Re: Whitelisting Redux

From: Jorey Bump (listjoreybump.com)
Date: Tue May 01 2007 - 10:10:54 CDT


Dennis Putnam wrote:
>
> On May 1, 2007, at 10:06 AM, Jorey Bump wrote:
>>
>> I'm not sure why you're removing permit_sasl_authenticated, but if you
>> don't need it, no harm done.
>
> I thought that was what you suggested I do.

No, I meant for you to change the "smtpd_client_restrictions" entry that
you provided to "smtpd_recipient_restrictions" and remove the redundant
smtpd_recipient_restrictions from your configuration.

>> It appears your whitelist is not being consulted. Be sure to issue a
>> 'postfix reload' after editing main.cf.
>
> I do/did. Why would the white list not be consulted?

It was. The address was wrong.

>> Put permit_sasl_authenticated back before permit_mynetworks in
>> smtpd_recipient_restrictions, if you are using authentication for
>> submission via port 25.
>
> It seems to be working without it but I will. In any case this is not
> affecting the white list, is it?

No.

>> daphome.bellsouth.net != dap1bellsouth.net
>
> I missed that detail. I didn't think it used the FROM field since that
> is easily spoofed. The difference is whether the mail originated on a
> Linux box or Windows box. The bad news is that when I add that to my
> white list it still doesn't work.

To be clear, it's using the address provided during MAIL FROM (not the
From: header), and you're right, that's easily spoofed. But if you want
to use check_sender_access, that's what we're talking about, the
envelope sender.

>> If you want to keep things simple, use this in sender_whitelist:
>>
>> bellsouth.net permit_auth_destination

> I don't really want to open it to all but I might have to try that just
> to see if anything can get through. Will that also work if the hostname
> is home.bellsouth.net?

Refer to Email Address Patterns in:

  man 5 access

or:

  http://www.postfix.org/access.5.html

> Actually I need to get this working not just for
> this user but for others as well. I want to make sure it all works and I
> understand it before adding more users. These otherwise legitimate ISPs
> that refuse to take responsibility for spam originating on their
> networks drive me nuts. I have things pretty tight so we get very little
> spam leaking through but there are a few legitimate sources that don't.

Well, I sympathize, but this may be a user issue. They need to complain
to the ISP or switch. Kudos for trying to solve their problem, but you
may be taking on a maintenance headache. Of course, you could move your
RBLs to a scoring system via a policy server or SpamAssassin if they are
causing you too many problems. Using RBLs isn't required, so I guess you
do bear some of the responsibility here.

>> Note that you'll have to put your map *after*
>> reject_unauth_destination if you use the bellsouth.net address for
>> outgoing mail (in which case, you should really use their mail server,
>> instead).
>>
>
> Now I'm confused (as usual). If I send something to dap1bellsouth.net
> it will be rejected? Outgoing mail cannot go to 'bellsouth.net' as that
> does not resolve to an smtp server. I thought postfix looked up the MX
> record for that address instead.

I meant you must do this if you plan to use the bellsouth.net address as
your sender address for outgoing mail. Outgoing mail *to* bellsouth.net
is not affected by this configuration.
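
Added example, not part of the original message and not Postfix source code: a simplified Python model of the lookup order that access(5) documents for email address patterns, showing which table keys a check_sender_access map is asked for when given an envelope (MAIL FROM) sender. The function names, the `example.net` addresses and the table contents are constructed for illustration; address extensions and quoted local parts are ignored.

```python
# Simplified model of the key order documented in access(5) for
# check_sender_access. Assumption: this mirrors the documentation only;
# it is not Postfix code and skips address extensions and quoting.

def lookup_keys(envelope_sender, parent_matches_subdomains=True):
    """Return the table keys tried, in order, for a MAIL FROM address."""
    local, _, domain = envelope_sender.lower().rpartition("@")
    keys = [f"{local}@{domain}", domain]
    # Walk up the parent domains. When smtpd_access_maps is listed in
    # parent_domain_matches_subdomains (the documented default), the bare
    # parent is tried; otherwise only the ".parent" form matches.
    labels = domain.split(".")
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        keys.append(parent if parent_matches_subdomains else "." + parent)
    keys.append(f"{local}@")
    return keys


def check_sender_access(table, envelope_sender, **opts):
    """Return (matched_key, action), or (None, 'DUNNO') if nothing matches."""
    for key in lookup_keys(envelope_sender, **opts):
        if key in table:
            return key, table[key]
    return None, "DUNNO"


# Constructed whitelist in the style of the sender_whitelist entry above.
SENDER_WHITELIST = {"example.net": "permit_auth_destination"}

if __name__ == "__main__":
    # Constructed envelope senders: exact domain, subdomain, look-alike.
    for sender in ("user@example.net", "user@home.example.net",
                   "user@example.net.invalid"):
        for flag in (True, False):
            print(sender, flag,
                  check_sender_access(SENDER_WHITELIST, sender,
                                      parent_matches_subdomains=flag))
```

The lookup is keyed only on what the client supplied in MAIL FROM, so a match says nothing about where the connection actually came from.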