From: MacShane, Tracy (Tracy.Macshane AirservicesAustralia.com)
Date: Wed Oct 10 2007 - 02:20:03 CDT
In line with some of the suggestions made about simplifying maintenance
of smtpd restrictions, I've moved all of our header checks into
smtpd_recipient_restrictions. Unfortunately, while checking everything
else at each change, I neglected to check address verification, which we
have set up for a couple of domains (gmail.com being the most notable),
per the instructions at Postfix.org.
The whole point of implementing the address verification was to allow
certain domains which don't spam us (yet) to bypass the RBL - perhaps
I'm barking up the wrong tree by assuming that the address verification
effectively gives an OK at the end of the process, but it appeared to be
working fine with the old config, both the actual verifications (and the
verify map filling up), and the RBL not being triggered (although
perhaps we just had a lucky run with unblocked hosts). The verify map
still exists, and contains the test address.
While I could revert to an old copy of the main.cf, I'm just hoping
someone can point at my current configuration and say "duh!" so I don't
have to start again.
The Postfix version is 2.2.10 on RHEL4.
Current smtpd_recipient_restrictions:
unverified_sender_reject_code = 550
address_verify_map = btree:/var/postfix/verify
smtpd_helo_required = yes
smtpd_recipient_restrictions =
    reject_non_fqdn_recipient,
    reject_unknown_recipient_domain,
    permit_mynetworks,
    reject_unauth_pipelining,
    reject_multi_recipient_bounce
    reject_non_fqdn_sender,
    reject_unauth_destination,
    reject_invalid_hostname,
    check_sender_access hash:/etc/postfix/sender_access,
    check_helo_access hash:/etc/postfix/helo_access,
    reject_non_fqdn_hostname,
    check_client_access cidr:/etc/postfix/cidr_client_access,
    check_client_access hash:/etc/postfix/client_access,
    reject_unknown_hostname,
    check_sender_access hash:/etc/postfix/sender_bypass,
    reject_unknown_sender_domain,
    check_recipient_access pcre:/etc/postfix/recipient_access,
#   check_client_access pcre:/etc/postfix/tpg_map,
    reject_rbl_client ASP...r.mail-abuse.com,
    reject_rbl_client ASP...q.mail-abuse.com
#   check_sender_access hash:/etc/postfix/spf_bypass
#   check_policy_service unix:private/policy,
smtpd_timeout = 60
smtpd_recipient_limit = 500
############
Contents of sender_access:
# gmail address verification
gmail.com REJECT_UNVERIFIED_SENDER
domain1.com OK
hostname.thales OK
virginblue.internal OK
....
############
I tried the same entry in "sender_bypass", which was mainly used for
bypassing the RBL, but which I might merge into sender_access, which
made no difference. Is one masking the other, perhaps?
Verbose logging is attached showing the gmail transaction - the address
verification flag is found, but I can't figure out why it's apparently
not used (no lookup to /var/postfix/verify?)
- text/plain attachment: log.txt
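
An added example (not part of the original post, and not Postfix code): a simplified Python model of how the two relevant entries of the posted list are evaluated, in which a verified sender yields no decision from reject_unverified_sender, so reject_rbl_client still runs, while an OK from the access table ends the list. The client addresses, RBL listing and verify-cache contents are constructed, and looking up only the sender's domain is a simplification.

```python
# Added illustration: simplified model of first-match restriction evaluation.
# Table entries mirror the post; IPs, RBL listing and verify cache are constructed.

SENDER_ACCESS = {                       # hash:/etc/postfix/sender_access
    "gmail.com": "REJECT_UNVERIFIED_SENDER",
    "domain1.com": "OK",
}

def reject_unverified_sender(sender, verify_cache):
    status = verify_cache.get(sender)
    if status == "deliverable":
        return "DUNNO"                  # no decision; later restrictions still run
    if status == "undeliverable":
        return "REJECT"
    return "DEFER"                      # no cached result yet (probe pending)

def check_sender_access(sender, verify_cache):
    # Simplification: look up the sender's domain only.
    domain = sender.rsplit("@", 1)[-1].lower()
    action = SENDER_ACCESS.get(domain, "DUNNO")
    if action.lower() == "reject_unverified_sender":
        return reject_unverified_sender(sender, verify_cache)
    return action                       # "OK" or "DUNNO"

def evaluate(sender, client_ip, verify_cache, rbl_listed):
    """Return (decision, restriction that decided) for one recipient."""
    steps = [
        ("check_sender_access", lambda: check_sender_access(sender, verify_cache)),
        ("reject_rbl_client", lambda: "REJECT" if client_ip in rbl_listed else "DUNNO"),
    ]
    for name, step in steps:
        result = step()
        if result != "DUNNO":           # first definite answer ends the list
            return ("PERMIT" if result == "OK" else result), name
    return "PERMIT", "end of list"

if __name__ == "__main__":
    rbl = {"192.0.2.10"}                # constructed RBL listing
    cache = {"alice@gmail.com": "deliverable"}
    for sender in ("alice@gmail.com", "bob@domain1.com"):
        print(sender, evaluate(sender, "192.0.2.10", cache, rbl))
```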