Re: A Question About "check_client_access"

From: Noel Jones (njonesmegan.vbhcs.org)
Date: Wed Oct 12 2005 - 16:02:27 CDT


At 03:29 PM 10/12/2005, Rich Shepard wrote:
>Return-Path: <virfmfetojoinme.com>
>X-Original-To: rshepardappl-ecosys.com
>Delivered-To: rshepardappl-ecosys.com
>Received: from 216.99.206.23 (unknown [61.84.170.21])
> by salmo.appl-ecosys.com (Postfix) with SMTP id
> B6FC8DCA
> for <rshepardappl-ecosys.com>; Tue, 11 Oct 2005
> 14:55:47 -0700 (PDT)
...
>smtpd_recipient_restrictions =
> check_client_access
> hash:/etc/postfix/internal_network
> check_sender_access
> hash:/etc/postfix/not_our_domain_as_sender
> reject_non_fqdn_recipient
> reject_non_fqdn_sender
> reject_unknown_sender_domain
> reject_unknown_recipient_domain
> permit_mynetworks
> reject_unauth_destination
> check_recipient_access
> hash:/etc/postfix/roleaccount_exceptions
> check_recipient_access
> hash:/etc/postfix/recipients
> check_helo_access pcre:/etc/postfix/helo_checks
> reject_non_fqdn_hostname
> reject_invalid_hostname
> check_sender_mx_access
> cidr:/etc/postfix/bogus_mx
> check_sender_access
> hash:/etc/postfix/rhsbl_sender_exceptions
> reject_rhsbl_sender dsn.rfc-ignorant.org
> reject_rbl_client sbl-xbl.spamhaus.org
> reject_rbl_client relays.ordb.org
> reject_rbl_client bl.spamcop.net
> reject_rbl_client list.dsbl.org
> check_sender_access
> hash:/etc/postfix/common_spam_senderdomains
> check_client_access hash:/etc/postfix/badip

It never gets this far. This particular host is
listed in several of the RBLs you use, so the message
is getting whitelisted before it ever gets to the
badip map, before it gets to the RBL checks.

Check all your maps above the RBL checks - one of them
is giving either client/helo/sender/recipient an OK
response. I'd check the pcre: maps first, but that's
just a hunch. Any map that can possibly give an OK
response is suspect at this point.

Remember about the search order when you test with
postmap -q; check the access(5) man page for a
refresher. Postmap doesn't do recursive queries, so
you have to do them manually as in:

    postmap -q senderhost.example.com sender_map
    postmap -q host.example.com sender_map
    postmap -q example.com sender_map
    postmap -q com sender_map
    postmap -q sender sender_map

--
Noel Jones
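
The manual lookups described in the message above can be scripted. The following is an added example, not part of the original post: it expands one value into the keys that access(5) documents for hash-style maps and queries a map for each key with postmap -q. The function names are hypothetical, and it assumes the default parent_domain_matches_subdomains setting (smtpd_access_maps listed), so parent domains are tried without a leading dot.

```shell
#!/bin/sh
# Added example: find which key in an access map returns a result (e.g. OK).
# Assumption: smtpd_access_maps is listed in parent_domain_matches_subdomains,
# so parent domains are looked up as "example.com", not ".example.com".

# Hostname or domain: the name itself, then each parent domain down to the TLD.
domain_keys() {
    d=$1
    while [ -n "$d" ]; do
        printf '%s\n' "$d"
        case $d in
            *.*) d=${d#*.} ;;   # strip the leftmost label
            *)   d= ;;
        esac
    done
}

# IPv4 address: the full address, then drop one trailing octet at a time.
addr_keys() {
    a=$1
    while [ -n "$a" ]; do
        printf '%s\n' "$a"
        case $a in
            *.*) a=${a%.*} ;;   # strip the rightmost octet
            *)   a= ;;
        esac
    done
}

# Email address: user@domain, the domain and its parents, then user@.
mail_keys() {
    printf '%s\n' "$1"
    domain_keys "${1##*@}"
    printf '%s@\n' "${1%@*}"
}

# Query one map (type:path) for every key; kind is domain, addr or mail.
probe_map() {
    kind=$1 value=$2 map=$3
    "${kind}_keys" "$value" | while IFS= read -r key; do
        if result=$(postmap -q "$key" "$map"); then
            printf '%s: %s -> %s\n' "$map" "$key" "$result"
        fi
    done
}

# Usage: sh probe.sh addr 61.84.170.21 hash:/etc/postfix/internal_network
if [ $# -eq 3 ]; then probe_map "$@"; fi
```

Run it once per map that sits above the RBL checks, with the kind that matches the restriction (addr or domain for check_client_access, mail for check_sender_access and check_recipient_access); any line it prints is a key that can end the restriction list early.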