From: Jorey Bump (list@joreybump.com)
Date: Tue May 01 2007 - 09:06:32 CDT
Dennis Putnam wrote:
> On May 1, 2007, at 8:44 AM, Jorey Bump wrote:
>>
>> And simply delete or comment out this line:
>>
>>> smtpd_recipient_restrictions =
>>> permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination,permit
>>>
>
> This creates new problems. I thought I understood what these parameters
> did from the documentation but clearly I am not understanding the docs
> at all. If I remove 'permit_mynetworks' then all outgoing mail gets a
> relay denied error. If I remove 'reject_unauth_destination' I get this:
>
> May 1 08:58:20 xserveoda postfix/smtpd[4921]: fatal: parameter
> "smtpd_recipient_restrictions": specify at least one working instance
> of: check_relay_domains, reject_unauth_destination, reject, defer or
> defer_if_permit
Then don't do that. :)
> I guess removing the sasl statement is the only one that doesn't seem to
> cause a problem. However, my problem user is still a problem.
I'm not sure why you're removing permit_sasl_authenticated, but if you
don't need it, no harm done.
> May 1 08:54:35 xserveoda postfix/smtpd[4785]: NOQUEUE: reject: RCPT
> from imf24aec.mail.bellsouth.net[205.152.59.72]: 554 Service
> unavailable; Client host [205.152.59.72] blocked using dnsbl.sorbs.net;
> Spam Received Recently See:
> http://www.sorbs.net/lookup.shtml?205.152.59.72 / Escalated Listing
> (Spam or Spam Support) See:
> http://www.sorbs.net/lookup.shtml?205.152.59.72;
> from=<dap@home.bellsouth.net> to=<dennis.putnam@aimaudit.com>
> proto=ESMTP helo=<imf24aec.mail.bellsouth.net>
It appears your whitelist is not being consulted. Be sure to issue a
'postfix reload' after editing main.cf.
> Here's a new 'postconf -n':
> smtpd_recipient_restrictions = reject_non_fqdn_sender
> reject_unknown_sender_domain check_sender_access
> hash:/etc/postfix/sender_whitelist permit_mynetworks
> reject_unauth_destination reject_rbl_client bl.spamcop.net
> reject_rbl_client dnsbl.sorbs.net reject_rbl_client
> cbl.abuseat.org reject_rbl_client dnsbl.njabl.org
> check_client_access hash:/etc/postfix/smtpdreject
Okay, looks good.
> smtpd_sasl_auth_enable = yes
> smtpd_tls_key_file =
> smtpd_use_pw_server = yes
Put permit_sasl_authenticated back before permit_mynetworks in
smtpd_recipient_restrictions, if you are using authentication for
submission via port 25.
>> You might still have a bit of tweaking to do, but this should give you
>> a working configuration. Be especially careful with what you put in
>> your whitelist. Rejections are easy to manage, but whitelisting can
>> allow unauthorized relaying if done improperly.
>
> Could you elaborate a little on this? As long as I don't use wildcards
> in my white list, am I not safe? Also, just as a refresher, once again
> here is my current sender_whitelist file:
>
> # This is a list of senders that will be accepted even if the server has
> # been blacklisted.
> #
> # REMEMBER to run 'make' after changes
> #
> dap1@bellsouth.net permit_auth_destination
This looks fine. Be sure to run 'postmap sender_whitelist' in
/etc/postfix, and check your log to be sure there are no associated errors.
I've duplicated your configuration (easy, since you've nearly duplicated
mine), and it works for me (my residential IP is in one of the RBLs, and
I can now send from my home computer using the same format you're
using). At this point, you'll need to check your logs for clues, but
I'll save you some searching:
dap@home.bellsouth.net != dap1@bellsouth.net
If you want to keep things simple, use this in sender_whitelist:
bellsouth.net permit_auth_destination
That's safe enough, but it means that anyone can bypass the RBL check by
forging the envelope sender address as being from bellsouth.net. Not a
big deal, here, but an example of why I avoid whitelists for lower
maintenance solutions. If you're trying to send mail to your server from
a dynamic residential IP *without authentication*, then this is as
appropriate a solution as any other.
Note that you'll have to put your map *after* reject_unauth_destination
if you use the bellsouth.net address for outgoing mail (in which case,
you should really use their mail server, instead).
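The following is an added example, not code from the thread or from Postfix itself. It simulates, without a Postfix install, two things the reply relies on: the sanity check behind the "specify at least one working instance of ..." fatal error quoted from the log, and the order in which check_sender_access tries keys for an envelope sender in an access(5) map, which is why a `dap1@bellsouth.net` entry never matches a sender of dap@home.bellsouth.net while a bare `bellsouth.net` entry does. The maps and restriction lists are constructed for the example, and the key order assumes the default parent_domain_matches_subdomains (which lists smtpd_access_maps, so a bare domain entry also covers its subdomains).

```shell
#!/bin/sh
# Added example: simulates Postfix's smtpd_recipient_restrictions sanity
# check and check_sender_access key lookup. Not Postfix code.

# 1. Return 0 if the restriction list contains at least one relay-control
#    restriction (the set named in the fatal error in the log), else 1.
relay_control_present() {
    for r in $1; do
        case $r in
            check_relay_domains|reject_unauth_destination|reject|defer|defer_if_permit)
                return 0 ;;
        esac
    done
    return 1
}

# 2a. Emit the keys tried for a sender address, one per line, in order:
#     full address, the domain and each parent domain, then "user@".
#     Assumes the default parent_domain_matches_subdomains setting.
sender_keys() {
    addr=$1
    user=${addr%@*}
    d=${addr#*@}
    echo "$addr"
    while [ -n "$d" ]; do
        echo "$d"
        case $d in
            *.*) d=${d#*.} ;;
            *)   d= ;;
        esac
    done
    echo "$user@"
}

# 2b. Look a sender up in a map given as "key action" lines and print the
#     action of the first matching key, or "none" (return 1) if nothing matches.
lookup_sender() {
    map=$1
    addr=$2
    for key in $(sender_keys "$addr"); do
        action=$(printf '%s\n' "$map" | awk -v k="$key" '$1 == k { print $2; exit }')
        if [ -n "$action" ]; then
            echo "$action"
            return 0
        fi
    done
    echo none
    return 1
}

# Constructed maps in access(5) format: the entry from the thread that did
# not match, and the simpler domain-wide entry suggested in the reply.
MAP_SPECIFIC='dap1@bellsouth.net permit_auth_destination'
MAP_DOMAIN='bellsouth.net permit_auth_destination'

# Constructed restriction lists: a working one modelled on the postconf -n
# output above, and one with no relay control that smtpd would refuse to run.
RESTRICTIONS_OK='reject_non_fqdn_sender reject_unknown_sender_domain check_sender_access hash:/etc/postfix/sender_whitelist permit_mynetworks reject_unauth_destination reject_rbl_client bl.spamcop.net'
RESTRICTIONS_BAD='permit_sasl_authenticated permit_mynetworks permit'

main() {
    if relay_control_present "$RESTRICTIONS_OK"; then
        echo "working list: relay control present"
    fi
    if ! relay_control_present "$RESTRICTIONS_BAD"; then
        echo "bad list: smtpd would exit with the fatal error from the log"
    fi
    echo "keys tried for dap@home.bellsouth.net:"
    sender_keys dap@home.bellsouth.net | sed 's/^/  /'
    echo "dap@home.bellsouth.net vs dap1@bellsouth.net entry: $(lookup_sender "$MAP_SPECIFIC" dap@home.bellsouth.net)"
    echo "dap@home.bellsouth.net vs bellsouth.net entry:      $(lookup_sender "$MAP_DOMAIN" dap@home.bellsouth.net)"
}
main
```

Run it with `sh` on any POSIX shell; the output shows the first map yields `none` and the second yields `permit_auth_destination`, matching the point made above about the two addresses. Because the domain-wide entry matches on the envelope sender only, it also illustrates the forged-sender bypass the reply warns about, which is why the real whitelist should be run through `postmap` and kept as narrow as the deployment allows.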