Immediate reject without calling policy service

From: elaconta.com Webmaster (webmasterelaconta.com)
Date: Sat Dec 02 2006 - 06:48:22 CST


Hi

I've recently deployed MARBL (http://www.orangegroove.net/code/marbl/)
to perform selective greylisting under Postfix as a policy server, and
it absolutely rocks, giving us all the benefits of greylisting with no
delay for most legitimate senders and about zero false positives.
Now that I have my Postfix configuration down cold, I'm into maximum
optimization.
When an email is sent to a non-existent email address in a domain, the
marbl daemon seems to be queried before rejection. Is there any way for
me to rearrange my restrictions so that email to nonexistent addresses
will be rejected outright without having to go through MARBL and
therefore avoiding costly DNS lookups?

A snippet of the logs that seems to confirm MARBL is queried before the
REJECT (an email is sent from jimbojamesgmail.com to a non-existent
email in the elaconta.com domain):

Dec 2 11:23:01 pop postfix/smtpd[35619]: connect from ug-out-1314.google.com[66.249.92.174]
Dec 2 11:23:02 pop marbl: Action for 66.249.92.174 (jimbojamesgmail.com => nonexistantelaconta.com): dunno
Dec 2 11:23:02 pop postfix/smtpd[35619]: NOQUEUE: reject: RCPT from ug-out-1314.google.com[66.249.92.174]: 550 <nonexistantelaconta.com>: Recipient address rejected: User unknown in virtual mailbox table; from=<jimbojamesgmail.com> to=<nonexistantelaconta.com> proto=ESMTP helo=<ug-out-1314.google.com>
Dec 2 11:23:02 pop postfix/smtpd[35619]: disconnect from ug-out-1314.google.com[66.249.92.174]

My restrictions are set as:

smtpd_restriction_classes = greylisting
greylisting = check_policy_service inet:127.0.0.1:10031

smtpd_helo_restrictions = reject_invalid_hostname

smtpd_sender_restrictions = permit_mynetworks,
                                reject_non_fqdn_sender,
                                reject_unknown_sender_domain,
                                reject_sender_login_mismatch,
                                permit_sasl_authenticated

smtpd_recipient_restrictions = permit_mynetworks,
                                check_sender_access hash:/usr/local/etc/postfix/spammer,
                                permit_sasl_authenticated,
                                reject_non_fqdn_sender,
                                reject_non_fqdn_recipient,
                                reject_unknown_recipient_domain,
                                check_helo_access hash:/usr/local/etc/postfix/helo_checks,
                                reject_unauth_destination,
                                reject_spf_invalid_sender,
                                reject_rbl_client sbl-xbl.spamhaus.org,
                                check_policy_service inet:127.0.0.1:2552

smtpd_data_restrictions = reject_unauth_pipelining

The policy service running at 127.0.0.1:2552 is MARBL. If MARBL returns
a "greylist" response, it will "summon" the greylisting policy daemon
running at 127.0.0.1:10031.

--------------------------------------
Elaconta.com Webmaster
--------------------------------------
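Editor's note: the script below is an added example for the ordering question in the post above. It is not the poster's code and not part of MARBL or Postfix. It rests on two documented Postfix behaviours: a restriction list is evaluated left to right and stops at the first OK or REJECT, and the unlisted-recipient check that the default smtpd_reject_unlisted_recipient = yes provides is applied only after the explicit smtpd_recipient_restrictions, unless reject_unlisted_recipient is written into that list. That is exactly what the log shows: marbl answers "dunno", and only then does smtpd emit the 550 from the virtual mailbox table. The script parses a main.cf fragment (the sample is the sender and recipient lists from the post, reproduced inline), reports the DNS and policy-daemon restrictions that are reached before the recipient has been validated, and produces a reordered list with reject_unlisted_recipient placed ahead of them. The parameter and restriction names are Postfix's own; the function names and the EXPENSIVE classification are this example's.

```python
# Added example (not the poster's code, nor part of MARBL or Postfix). Assumes
# Postfix's documented evaluation: a restriction list runs left to right and
# stops at the first OK/REJECT, and the implicit unlisted-recipient check that
# smtpd_reject_unlisted_recipient=yes provides runs only after the explicit list.
import re

# Restrictions that cost a DNS lookup or a policy-daemon round trip
# (this set is the example's own classification, not a Postfix concept).
EXPENSIVE = {"check_policy_service", "reject_rbl_client", "reject_rhsbl_client",
             "reject_rhsbl_sender", "reject_rhsbl_recipient",
             "reject_unknown_sender_domain", "reject_unknown_recipient_domain",
             "reject_unknown_client_hostname", "reject_unknown_helo_hostname"}
TAKES_ARG = ("check_", "reject_rbl_", "reject_rhsbl_")  # name plus one argument
RCPT_CHECK = "reject_unlisted_recipient"

# Constructed sample: the sender and recipient lists posted above.
SAMPLE_MAIN_CF = """\
smtpd_sender_restrictions = permit_mynetworks, reject_non_fqdn_sender,
    reject_unknown_sender_domain, reject_sender_login_mismatch,
    permit_sasl_authenticated
smtpd_recipient_restrictions = permit_mynetworks,
    check_sender_access hash:/usr/local/etc/postfix/spammer,
    permit_sasl_authenticated,
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    reject_unknown_recipient_domain,
    check_helo_access hash:/usr/local/etc/postfix/helo_checks,
    reject_unauth_destination,
    reject_spf_invalid_sender,
    reject_rbl_client sbl-xbl.spamhaus.org,
    check_policy_service inet:127.0.0.1:2552
"""

def parse_main_cf(text):
    """Parse main.cf / 'postconf -n' text; whitespace-led lines continue the previous value."""
    params, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t":
            params[current] += " " + raw.strip()
            continue
        name, sep, value = raw.partition("=")
        if not sep:
            raise ValueError("malformed line: %r" % raw)
        current = name.strip()
        params[current] = value.strip()
    return params

def split_restrictions(value):
    """Tokenise a restriction list, keeping an argument attached to the
    restriction that takes it ('check_policy_service inet:127.0.0.1:2552')."""
    words = [w for w in re.split(r"[,\s]+", value) if w]
    tokens, i = [], 0
    while i < len(words):
        if words[i].startswith(TAKES_ARG) and i + 1 < len(words):
            tokens.append(words[i] + " " + words[i + 1])
            i += 2
        else:
            tokens.append(words[i])
            i += 1
    return tokens

def wasted_before_recipient_check(tokens):
    """Expensive entries reached before reject_unlisted_recipient (all of them if it is absent)."""
    wasted = []
    for tok in tokens:
        if tok.split()[0] == RCPT_CHECK:
            break
        if tok.split()[0] in EXPENSIVE:
            wasted.append(tok)
    return wasted

def fixed_order(tokens):
    """Put reject_unlisted_recipient in front of the first expensive entry. It
    only ever rejects, so moving it forward cannot loosen relay control."""
    tokens = [t for t in tokens if t.split()[0] != RCPT_CHECK]
    for i, tok in enumerate(tokens):
        if tok.split()[0] in EXPENSIVE:
            return tokens[:i] + [RCPT_CHECK] + tokens[i:]
    return tokens + [RCPT_CHECK]

def expensive_before_rcpt_stage(params):
    """Client, helo and sender restrictions are evaluated before the recipient
    list whatever smtpd_delay_reject is set to, so reordering cannot help these."""
    stages = ("smtpd_client_restrictions", "smtpd_helo_restrictions",
              "smtpd_sender_restrictions")
    return [(p, t) for p in stages for t in split_restrictions(params.get(p, ""))
            if t.split()[0] in EXPENSIVE]

def audit(text):
    params = parse_main_cf(text)
    tokens = split_restrictions(params.get("smtpd_recipient_restrictions", ""))
    return (wasted_before_recipient_check(tokens),
            expensive_before_rcpt_stage(params), fixed_order(tokens))

if __name__ == "__main__":
    wasted, early, fixed = audit(SAMPLE_MAIN_CF)
    print("before recipient validation:", wasted)
    print("before smtpd_recipient_restrictions:", early)
    print("smtpd_recipient_restrictions =\n" + ",\n".join("    " + t for t in fixed))
```

Run as-is it audits the posted configuration; on a live server feed it the output of postconf -n. For the posted list it flags reject_unknown_recipient_domain, the Spamhaus lookup and the MARBL policy query as reachable before the recipient is validated, and prints the list with reject_unlisted_recipient inserted just before reject_unknown_recipient_domain. The second finding is the one a reorder of smtpd_recipient_restrictions cannot fix: reject_unknown_sender_domain lives in smtpd_sender_restrictions, and client, helo and sender restrictions are always evaluated ahead of the recipient list (smtpd_delay_reject only decides whether that happens at RCPT TO or earlier), so that DNS lookup still runs for unknown recipients unless it is moved into smtpd_recipient_restrictions after reject_unlisted_recipient. Since reject_unlisted_recipient never returns OK, placing it early cannot turn the server into a relay; reject_unauth_destination stays in the list where it was.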