From: Noel Jones (njones at megan.vbhcs.org)
Date: Wed Oct 10 2007 - 09:35:28 CDT
At 02:20 AM 10/10/2007, MacShane, Tracy wrote:
>Unfortunately, while checking everything
>else at each, I neglected to check address verification, which we
>have set up for a couple of domains (gmail.com being the most notable),
>per the instructions at Postfix.org.
>
>The whole point of implementing the address verification was to allow
>certain domains which don't spam us (yet) to bypass the RBL - perhaps
>I'm barking up the wrong tree by assuming that the address verification
>effectively gives an OK at the end of the process, but it appeared to be
>working fine with the old config, both the actual verifications (and the
>verify map filling up), and the RBL not being triggered (although
>perhaps we just had a lucky run with unblocked hosts). The verify map
>still exists, and contains the test address.
reject_unverified_{sender, recipient} can only return DUNNO or
REJECT, never OK. As such, this cannot be used as a whitelisting tool.
You could use a restriction class with
reject_unverified_sender
permit
as the defined actions.
But probably better to use a check_client_access whitelist and forget
about sender verification.
>smtpd_recipient_restrictions =
> reject_non_fqdn_recipient,
> reject_unknown_recipient_domain,
> permit_mynetworks,
> reject_unauth_pipelining,
reject_unauth_pipelining is not effective here, put it under
smtpd_data_restrictions instead.
> reject_multi_recipient_bounce
This doesn't reject much in the way of spam, but may reject legit
mail. Its value is questionable...
> reject_non_fqdn_sender,
> reject_unauth_destination,
This is a good place (i.e. just after reject_unauth_destination) for a
whitelist.
check_client_access hash:/etc/postfix/client_whitelist
> reject_invalid_hostname,
> check_sender_access hash:/etc/postfix/sender_access,
> check_helo_access hash:/etc/postfix/helo_access,
> reject_non_fqdn_hostname,
> check_client_access cidr:/etc/postfix/cidr_client_access,
> check_client_access hash:/etc/postfix/client_access,
> reject_unknown_hostname,
The above is likely to reject legit mail.
> check_sender_access hash:/etc/postfix/sender_bypass,
It's generally better to whitelist clients rather than sender
domains, since senders are easily and frequently forged.
> reject_unknown_sender_domain,
> check_recipient_access pcre:/etc/postfix/recipient_access,
># check_client_access pcre:/etc/postfix/tpg_map,
> reject_rbl_client ASP...r.mail-abuse.com,
> reject_rbl_client ASP...q.mail-abuse.com # check_sender_access
>hash:/etc/postfix/spf_bypass # check_policy_service
>unix:private/policy,
Postfix doesn't allow in-line comments or the reject_rbl_client
syntax as shown above - I hope this is just your way of annotating
your list posting and not actually in your main.cf.
--
Noel Jones
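The main.cf fragment below is an added illustration of the advice in Noel's reply; it is not Tracy's configuration and not part of the original thread. The hostnames, the IP address, the table paths and the RBL name are placeholders, and the restriction class name verify_then_permit is made up for the example.

```text
# main.cf fragment (added example, not the poster's config; names are placeholders)

# reject_unverified_sender only ever returns DUNNO or REJECT, so on its
# own it can never whitelist anything. Wrapping it in a restriction class
# with a trailing "permit" is what turns "sender address exists" into OK.
smtpd_restriction_classes = verify_then_permit
verify_then_permit = reject_unverified_sender, permit

# Persist the verification cache across restarts (assumed path).
address_verify_map = btree:/var/lib/postfix/verify

smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_non_fqdn_recipient,
    reject_unknown_recipient_domain,
    reject_unauth_destination,
    # Whitelist by client right after the relay check: a connecting client
    # is far harder to forge than a sender domain.
    check_client_access hash:/etc/postfix/client_whitelist,
    # Selected sender domains are sent through the restriction class;
    # everything not listed falls through to the RBL below.
    check_sender_access hash:/etc/postfix/sender_verify,
    reject_rbl_client rbl.example.net

# reject_unauth_pipelining has nothing to check until the client has had a
# chance to pipeline, so it belongs under the DATA-stage restrictions.
smtpd_data_restrictions = reject_unauth_pipelining

# /etc/postfix/client_whitelist  (build with: postmap /etc/postfix/client_whitelist)
# hash: tables match a hostname or a single address; use a cidr: table for networks.
mail.partner.example    OK
192.0.2.10              OK

# /etc/postfix/sender_verify  (build with: postmap /etc/postfix/sender_verify)
gmail.com               verify_then_permit
```

Run postmap on each hash table after editing it and reload Postfix. The caveat Noel raises still applies to the sender_verify table: a spammer who forges an existing gmail.com sender address passes verification and skips the RBL, which is why the client whitelist is the preferred tool and sender verification is better left out of the whitelisting path altogether.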