RE: Looking to bypass blackhole lists for certain users

From: Noel Jones (njones@megan.vbhcs.org)
Date: Thu Feb 01 2007 - 12:03:40 CST


At 11:24 AM 2/1/2007, Curt LeCaptain wrote:
>Alright, here's my next question, then.
>
>Here's my fixed edition:
>
>smtpd_recipient_restrictions = permit_mynetworks
> permit_sasl_authenticated
> check_client_access hash:/etc/postfix/pop-before-smtp
> reject_unauth_pipelining
> reject_non_fqdn_hostname
> reject_non_fqdn_sender
> reject_non_fqdn_recipient
> reject_unknown_sender_domain
> reject_unknown_recipient_domain
> reject_unauth_destination
> check_sender_access hash:/etc/postfix/spamfriends
> reject_rbl_client combined.njabl.org
> reject_rbl_client bl.spamcop.net
> reject_rbl_client list.dsbl.org
> reject_rbl_client zen.spamhaus.org
> permit
>
>When I test from an IP address I know gets blocked by combined.njabl.org
>to the rcpt to:<user@example.com>, I'm still being rejected by the
>blackhole list, as if it's ignoring the OK. Am I missing something
>more?

You need to do it like so:
smtpd_recipient_restrictions =
# first, permit authorized relaying
    permit_mynetworks
    permit_sasl_authenticated
    check_client_access hash:/etc/postfix/pop-before-smtp
# prevent anyone else from relaying
    reject_unauth_destination
# whitelist buddies. Note it's generally preferred to whitelist
# by client IP rather than sender mail address
    check_sender_access hash:/etc/postfix/spamfriends
    check_client_access hash:/etc/postfix/client_whitelist
# UCE controls applied to everyone else
    reject_non_fqdn_hostname
    reject_non_fqdn_sender
    reject_non_fqdn_recipient
    reject_unknown_sender_domain
    reject_rbl_client combined.njabl.org
    reject_rbl_client bl.spamcop.net
    reject_rbl_client list.dsbl.org
    reject_rbl_client zen.spamhaus.org
    permit

Note: it's generally unwise to use "reject_unknown_recipient_domain"
on a general purpose MTA - all it can possibly do here is reject your
own mail if your DNS has a hiccup. It's intended to be used on an
MSA *before* permit_mynetworks and friends to prevent local users
from sending to invalid domains - even then it might not work well as
some MUAs give rather cryptic error messages when a submission is rejected.

Note2: reject_unauth_pipelining is not effective in
smtpd_recipient_restrictions. Use it in smtpd_data_restrictions instead.

If you still can't get this to work, show "postconf -n" output and
the log entry showing the rejection.

--
Noel Jones
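To make the ordering rule in the reply concrete, here is an added Python simulation of how Postfix walks a restriction list. It is not code from the thread or from Postfix: the restriction checks are simplified stand-ins with no DNS or RBL lookups, and every IP address, domain, table entry and session below is constructed for the demo. It compares three orderings of the same restrictions (the original post's, the recommended one, and a variant with the whitelists ahead of reject_unauth_destination) to show that an access-map OK only bypasses the checks placed after it, and that placing it before reject_unauth_destination lets anyone who forges a whitelisted sender relay through the server.

```python
"""Simulate how Postfix walks an smtpd_recipient_restrictions list.

Added example; not code from the thread or from Postfix. Postfix evaluates
restrictions left to right. Each one answers PERMIT, REJECT or DUNNO ("no
opinion"); the first PERMIT or REJECT ends the list, DUNNO moves on to the
next entry, and an access-map hit of "OK" counts as PERMIT. The checks below
are simplified stand-ins (no DNS, no real RBL queries) and all addresses,
domains and table contents are constructed for this demo.
"""

PERMIT, REJECT, DUNNO = "PERMIT", "REJECT", "DUNNO"

# Constructed stand-ins for $mynetworks, the local domains and the hash: maps.
MYNETWORKS = {"192.0.2.10"}
LOCAL_DOMAINS = {"example.com"}                  # mail we are allowed to accept
SPAMFRIENDS = {"friend@partner.example": "OK"}   # hash:/etc/postfix/spamfriends
CLIENT_WHITELIST = {"198.51.100.5": "OK"}        # hash:/etc/postfix/client_whitelist
RBL_LISTED = {"203.0.113.7", "198.51.100.5"}     # what a real RBL lookup would flag


def _access(table, key):
    """Map an access(5) table result onto a restriction verdict."""
    return {"OK": PERMIT, "REJECT": REJECT}.get(table.get(key), DUNNO)


def _is_fqdn(name):
    return "." in name.strip(".")


# The restrictions used in the thread, each a function of the SMTP session.
# The four reject_rbl_client lines are collapsed into one lookup here.
RESTRICTIONS = {
    "permit_mynetworks": lambda s: PERMIT if s["client_ip"] in MYNETWORKS else DUNNO,
    "permit_sasl_authenticated": lambda s: PERMIT if s["sasl"] else DUNNO,
    "reject_unauth_destination": lambda s: DUNNO if s["recipient"].rsplit("@", 1)[1] in LOCAL_DOMAINS else REJECT,
    "check_sender_access": lambda s: _access(SPAMFRIENDS, s["sender"]),
    "check_client_access": lambda s: _access(CLIENT_WHITELIST, s["client_ip"]),
    "reject_non_fqdn_hostname": lambda s: DUNNO if _is_fqdn(s["helo"]) else REJECT,
    "reject_rbl_client": lambda s: REJECT if s["client_ip"] in RBL_LISTED else DUNNO,
    "permit": lambda s: PERMIT,
}


def evaluate(order, session):
    """Return (verdict, deciding restriction); Postfix permits if nothing decides."""
    for name in order:
        verdict = RESTRICTIONS[name](session)
        if verdict != DUNNO:
            return verdict, name
    return PERMIT, None


# The original list (reduced to the restrictions modelled above) puts UCE
# checks before the sender whitelist, so the whitelist cannot bypass them.
ORIGINAL_ORDER = [
    "permit_mynetworks", "permit_sasl_authenticated", "reject_non_fqdn_hostname",
    "reject_unauth_destination", "check_sender_access", "reject_rbl_client", "permit",
]
# The recommended shape: relay permits, then reject_unauth_destination, then
# whitelists, then everything else.
RECOMMENDED_ORDER = [
    "permit_mynetworks", "permit_sasl_authenticated", "reject_unauth_destination",
    "check_sender_access", "check_client_access", "reject_non_fqdn_hostname",
    "reject_rbl_client", "permit",
]
# A tempting but wrong variant: whitelists ahead of reject_unauth_destination.
WHITELIST_TOO_EARLY = [
    "permit_mynetworks", "permit_sasl_authenticated", "check_sender_access",
    "check_client_access", "reject_unauth_destination", "reject_non_fqdn_hostname",
    "reject_rbl_client", "permit",
]

# Constructed SMTP sessions.
FRIEND_BAD_HELO = {"client_ip": "203.0.113.7", "helo": "mailserver", "sasl": False,
                   "sender": "friend@partner.example", "recipient": "user@example.com"}
RELAY_ATTEMPT = {"client_ip": "203.0.113.7", "helo": "mx.partner.example", "sasl": False,
                 "sender": "friend@partner.example", "recipient": "victim@other.example"}
WHITELISTED_CLIENT = {"client_ip": "198.51.100.5", "helo": "mx.somewhere.example", "sasl": False,
                      "sender": "stranger@somewhere.example", "recipient": "user@example.com"}

if __name__ == "__main__":
    for label, order in [("original", ORIGINAL_ORDER), ("recommended", RECOMMENDED_ORDER),
                         ("whitelist too early", WHITELIST_TOO_EARLY)]:
        for sname, session in [("friend, non-FQDN HELO", FRIEND_BAD_HELO),
                               ("relay attempt", RELAY_ATTEMPT),
                               ("whitelisted client on RBL", WHITELISTED_CLIENT)]:
            print(f"{label:20} {sname:28} -> {evaluate(order, session)}")
```

Running it prints one verdict per ordering and session. Under the original ordering the whitelisted friend is still rejected by reject_non_fqdn_hostname because that check sits ahead of the whitelist; under the recommended ordering the friend is permitted by check_sender_access while the relay attempt is still stopped by reject_unauth_destination; under the "whitelist too early" ordering the relay attempt is permitted, which is exactly the open-relay outcome the reply's comment ordering is meant to prevent, and also why whitelisting by client IP is safer than by (forgeable) sender address.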