Re: Whitelisting Redux

From: Dennis Putnam (dennis.putnamaimaudit.com)
Date: Tue May 01 2007 - 09:49:47 CDT


On May 1, 2007, at 10:06 AM, Jorey Bump wrote:
>
>
> Then don't do that. :)

:-)

>
> I'm not sure why you're removing permit_sasl_authenticated, but if
> you don't need it, no harm done.

I thought that was what you suggested I do.

>
> It appears your whitelist is not being consulted. Be sure to issue
> a 'postfix reload' after editing main.cf.

I do/did. Why would the white list not be consulted?

>
> Okay, looks good.

Except it doesn't work. :-)

>
> Put permit_sasl_authenticated back before permit_mynetworks in
> smtpd_recipient_restrictions, if you are using authentication for
> submission via port 25.

It seems to be working without it but I will. In any case this is not
affecting the white list is it?

>
> This looks fine. Be sure to run 'postmap sender_whitelist' in /etc/
> postfix, and check your log to be sure there are no associated errors.

Done.

>
> I've duplicated your configuration (easy, since you've nearly
> duplicated mine), and it works for me (my residential IP is in one
> of the RBLs, and I can now send from my home computer using the
> same format you're using). At this point, you'll need to check your
> logs for clues, but I'll save you some searching:
>
> daphome.bellsouth.net != dap1bellsouth.net

I missed that detail. I didn't think it used the FROM field since
that is easily spoofed. The difference is whether the mail originated
on a Linux box or Windows box. The bad news is that when I add that
to my white list it still doesn't work.

>
> If you want to keep things simple, use this in sender_whitelist:
>
> bellsouth.net permit_auth_destination
>
> That's safe enough, but it means that anyone can bypass the RBL
> check by forging the envelope sender address as being from
> bellsouth.net. Not a big deal, here, but an example why I avoid
> whitelists for lower maintenance solutions. If you're trying to
> send mail to your server from a dynamic residential IP *without
> authentication*, then this is as appropriate a solution as any other.

I don't really want to open it to all but I might have to try that
just to see if anything can get through. Will that also work if the
hostname is home.bellsouth.net? Actually I need to get this working
not just for this user but for others as well. I want to make sure it
all works and I understand it before adding more users. These
otherwise legitimate ISPs that refuse to take responsibility for spam
originating on their networks drive me nuts. I have things pretty
tight so we get very little spam leaking through but there are a few
legitimate sources that don't.

>
> Note that you'll have to put your map *after*
> reject_unauth_destination if you use the bellsouth.net address for
> outgoing mail (in which case, you should really use their mail
> server, instead).
>

Now I'm confused (as usual). If I send something to
dap1bellsouth.net it will be rejected? Outgoing mail cannot go to
'bellsouth.net' as that does not resolve to an smtp server. I thought
postfix looked up the MX record for that address instead.
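The restriction ordering and whitelist map the two posters are discussing, written out as an added example (not either poster's configuration). Assumptions are labelled in comments: the RBL hostname and the full whitelist address are placeholders, and the map path follows the /etc/postfix/sender_whitelist name used in the thread.

```conf
# /etc/postfix/main.cf  (added example; rbl.example.com is a placeholder RBL)
#
# Restrictions are evaluated left to right; the first one that returns
# a definitive permit or reject decides.  Placing check_sender_access
# AFTER reject_unauth_destination means a whitelist entry can never turn
# the server into an open relay, whatever action the entry returns.
smtpd_recipient_restrictions =
    permit_sasl_authenticated,
    permit_mynetworks,
    reject_unauth_destination,
    check_sender_access hash:/etc/postfix/sender_whitelist,
    reject_rbl_client rbl.example.com

# /etc/postfix/sender_whitelist  (run 'postmap sender_whitelist' in
# /etc/postfix after every edit, then 'postfix reload' for main.cf)
#
# Keys are matched against the ENVELOPE sender (MAIL FROM), not the
# From: header.  A bare domain key also matches its subdomains by default
# (parent_domain_matches_subdomains includes smtpd_access_maps), so
# mail from user@home.bellsouth.net hits the bellsouth.net entry.
#
# permit_auth_destination only allows delivery to domains this server
# already accepts mail for, so a forged bellsouth.net sender gains at
# most an RBL bypass, never relaying.  A plain OK would skip every later
# restriction, which is why the map sits after reject_unauth_destination.
bellsouth.net            permit_auth_destination
# a single mailbox can be listed instead of the whole domain
# (user@example.net is a placeholder, not an address from the thread):
user@example.net         permit_auth_destination
```

To confirm the map is actually consulted before reading mail logs, `postmap -q bellsouth.net hash:/etc/postfix/sender_whitelist` prints the stored action for that key (nothing is printed when the key is absent or the map was not rebuilt), and the smtpd log line for a rejected message names the restriction that fired, so an RBL rejection appearing for a whitelisted sender points at the key not matching rather than at ordering.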