OSEC

RE: Looking to bypass blackhole lists for certain users

From: Sheldon T. Hall (pftandem.artell.net)
Date: Thu Feb 01 2007 - 11:51:06 CST


Saith Curt LeCaptain ...

> Alright, here's my next question, then.
>
> Here's my fixed edition:
>
> smtpd_recipient_restrictions = permit_mynetworks
>         permit_sasl_authenticated
>         check_client_access hash:/etc/postfix/pop-before-smtp
>         reject_unauth_pipelining
>         reject_non_fqdn_hostname
>         reject_non_fqdn_sender
>         reject_non_fqdn_recipient
>         reject_unknown_sender_domain
>         reject_unknown_recipient_domain
>         reject_unauth_destination
>         check_sender_access hash:/etc/postfix/spamfriends
>         reject_rbl_client combined.njabl.org
>         reject_rbl_client bl.spamcop.net
>         reject_rbl_client list.dsbl.org
>         reject_rbl_client zen.spamhaus.org
>         permit
>
> When I test from an IP address I know gets blocked by combined.njabl.org
> to the rcpt to:<userexample.com>, I'm still being rejected by the
> blackhole list, as if it's ignoring the OK. Am I missing something more?

I thought you wanted to whitelist _senders_ ... if that's the case, a reject
from "an IP address I know gets blocked by
combined.njabl.org to the rcpt to:<userexample.com>" doesn't specify the
right test criteria. You haven't tested the whitelisted _sender_, or at
least haven't indicated that you have in that statement.

FWIW, I do the same thing:

smtpd_recipient_restrictions = permit_mynetworks
        reject_unlisted_recipient
        reject_unauth_destination
        reject_non_fqdn_sender
        reject_non_fqdn_recipient
        reject_non_fqdn_hostname
        reject_invalid_hostname
        reject_unknown_sender_domain
        check_sender_access dbm:/etc/postfix/tables/whitelist
        check_sender_access dbm:/etc/postfix/tables/blacklist
        ...
        check_client_access dbm:/etc/postfix/tables/client_whitelist
        check_client_access cidr:/etc/postfix/tables/private_RBL
        check_client_access regexp:/etc/postfix/tables/client_checks
        reject_rbl_client zen.spamhaus.org
        reject_rbl_client bl.spamcop.net
        reject_rbl_client combined.njabl.org
        reject_rbl_client dnsbl.ahbl.org
        permit

... where whitelist and blacklist are hash tables of sender addresses,
client_whitelist is a table of client domains by name, private_RBL is a CIDR
list of networks that have allowed their users to spam us but aren't on a
blacklist we use, and client_checks has regexes that spot dial-up/dsl/cable
clients who shouldn't be mailing us directly.

So, I know it can work.

Did you forget to postmap your spamfriends file?

-Shel
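
A simplified model of the evaluation order discussed in this message, as an added example that is not part of the original post and is not Postfix code: a check_sender_access OK ends the restriction list before the RBL lookups run, and the recipient is never consulted. The table contents, addresses and client IPs are constructed sample values, and only three restriction types are modelled.

```python
# Simplified model of how a restriction list such as
# smtpd_recipient_restrictions is walked: each restriction returns OK,
# REJECT or DUNNO, and the first result that is not DUNNO decides.
# Assumption: all table contents, addresses and IPs are constructed samples.

SPAMFRIENDS = {"friend@example.org": "OK"}  # stands in for the spamfriends map
RBL_LISTED = {"192.0.2.25"}                 # client IPs the DNSBL would list


def check_sender_access(table):
    """Look up the envelope sender: full address first, then bare domain."""
    def check(session):
        sender = session["sender"].lower()
        domain = sender.rpartition("@")[2]
        return table.get(sender) or table.get(domain) or "DUNNO"
    return check


def reject_rbl_client(listed):
    """Reject when the connecting client IP is on the blackhole list."""
    def check(session):
        return "REJECT" if session["client_ip"] in listed else "DUNNO"
    return check


def permit(session):
    return "OK"


RESTRICTIONS = [
    ("check_sender_access spamfriends", check_sender_access(SPAMFRIENDS)),
    ("reject_rbl_client", reject_rbl_client(RBL_LISTED)),
    ("permit", permit),
]


def evaluate(session, restrictions=RESTRICTIONS):
    """Return (verdict, name of the restriction that decided)."""
    for name, check in restrictions:
        result = check(session)
        if result != "DUNNO":
            return result, name
    return "OK", "end of list"


if __name__ == "__main__":
    base = {"client_ip": "192.0.2.25", "recipient": "user@example.com"}
    # Same listed client and same recipient; only the envelope sender differs.
    print(evaluate({**base, "sender": "stranger@example.net"}))
    print(evaluate({**base, "sender": "friend@example.org"}))
```
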