RE: Looking to bypass blackhole lists for certain users

From: Curt LeCaptain (lecaptaincinfinitytechnology.com)
Date: Thu Feb 01 2007 - 13:44:09 CST


 

-----Original Message-----
From: owner-postfix-userspostfix.org
[mailto:owner-postfix-userspostfix.org] On Behalf Of Noel Jones
Sent: Thursday, February 01, 2007 12:04 PM
To: postfix-userspostfix.org
Subject: RE: Looking to bypass blackhole lists for certain users

At 11:24 AM 2/1/2007, Curt LeCaptain wrote:
>Alright, here's my next question, then.
>
>Here's my fixed edition:
>
>smtpd_recipient_restrictions = permit_mynetworks
> permit_sasl_authenticated
> check_client_access hash:/etc/postfix/pop-before-smtp
> reject_unauth_pipelining
> reject_non_fqdn_hostname
> reject_non_fqdn_sender
> reject_non_fqdn_recipient
> reject_unknown_sender_domain
> reject_unknown_recipient_domain
> reject_unauth_destination
> check_sender_access hash:/etc/postfix/spamfriends
> reject_rbl_client combined.njabl.org
> reject_rbl_client bl.spamcop.net
> reject_rbl_client list.dsbl.org
> reject_rbl_client zen.spamhaus.org
> permit
>
>When I test from an IP address I know gets blocked by
>combined.njabl.org to the rcpt to:<userexample.com>, I'm still being
>rejected by the blackhole list, as if it's ignoring the OK. Am I
>missing something more?

You need to do it like so:
smtpd_recipient_restrictions =
# first, permit authorized relaying
   permit_mynetworks
   permit_sasl_authenticated
   check_client_access hash:/etc/postfix/pop-before-smtp
# prevent anyone else from relaying
   reject_unauth_destination
# whitelist buddies. Note it's generally preferred to whitelist
# by client IP rather than sender mail address
   check_sender_access hash:/etc/postfix/spamfriends
   check_client_access hash:/etc/postfix/client_whitelist
# UCE controls applied to everyone else
       reject_non_fqdn_hostname
       reject_non_fqdn_sender
       reject_non_fqdn_recipient
       reject_unknown_sender_domain
       reject_rbl_client combined.njabl.org
       reject_rbl_client bl.spamcop.net
       reject_rbl_client list.dsbl.org
       reject_rbl_client zen.spamhaus.org
       permit

Note: it's generally unwise to use "reject_unknown_recipient_domain"
on a general purpose MTA - all it can possibly do here is reject your
own mail if your DNS has a hiccup. It's intended to be used on an MSA
*before* permit_mynetworks and friends to prevent local users from
sending to invalid domains - even then it might not work well as some
MUA's give rather cryptic error messages when a submission is rejected.

Note2: reject_unauth_pipelining is not effective in
smtpd_recipient_restrictions. Use it in smtpd_data_restrictions
instead.

If you still can't get this to work, show "postconf -n" output and the
log entry showing the rejection.

--
Noel Jones

Postconf -n output:

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/lib/postfix
debug_peer_level = 2
disable_dns_lookups = no
disable_vrfy_command = yes
header_checks = regexp:/etc/postfix/header_checks
html_directory = no
inet_interfaces = all
local_recipient_maps = proxy:unix:passwd.byname $alias_maps
$virtual_mailbox_domains
mail_owner = postfix
mail_spool_directory = /var/spool/mail
mailbox_command = /usr/bin/procmail -f- -a "$USER"
mailbox_size_limit = 0
mailq_path = /usr/bin/mailq
manpage_directory = /usr/local/man
message_size_limit = 10240000
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
mydomain = example.com
myhostname = mail.example.com
mynetworks = /etc/postfix/networks
mynetworks_style = subnet
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = no
relay_domains = $mydestination
sample_directory = /etc/postfix
sendmail_path = /usr/sbin/sendmail
setgid_group = postdrop
smtp_use_tls = no
smtpd_banner = $myhostname ESMTP $mail_name
smtpd_data_restrictions = reject_unauth_pipelining permit
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks reject_unknown_hostname
reject_invalid_hostname reject_non_fqdn_hostname
smtpd_recipient_restrictions = permit_mynetworks
permit_sasl_authenticated check_client_access
hash:/etc/postfix/pop-before-smtp reject_unauth_destination
check_sender_access hash:/etc/postfix/spamfriends
reject_non_fqdn_hostname reject_non_fqdn_sender
reject_non_fqdn_recipient reject_unknown_sender_domain
check_sender_access hash:/etc/postfix/spamfriends reject_rbl_client
combined.njabl.org reject_rbl_client bl.spamcop.net
reject_rbl_client list.dsbl.org reject_rbl_client zen.spamhaus.org
permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_security_options = noanonymous
smtpd_sender_restrictions = reject_rhsbl_sender dsn.rfc-ignorant.org
check_sender_access hash:/etc/postfix/spammers reject_non_fqdn_sender
smtpd_use_tls = no
unknown_local_recipient_reject_code = 550
virtual_alias_domains = /etc/postfix/domains
virtual_alias_maps = hash:/etc/postfix/virtual

Log Entry:
Feb 1 13:37:36 admin postfix/smtpd[24392]: connect from
CPE-ip-add-re-ss.new.res.rr.com[ip.add.re.ss]
Feb 1 13:37:48 admin postfix/smtpd[24392]: NOQUEUE: reject: RCPT from CPE-ip-add-re-ss.new.res.rr.com[ip.add.re.ss]: 554 Service unavailable; Client host [ip.add.re.ss] blocked using combined.njabl.org; Dynamic/Residential IP range listed by NJABL dynablock - http://njabl.org/dynablock.html; from=<curtlecaptain.org> to=<nfelditol.com> proto=SMTP helo=<itol.com>
Feb 1 13:37:51 admin postfix/smtpd[24392]: disconnect from
CPE-ip-add-re-ss.new.res.rr.com[ip.add.re.ss]

The following line also appears, and it's to be fixed this Sunday, due
to the way our scripts are written right now for our old server.
Feb 1 13:37:48 admin postfix/trivial-rewrite[24395]: warning: do not list domain example.com in BOTH mydestination and virtual_alias_domains

I'm still having issues, again, here's what my spamfriends file looks
like (And yes, I've run a postmap on the file, and restarted postfix.)

user1example.com OK
user2example.com OK

Thanks,
Curt
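
Added example (not part of the original thread, and not Postfix code): a simplified Python model of first-match evaluation in smtpd_recipient_restrictions, showing that check_sender_access is keyed on the envelope sender while check_recipient_access is keyed on the envelope recipient. The addresses, the client IP and the assumption that the spamfriends entries are local recipients are constructed for illustration.

```python
# Simplified model of how Postfix walks smtpd_recipient_restrictions:
# restrictions run in order; the first OK or REJECT ends the evaluation.

SPAMFRIENDS = {"user1@example.com": "OK", "user2@example.com": "OK"}  # constructed
RBL_LISTED = {"192.0.2.25"}  # constructed: client IPs the DNSBL lists

def access_lookup(table, address):
    """Reduced access(5) search order: full address, domain, then user@."""
    address = address.lower()
    user, _, domain = address.partition("@")
    for key in (address, domain, user + "@"):
        if key in table:
            return table[key]
    return "DUNNO"  # no match: fall through to the next restriction

def evaluate(restrictions, client_ip, sender, recipient):
    """Return (verdict, name of the restriction that decided)."""
    for name, arg in restrictions:
        if name == "check_sender_access":
            result = access_lookup(arg, sender)      # keyed on MAIL FROM
        elif name == "check_recipient_access":
            result = access_lookup(arg, recipient)   # keyed on RCPT TO
        elif name == "reject_rbl_client":
            result = "REJECT" if client_ip in arg else "DUNNO"
        elif name == "permit":
            result = "OK"
        else:
            raise ValueError("restriction not modelled: " + name)
        if result != "DUNNO":
            return result, name
    return "OK", "(end of list)"

# Tail of the restriction list as posted, and a variant keyed on the recipient.
AS_POSTED = [
    ("check_sender_access", SPAMFRIENDS),
    ("reject_rbl_client", RBL_LISTED),
    ("permit", None),
]
BY_RECIPIENT = [("check_recipient_access", SPAMFRIENDS)] + AS_POSTED[1:]

def demo():
    """Listed client, outside sender, recipient present in spamfriends."""
    msg = dict(client_ip="192.0.2.25", sender="someone@remote.example",
               recipient="user1@example.com")
    return evaluate(AS_POSTED, **msg), evaluate(BY_RECIPIENT, **msg)

if __name__ == "__main__":
    print(demo())
```

In main.cf terms the second list corresponds to "check_recipient_access hash:/etc/postfix/spamfriends" in the whitelist position of the ordering above, still after reject_unauth_destination so that an OK result cannot authorize relaying.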