Re: How come my system rejects mail on a blacklist rule before unknown user?
From: Administrator (admin@runningleopard.com)
Date: Fri May 20 2005 - 13:38:31 CDT
> From: <jhendrickson@princesscruises.com>
> Date: Fri, 20 May 2005 10:00:47 -0700
> To: <postfix-users@postfix.org>
> Subject: How come my system rejects mail on a blacklist rule before unknown
> user?
>
> I was just doing some traffic reporting and noticed something strange. I
> have entries in my log file that show an email being rejected based on a
> blacklist entry for a mail address that is not valid.
>
> May 20 09:41:03 mail1 postfix/smtpd[57276]: NOQUEUE: reject: RCPT from
> ool-182f31ae.dyn.optonline.net[24.47.49.174]: 554 Service unavailable;
> Client host [24.47.49.174] blocked using dul.dnsbl.sorbs.net; Dynamic IP
> Addresses See: http://www.sorbs.net/lookup.shtml?24.47.49.174;
> from=<0IDG00B8DKWS7M@mta19.srv.hcvlny.cv.net>
> to=<0HUD0087JBTZUN@princesscruises.com> proto=SMTP helo=<jolumx.net>
>
> The appropriate entry in main.cf is:
>
> smtpd_recipient_restrictions =
> check_client_access dbm:/etc/postfix/allowed_clients,
> check_sender_access dbm:/etc/postfix/sender_checks,
> check_client_access dbm:/etc/postfix/internal_client_checks,
> reject_unauth_destination,
> check_recipient_access regexp:/etc/postfix/recipient_checks.regexp,
> check_helo_access dbm:/etc/postfix/helo_checks,
> check_client_access dbm:/etc/postfix/client_checks,
> check_sender_access dbm:/etc/postfix/remote_sender_checks,
> check_sender_access dbm:/etc/postfix/mydomains,
> #reject_unknown_client,
> reject_rbl_client relays.ordb.org,
> reject_rbl_client sbl.spamhaus.org,
> reject_rbl_client dul.dnsbl.sorbs.net,
> permit
>
> It was my impression that the "reject_unauth_destination" was the check
> that verified that the recipient address was valid. I do not have
> 0HUD0087JBTZUN@princesscruises.com in my virtual users table.
>
NO!
reject_unauth_destination rejects mail for domains which are not local.
(From the Postfix Docs):
reject_unauth_destination
Reject the request unless one of the following is true:
* Postfix is mail forwarder: the resolved RCPT TO address matches
$relay_domains or a subdomain thereof, and contains no sender-specified
routing (user@elsewhere@domain),
* Postfix is the final destination: the resolved RCPT TO address
matches $mydestination, $inet_interfaces, $proxy_interfaces,
$virtual_alias_domains, or $virtual_mailbox_domains, and contains no
sender-specified routing (user@elsewhere@domain).
> For those who are concerned that I do not have a "permit_mynetworks"
> entry, we lock down our users email pretty tight here so I have a couple
> access lists.
>
> allowed_clients is my external ip whitelist, they link to a
> restriction_class that only allows them to send to a list of domains
> internally to prevent relaying.
>
This could (and probably should) go AFTER reject_unauth_destination
> sender_checks is a list of people that are allowed to send email and it
> checks both originating IP (to ensure that the mail was sent from a valid
> internal mail server) and sender address is in a valid list.
Is this for internal users?
Perhaps it would be better to use SMTP Auth instead?
>
> internal_client_checks is a list of valid internal mail servers and they
> are allowed to send mail to a pre-approved list of domains.
This all seems kinda more complicated than it needs to be.
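
Added example, not part of the original thread: a simplified Python model of first-match evaluation of smtpd_recipient_restrictions, showing why the quoted log line reports the DNSBL hit rather than an unknown user. The lookup tables are constructed sample data, the access-map checks from the posted main.cf are left out, and reject_unlisted_recipient is a real Postfix restriction that the thread itself does not mention.

```python
# Simplified model of first-match evaluation of smtpd_recipient_restrictions.
# All tables below are constructed sample data, not the poster's real maps.
LOCAL_DOMAINS = {"princesscruises.com"}            # stands in for $virtual_mailbox_domains
VALID_RCPTS = {"postmaster@princesscruises.com"}   # stands in for the virtual users table
DNSBL = {"dul.dnsbl.sorbs.net": {"24.47.49.174"}}  # listing taken from the quoted log line


def reject_unauth_destination(client, rcpt):
    # Looks at the recipient DOMAIN only; never consults the user table.
    domain = rcpt.rsplit("@", 1)[-1].lower()
    return None if domain in LOCAL_DOMAINS else "REJECT relay access denied"


def reject_unlisted_recipient(client, rcpt):
    # This is the check that actually validates the mailbox.
    return None if rcpt.lower() in VALID_RCPTS else "REJECT user unknown"


def reject_rbl_client(zone):
    def check(client, rcpt):
        return f"REJECT blocked using {zone}" if client in DNSBL.get(zone, ()) else None
    return check


def evaluate(restrictions, client, rcpt):
    """Return the first decisive result; later checks are never reached."""
    for check in restrictions:
        result = check(client, rcpt)
        if result is not None:
            return result
    # Model assumption: with smtpd_reject_unlisted_recipient = yes (the default),
    # the unknown-recipient test runs only after the explicit list has passed.
    return reject_unlisted_recipient(client, rcpt) or "OK"


rbl = reject_rbl_client("dul.dnsbl.sorbs.net")
AS_POSTED = [reject_unauth_destination, rbl]     # order from the quoted main.cf
REORDERED = [reject_unauth_destination, reject_unlisted_recipient, rbl]

if __name__ == "__main__":
    args = ("24.47.49.174", "0HUD0087JBTZUN@princesscruises.com")
    print("as posted:", evaluate(AS_POSTED, *args))
    print("reordered:", evaluate(REORDERED, *args))
```

With the posted order, the unknown-user rejection only appears in the log for clients that are not on any of the listed DNSBLs.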