Re: .sub.domain matching problem in client_access

From: Michael Tokarev (mjttls.msk.ru)
Date: Tue Jul 13 2004 - 01:17:03 CDT


James Garrison wrote:
> From main.cf:
>
>> smtpd_recipient_restrictions =
>> reject_unauth_destination,
>> permit_mynetworks,
>> check_helo_access hash:/etc/postfix/check_helo,
>> check_helo_access regexp:/etc/postfix/regexp_helo,
>> check_client_access hash:/etc/postfix/client_whitelist,
>> check_client_access hash:/etc/postfix/check_client,
>> check_client_access regexp:/etc/postfix/check_client.re,
>> check_sender_access hash:/etc/postfix/check_sender,
>> reject_invalid_hostname,
>> reject_non_fqdn_sender,
>> reject_non_fqdn_recipient,
>> reject_unknown_recipient_domain,
>> permit
>
>
> /etc/postfix/client_whitelist (processed into client_whitelist.db
> with "postmap hash:/etc/postfix/client_whitelist"):
>
>> .biz.rr.com OK
>> .ded.swbell.net OK

parent_domain_matches_subdomains - remove smtpd_access_maps from the
list (or better, set it to an empty string, so that the same subdomain
behaviour is used in all places). By default, a .domain entry isn't
looked up in a map.

> /etc/postfix/check_client.re contains:
>
>> /[0-9]{1,3}[-_.][0-9]{1,3}[-_.].*\.[a-z]{2,}$/ REJECT Access Denied (SPAM rule 12a)
>> /[-_.][0-9]{1,3}[-_.][0-9]{1,3}.*\.[a-z]{2,}$/ REJECT Access Denied (SPAM rule 12b)

Please be a bit more informative in the reject text - e.g.
   REJECT Generic Cable/DSL networks should use ISP smarthost (SPAM rule 12a)

Note also that you may add the two entries above right here in
the check_client.re map, like:

   /\.biz\.rr\.com$/ DUNNO

> The rules in check_client.re are intended to catch client
> hostnames with typical DHCP rDNS entries used by cable/dsl
> ISPs, which contain nnn-nnn-nnn-nnn.
>
> I specifically want to whitelist the domains listed above,

We're receiving quite a lot of spam from both biz.rr.com and
ded.swbell.com - typical trojaned win machines... ;)

> but those hosts are consistently rejected by rules 12a or
> 12b because they also contain the IP address. For example
> (broken into multiple lines):
>
>> Jul 12 16:33:42 anathema postfix/smtpd[28731]: D1DB210D90: reject:
>> RCPT from rrcs-sw-24-173-238-134.biz.rr.com[24.173.238.134]:
>> 554 <rrcs-sw-24-173-238-134.biz.rr.com[24.173.238.134]>:
>> Client host rejected: Access Denied (SPAM rule 12a);
>> from=<twzdnumjfaaemail.com> to=<curtisathensgroup.com>
>> proto=SMTP helo=<rrcs-sw-24-173-238-134.biz.rr.com>
>
> I've obviously missed something but can't see it.

You missed parent_domain_matches_subdomains (please reread the
check_client_access documentation, the part where it talks about
subdomains), and missed other opportunities, like using the same
check_client.re as both white- and block-list. There's also another
way to organize your check_client.re (pcre this time to show some
more variants):

# Rule lines start in column 0: a line that begins with whitespace is a
# continuation of the previous logical line, so the rules inside the
# if/endif block must not be indented.
# skip IP addresses (the address form of the lookup key ends in a digit)
if !/[0-9]$/
# whitelist: stop searching this table, fall through to later restrictions
/\.(?:ded\.swbell\.net|biz\.rr\.com)$/ DUNNO
# generic cable/dhcp/dsl hostnames
/(?:[0-9]{1,3}[-_.][0-9]{1,3}[-_.]|[-_.][0-9]{1,3}[-_.][0-9]{1,3})/ REJECT Access Denied for generic Cable/DSL/DHCP networks (SPAM rule 12b)
endif

/mjt
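To make the lookup order behind this reply concrete, here is a small Python model of the two check_client_access steps from the quoted main.cf. It is an added example for this archive page, not code from either poster or from Postfix itself. The lookup sequence it implements (hostname, parent domains, address, network prefixes for an indexed table; the whole hostname and then the whole address for a regexp/pcre table, which does no parent-domain walk) is the one documented in access(5) and pcre_table(5); the client name, address and table contents are constructed from the messages above, and the function names are this example's own.

```python
"""Model of the check_client_access lookups from the quoted main.cf (added
example for this thread, not Postfix code). Lookup order follows access(5)
and pcre_table(5): indexed tables are probed with the hostname, its parent
domains, the address and its network prefixes; regexp/pcre tables only see
the whole hostname, then the whole address. Inputs are constructed."""
import re

CLIENT_NAME = "rrcs-sw-24-173-238-134.biz.rr.com"   # from the quoted log line
CLIENT_ADDR = "24.173.238.134"

# hash:/etc/postfix/client_whitelist as the poster wrote it
WHITELIST = {".biz.rr.com": "OK", ".ded.swbell.net": "OK"}

# regexp:/etc/postfix/check_client.re as the poster wrote it
ORIGINAL_RE_TABLE = r"""
/[0-9]{1,3}[-_.][0-9]{1,3}[-_.].*\.[a-z]{2,}$/ REJECT Access Denied (SPAM rule 12a)
/[-_.][0-9]{1,3}[-_.][0-9]{1,3}.*\.[a-z]{2,}$/ REJECT Access Denied (SPAM rule 12b)
"""

# the pcre table from the reply; rules start in column 0 because a line
# beginning with whitespace continues the previous logical line
REPLY_PCRE_TABLE = r"""
# skip IP addresses
if !/[0-9]$/
/\.(?:ded\.swbell\.net|biz\.rr\.com)$/ DUNNO
/(?:[0-9]{1,3}[-_.][0-9]{1,3}[-_.]|[-_.][0-9]{1,3}[-_.][0-9]{1,3})/ REJECT Access Denied for generic Cable/DSL/DHCP networks (SPAM rule 12b)
endif
"""


def hash_lookup_keys(name, addr, parent_matches_subdomains=True):
    """Keys an indexed table is probed with, in order. With smtpd_access_maps
    in parent_domain_matches_subdomains (the default) parents are probed as
    "domain.tld"; with it removed, as ".domain.tld"."""
    keys = [name]
    labels = name.split(".")
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        keys.append(parent if parent_matches_subdomains else "." + parent)
    octets = addr.split(".")
    for i in range(len(octets), 0, -1):
        keys.append(".".join(octets[:i]))
    return keys


def hash_access(table, name, addr, parent_matches_subdomains=True):
    """Value of the first key found in an indexed table; DUNNO means not found."""
    for key in hash_lookup_keys(name, addr, parent_matches_subdomains):
        if key in table:
            return None if table[key] == "DUNNO" else table[key]
    return None


_RULE = re.compile(r"^(!?)/((?:[^/\\]|\\.)*)/\s*(.*)$")   # [!]/pattern/ action


def _logical_lines(text):
    lines = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        if raw[0].isspace() and lines:        # continuation of previous line
            lines[-1] += " " + raw.strip()
        else:
            lines.append(raw.rstrip())
    return lines


def regexp_access(table_text, key):
    """Action of the first rule matching KEY in a regexp/pcre table, honouring
    if/endif blocks; None if nothing matches. Case-insensitive, as Postfix
    pattern tables are by default."""
    active = [True]                            # one entry per open if-block
    for line in _logical_lines(table_text):
        if line == "endif":
            active.pop()
            continue
        if line.startswith("if "):
            neg, pat, _ = _RULE.match(line[3:].strip()).groups()
            hit = re.search(pat, key, re.IGNORECASE) is not None
            active.append(active[-1] and hit != bool(neg))
            continue
        if not active[-1]:
            continue
        neg, pat, action = _RULE.match(line).groups()
        if (re.search(pat, key, re.IGNORECASE) is not None) != bool(neg):
            return action
    return None


def smtpd_decision(name, addr, re_table, parent_matches_subdomains=True):
    """hash:client_whitelist, then the regexp/pcre table, in main.cf order.
    The first OK/REJECT wins. A regexp table is tried with the whole hostname
    and then the whole address; DUNNO drops to the next key. No result at
    all means the later restrictions decide ("fall through")."""
    result = hash_access(WHITELIST, name, addr, parent_matches_subdomains)
    if result is not None:
        return result
    for key in (name, addr):
        result = regexp_access(re_table, key)
        if result is not None and result != "DUNNO":
            return result
    return "fall through"
```

With the default setting the whitelist is probed for "biz.rr.com", "rr.com" and "com" but never for ".biz.rr.com", so the poster's client reaches rule 12a; with smtpd_access_maps removed from parent_domain_matches_subdomains the ".biz.rr.com" key matches and returns OK; with the reply's pcre table the hostname hits DUNNO, the address lookup is skipped by the if-block, and the decision falls through to the remaining restrictions. On a real system, `postmap -q key table` looks up exactly one key with no parent-domain walk, which is a quick way to confirm which of these keys a table actually contains.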