RE: Looking to bypass blackhole lists for certain users

From: Curt LeCaptain (lecaptaincinfinitytechnology.com)
Date: Thu Feb 01 2007 - 11:24:00 CST


 

-----Original Message-----
From: owner-postfix-userspostfix.org
[mailto:owner-postfix-userspostfix.org] On Behalf Of Sheldon T. Hall
Sent: Thursday, February 01, 2007 11:17 AM
To: postfix-userspostfix.org
Subject: RE: Looking to bypass blackhole lists for certain users

 Quoth Curt LeCaptain ...

> Here's what I'm looking at doing:
>
> For specific addresses on the server, I'd like to have anyone be able
> to send mail to them and bypass blackhole list checks. My assumption
> (it may be wrong) is the following config for
> smtpd_recipient_restrictions
>
> smtpd_recipient_restrictions = permit_mynetworks
> check_sender_access = hash:/etc/postfix/spamfriends <-----Line in question
> permit_sasl_authenticated
> check_client_access hash:/etc/postfix/pop-before-smtp
> reject_unauth_pipelining
> reject_non_fqdn_hostname
> reject_non_fqdn_sender
> reject_non_fqdn_recipient
> reject_unknown_sender_domain
> reject_unknown_recipient_domain
> reject_unauth_destination
> reject_rbl_client combined.njabl.org
> reject_rbl_client bl.spamcop.net
> reject_rbl_client list.dsbl.org
> reject_rbl_client zen.spamhaus.org
> permit
>
> My spamfriends hash table is the following:
>
> user@example.com OK
> user2@example.com OK

That makes you an open relay for anyone _claiming_ to be one of the
senders in your spamfriends whitelist.

It would be better to minimize the potential damage by putting
"check_sender_access = hash:/etc/postfix/spamfriends" immediately before
your first blacklist, after all the other checks. In any case, be sure
to have "reject_unauth_destination" before your whitelist.

-Shel

Alright, here's my next question, then.

Here's my fixed edition:

smtpd_recipient_restrictions = permit_mynetworks
      permit_sasl_authenticated
      check_client_access hash:/etc/postfix/pop-before-smtp
      reject_unauth_pipelining
      reject_non_fqdn_hostname
      reject_non_fqdn_sender
      reject_non_fqdn_recipient
      reject_unknown_sender_domain
      reject_unknown_recipient_domain
      reject_unauth_destination
      check_sender_access hash:/etc/postfix/spamfriends
      reject_rbl_client combined.njabl.org
      reject_rbl_client bl.spamcop.net
      reject_rbl_client list.dsbl.org
      reject_rbl_client zen.spamhaus.org
      permit

When I test from an IP address I know gets blocked by combined.njabl.org
to the rcpt to:<user@example.com>, I'm still being rejected by the
blackhole list, as if it's ignoring the OK. Am I missing something
more?
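
The rule ordering and lookup keys discussed in this thread, as an added example that is not part of any poster's message and is not Postfix code: a simplified Python model of first-match evaluation of smtpd_recipient_restrictions. It assumes exact full-address table keys; the IP addresses, the non-local addresses and the check_recipient_access variant (a real Postfix restriction that the thread itself does not mention) are constructed for illustration.

```python
# Simplified model: restrictions run in order, the first PERMIT or REJECT wins.
# Real Postfix access tables also match domain and localpart@ keys; this model
# uses exact full addresses only. All sample data below is constructed.
LOCAL_DOMAINS = {"example.com"}        # domains this server accepts mail for
RBL_LISTED = {"192.0.2.25"}            # client IPs a DNSBL would list
FRIENDS = {"user@example.com": "OK"}   # spamfriends table from the thread


def evaluate(rules, client_ip, sender, recipient):
    """Return (verdict, deciding_rule) for a single RCPT TO command."""
    for rule in rules:
        if rule == "reject_unauth_destination":
            if recipient.rsplit("@", 1)[-1] not in LOCAL_DOMAINS:
                return "REJECT", rule
        elif rule == "check_sender_access":      # key: MAIL FROM address
            if FRIENDS.get(sender) == "OK":
                return "PERMIT", rule
        elif rule == "check_recipient_access":   # key: RCPT TO address
            if FRIENDS.get(recipient) == "OK":
                return "PERMIT", rule
        elif rule == "reject_rbl_client":
            if client_ip in RBL_LISTED:
                return "REJECT", rule
        elif rule == "permit":
            return "PERMIT", rule
    return "PERMIT", "end of list"


# Whitelist ahead of the relay check (first config in the thread).
ORIGINAL = ["check_sender_access", "reject_unauth_destination",
            "reject_rbl_client", "permit"]
# Whitelist moved after reject_unauth_destination (the "fixed edition").
FIXED_ORDER = ["reject_unauth_destination", "check_sender_access",
               "reject_rbl_client", "permit"]
# Same position, but the table is looked up by recipient instead of sender.
BY_RECIPIENT = ["reject_unauth_destination", "check_recipient_access",
                "reject_rbl_client", "permit"]

if __name__ == "__main__":
    forged = ("198.51.100.7", "user@example.com", "someone@other.example")
    listed = ("192.0.2.25", "stranger@other.example", "user@example.com")
    print("original, forged sender, remote rcpt:", evaluate(ORIGINAL, *forged))
    print("fixed order, same message:           ", evaluate(FIXED_ORDER, *forged))
    print("fixed order, RBL-listed client:      ", evaluate(FIXED_ORDER, *listed))
    print("recipient lookup, RBL-listed client: ", evaluate(BY_RECIPIENT, *listed))
```

In the third case the table is consulted with the envelope sender, so an entry that names the recipient never matches and the DNSBL check still runs.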