From: D. Walsh (info at daleenterprise.com)
Date: Mon Oct 01 2007 - 19:40:50 CDT
On Oct 1, 2007, at 24:04:20, mouss wrote:
> D. Walsh wrote:
>>
>> On Sep 30, 2007, at 14:34:36, mouss wrote:
>>
>>> D. Walsh wrote:
>>>> After updating 2.1.5 to 2.4.5 and getting things configured it was time
>>>> for some live tests. smtpd_client_restrictions & smtpd_recipient_restrictions
>>>> entries for the RBLs aren't working, meaning they don't perform their
>>>> intended task and fail.
>>>>
>>>> I checked and copied the settings from the working server running
>>>> postfix 2.1.5 but still no joy, and going back to even older configs, the
>>>> entries look the same but I tried them anyways and still no love there
>>>> either.
>>>>
>>>> Thinking that maybe some weird character got inserted during the copy I
>>>> manually entered the information but still no joy.
>>>>
>>>> Then decided to look at postfix.org for perhaps an API change, nope:
>>>> 'http://www.postfix.org/uce.html#smtpd_sender_restrictions' shows that
>>>> my entries are in the correct format (reject_rhsbl_sender domain.tld) so
>>>> I'm not sure what the issue is.
>>>>
>>>> Next I installed the old version of postfix just to ensure that it
>>>> wasn't a system or DNS configuration issue and things work, so that has
>>>> been ruled out and I'm not sure where to go from here.
>>
>>> without logs, it is hard to guess what is not working.
>>
>>>>
>>>> Here are the settings.
>>>> _________________________________
>>>>
>>>> smtpd_client_restrictions =
>>>> reject_rbl_client bl.spamcop.net,
>>>> reject_rbl_client cbl.abuseat.org,
>>
>>> This one is included in zen.spamhaus.org
>>
>>>> reject_rbl_client dnsbl.ahbl.org,
>>>> reject_rbl_client multi.surbl.org,
>>
>>> I'm not sure this has any use here.
>>
>>>> reject_rbl_client postmaster.rfc-ignorant.org,
>>
>>> I guess you don't want mail from hotmail.com, ...
>>
>>
>>>> reject_rbl_client zen.spamhaus.org,
>>>> reject_rhsbl_client rhsbl.sorbs.net,
>>>> reject_rhsbl_client bogusmx.rfc-ignorant.org,
>>>> reject_rhsbl_client dsn.rfc-ignorant.org,
>>
>>
>>>> permit_mynetworks,
>>
>>> so you check your own IPs in DNSBL? It is common to put this at the top,
>>> so as to whitelist your IPs. Otherwise, if your DNS gets poisoned,
>>> you'll block mail...
>>
>>>> permit
>>>>
>>>> smtpd_recipient_restrictions =
>>>> permit_mynetworks,
>>>> permit_sasl_authenticated,
>>
>>> move reject_unauth_destination to here. no point to do any checks if it
>>> is a relay attempt.
>>
>>>> reject_invalid_hostname,
>>>> reject_non_fqdn_sender,
>>>> reject_non_fqdn_recipient,
>>>> reject_unknown_sender_domain,
>>>> reject_unknown_recipient_domain,
>>
>>> the recipient domain is one of your domains. no need to check it in DNS.
>>
>>>> reject_unauth_destination,
>>>> reject_rhsbl_sender zen.spamhaus.org,
>>>> reject_rhsbl_sender rhsbl.sorbs.net,
>>>> reject_rhsbl_sender bogusmx.rfc-ignorant.org,
>>>> reject_rhsbl_sender dsn.rfc-ignorant.org,
>>>> permit
>>>> _________________________________
>>
>>> you are repeating checks. consider putting all checks under
>>> smtpd_recipient_restrictions.
>>
>> Now I'm confused, what checks am I repeating?
>
> all smtpd_*_restrictions are checked. a permit in
> smtpd_client_restrictions doesn't override
> smtpd_recipient_restrictions.
>
>
>>
>> If I understand you correctly I just place the client and sender rejects
>> in smtpd_recipient_restrictions but, doesn't that allow my users to send
>> mail to the places I reject because checks are not done?
>>
>> The new config based on your instructions:
>>
>> smtpd_client_restrictions =
>> permit_mynetworks,
>> permit
>
> just remove these.
>
>>
>> smtpd_recipient_restrictions =
>> permit_mynetworks,
>> permit_sasl_authenticated,
>> reject_unauth_destination,
>> reject_invalid_hostname,
>> reject_non_fqdn_sender,
>> reject_non_fqdn_recipient,
>> reject_unknown_sender_domain,
>> reject_rbl_client bl.spamcop.net,
>> reject_rbl_client dnsbl.ahbl.org,
>> reject_rbl_client postmaster.rfc-ignorant.org,
>> reject_rbl_client zen.spamhaus.org,
>> reject_rhsbl_sender zen.spamhaus.org,
>> reject_rhsbl_sender rhsbl.sorbs.net,
>> reject_rhsbl_sender bogusmx.rfc-ignorant.org,
>> reject_rhsbl_sender dsn.rfc-ignorant.org,
>> permit
>>
>
> make sure the policies of the DNSBLs you use match your site policy. In
> particular, rfc-ignorant is probably unsafe here (it's more appropriate
> in spamassassin...).
OK, your suggested configuration seems to work significantly cleaner
and faster; times are down from 2,000-6,000 ms to less than 300 ms
(includes time in amavisd-new content filter), so a lot can be said
about configuration options and order.

While this works great with postfix 2.3+, I've not been successful in
getting postfix-2.1.5 to perform SMTP auth. It doesn't have the
smtpd_sasl_path option, so I'm not sure how to get it to perform the
auth, and the documentation I can find on the postfix site doesn't
show any examples of a configuration using dovecot with anything
under postfix-2.3.

I don't use pam and I am using the private/auth socket as configured
in dovecot, suggestion? (The reason is that it's easier to provide a
configuration that will work with the vendor-supplied postfix because
some are anal about installing a second installation of software
already provided, and I'd like to do it for the sake of proving it can
be done.)
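As an added illustration of the two ordering points made in this thread (a permit in smtpd_client_restrictions does not override smtpd_recipient_restrictions, and permit_mynetworks belongs before the DNSBL lookups so a poisoned DNS answer cannot block your own hosts), here is a constructed Python model of how Postfix walks its restriction lists. It is not Postfix code and not from anyone in the thread; the local network, local domain, client addresses and DNSBL answers are assumed values.

```python
# Constructed model of how Postfix walks its smtpd_*_restrictions lists;
# written to illustrate the thread's ordering advice, not Postfix's own code.
import ipaddress

MYNETWORKS = [ipaddress.ip_network("192.168.1.0/24")]   # assumed local net
MYDESTINATION = {"example.org"}                          # assumed local domain

def evaluate(stage_lists, client_ip, recipient, dnsbl_listed=frozenset()):
    """Walk each list in order, as Postfix does at RCPT TO (smtpd_delay_reject=yes).
    A 'permit' ends only the current list; the first 'reject' in any list wins.
    dnsbl_listed: (zone, ip) pairs a DNSBL (or poisoned DNS) reports as listed."""
    ip = ipaddress.ip_address(client_ip)
    for restrictions in stage_lists:
        for entry in restrictions:
            name, _, arg = entry.partition(" ")
            if name in ("permit", "permit_mynetworks"):
                if name == "permit" or any(ip in net for net in MYNETWORKS):
                    break                      # permit: stop this list only
            elif name == "reject_unauth_destination":
                if recipient.rpartition("@")[2] not in MYDESTINATION:
                    return "REJECT relay"
            elif name == "reject_rbl_client" and (arg, client_ip) in dnsbl_listed:
                return f"REJECT {arg}"
            # every other restriction is treated as DUNNO and falls through
    return "OK"

# The thread's original shape: DNSBL lookups before permit_mynetworks.
ORIGINAL = [
    ["reject_rbl_client zen.spamhaus.org", "permit_mynetworks", "permit"],
    ["permit_mynetworks", "reject_unauth_destination", "permit"],
]
# The suggested shape: no client list, permit_mynetworks first.
SUGGESTED = [
    [],
    ["permit_mynetworks", "reject_unauth_destination",
     "reject_rbl_client zen.spamhaus.org", "permit"],
]

def poisoned_dnsbl_effect(config):
    """DNSBL answer (or poisoned DNS) listing one of our own hosts."""
    return evaluate(config, "192.168.1.10", "user@example.org",
                    {("zen.spamhaus.org", "192.168.1.10")})

def relay_attempt(config):
    """Outside client relaying: client-list 'permit' must not bypass it."""
    return evaluate(config, "203.0.113.5", "victim@example.net")

if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL), ("suggested", SUGGESTED)):
        print(label, poisoned_dnsbl_effect(cfg), relay_attempt(cfg))
```

Running it shows the original ordering rejecting local mail as soon as the DNSBL (or a poisoned resolver) lists a local host, while both orderings still stop the relay attempt because the trailing permit in the client list never reaches into the recipient list.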