_restrictions,
> > > > where it should probably always have been (oops).
> > >
> > > Wait, this doesn't make sense, right? permit_mynetworks checks only
> > > against the IP address of the sender and not the IP addresses
> > > appearing in the 'Received:' headers, right? That's a sure good
> > > thing, if not it'd be easy to fake headers to let any mail server
> > > relay spam!
> > >
> > > So what would be The Good Way(TM)?
> >
> > permit_mynetworks only tests the client IP address, it has nothing to do
> > with message contents..
>
> Ouch. Need some more coffee today I think. Yes of course, _neither_
> permit_mynetworks (this I knew) _nor_ reject_rbl_client look at the
> 'Received:' headers. They just look at the IP address of the server
> they have the SMTP connection from. And in my case, with the
> Amavisd-new content filtering on ports 10024/10025, Postfix does get
> the connection from 127.0.0.1 when the mail is reinjected.
>
> So it means that _all_ my incoming mail was bounced during that
> period (when 127.0.0.1 was listed). Scary.

If you're using a content filter, your after-filter smtpd config in
master.cf should look something like this:

127.0.0.1:10025 inet n - n - - smtpd
  -o content_filter=
  -o myhostname=localhost
  -o mynetworks=127.0.0.0/8
  -o smtpd_recipient_restrictions=permit_mynetworks,reject

..plus any other options you might need/want for that smtpd. This avoids
wasting cycles and bandwidth on checks that've already been done by the
first smtpd that handled the mail.

-Rob
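
An added example (not part of the original thread): a small audit that reads master.cf text and reports loopback smtpd listeners, such as a content-filter reinjection port, whose effective smtpd_recipient_restrictions would run a reject_rbl_client lookup before permit_mynetworks. The sample configs, the bl.example.org list name and the 10026 listener are constructed for illustration, and only smtpd_recipient_restrictions is inspected.

```python
import re

# Constructed sample configs (not from the thread); bl.example.org is a placeholder.
MAIN_CF_RESTRICTIONS = "reject_rbl_client bl.example.org, permit_mynetworks, reject"
MASTER_CF = """\
smtp      inet  n  -  n  -  -  smtpd
127.0.0.1:10025 inet n - n - - smtpd
  -o content_filter=
  -o mynetworks=127.0.0.0/8
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
127.0.0.1:10026 inet n - n - - smtpd
  -o content_filter=
"""

def logical_lines(text):
    """Join master.cf continuation lines (those starting with whitespace)."""
    out = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and out:
            out[-1] += " " + raw.strip()
        else:
            out.append(raw.strip())
    return out

def rbl_before_permit(restrictions):
    """True if reject_rbl_client is reached before permit_mynetworks."""
    for item in re.split(r"[,\s]+", restrictions):
        if item == "permit_mynetworks":
            return False
        if item == "reject_rbl_client":
            return True
    return False

def audit(master_cf, main_restrictions):
    """Return loopback smtpd services that would query a DNSBL for 127.0.0.1."""
    findings = []
    for line in logical_lines(master_cf):
        fields = line.split()
        if len(fields) < 8 or fields[1] != "inet" or fields[7] != "smtpd":
            continue
        if not fields[0].startswith(("127.", "localhost:")):
            continue
        # -o overrides replace the main.cf value for this listener only.
        opts = dict(o.split("=", 1) for o in re.findall(r"-o\s+(\S+)", line) if "=" in o)
        effective = opts.get("smtpd_recipient_restrictions", main_restrictions)
        if rbl_before_permit(effective):
            findings.append(fields[0])
    return findings
```

On the constructed input, the 10025 listener passes because of its override, while the 10026 listener inherits the main.cf ordering and is reported.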