Re: smtpd_client_restrictions and reject_rbl_client not working
From: /dev/rob0 (rob0 gmx.co.uk)
Date: Mon Aug 21 2006 - 19:53:45 CDT
On Monday 21 August 2006 19:30, LeVA wrote:
> smtpd_client_restrictions = reject_rbl_client dnsbl.sorbs.net
You might want to reconsider this. Sbl-xbl.spamhaus.org. is far more
effective and safer. SORBS should generally only be used in a scoring
system (policyd-weight or SpamAssassin, perhaps.) SORBS is a bit more
aggressive, and has some controversial listing and delisting policies.
> I thought that this rather simple restriction would check if the
> connected ip is in the sorbs' blacklist. The documentation says:
> "smtpd_client_restrictions: Optional SMTP server access restrictions
> in the context of a client SMTP connection request."
Yes, it does this via a DNS query. For client IP w.x.y.z, it does a
lookup of "z.y.x.w.dnsbl.sorbs.net."
> But if I connect to postfix from a remote host while I'm tcpdumping
> on the server (checking the dnsbl.sorbs.net's all ips) I see no
> connection to the sorbs server. I just wanted to know if the above
> restriction is working or not, and can't think of another way to
> test it.
tcpdump, is it looking at UDP packets? Most DNS queries are UDP. Also,
Postfix is not going to be the process reaching out to SORBS NS; that
would be your nameserver. If you're not running your own nameserver,
you will not go to SORBS at all, you will consult with nameservers
listed in your resolv.conf file.
> Is this a bad config, or is there another way to test if postfix
> checks the sorbs database?
Verbose logging would verify that it's working.
--
Offlist mail to this address is discarded unless
"/dev/rob0" or "not-spam" is in Subject: header
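
The lookup described in the reply above, as an added example that is not part of the original message: it builds the reversed-octet query name for a client IP and checks it through the system resolver, which is why no packets go straight to the SORBS servers. The function names and the sample zone data are hypothetical; the IPv6 nibble form goes beyond the IPv4 case in the thread, and 127.0.0.2 is the conventional DNSBL test entry (RFC 5782).

```python
import ipaddress
import socket


def dnsbl_query_name(client_ip, zone):
    """Build the DNS name looked up for client_ip in a DNSBL zone."""
    ip = ipaddress.ip_address(client_ip)
    if ip.version == 4:
        labels = reversed(str(ip).split("."))            # w.x.y.z -> z.y.x.w
    else:
        labels = reversed(ip.exploded.replace(":", ""))  # IPv6: reversed nibbles
    return ".".join(labels) + "." + zone.strip(".") + "."


def system_resolver(name):
    """A-record lookup through the resolver configured in resolv.conf.

    Returns [] for "no such name". A resolver failure also ends up here,
    so an empty answer alone does not prove the list was reachable.
    """
    try:
        return socket.gethostbyname_ex(name)[2]
    except (socket.gaierror, socket.herror):
        return []


def check_dnsbl(client_ip, zone, resolve=system_resolver):
    """Return (query_name, listed, answers).

    Any A record counts as listed, matching reject_rbl_client used
    without an "=d.d.d.d" filter.
    """
    name = dnsbl_query_name(client_ip, zone)
    answers = resolve(name)
    return name, bool(answers), answers


# Constructed zone data so the example runs offline (not real SORBS output).
SAMPLE_ZONE = {"2.0.0.127.dnsbl.sorbs.net.": ["127.0.0.2"]}


def sample_resolver(name):
    """Stand-in resolver (assumption for this example) backed by SAMPLE_ZONE."""
    return SAMPLE_ZONE.get(name, [])


if __name__ == "__main__":
    for ip in ("127.0.0.2", "192.0.2.10"):
        print(check_dnsbl(ip, "dnsbl.sorbs.net", sample_resolver))
```

Calling `check_dnsbl` without the third argument uses the system resolver, so the query takes the same path as the one Postfix triggers.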