From: Eray Aslan (eray.aslan@caf.com.tr)
Date: Thu Apr 10 2008 - 23:47:19 CDT
On 11.04.2008 07:32, John Evans wrote:
> I use a handful of checks on the IPs/hosts that connect to my mail
> server. I thought that some of the checks were happening right at the
> start of the SMTP conversation, but my assumptions were proven wrong
> tonight when I was testing my mail server by hand from my home DSL
> connection. My RBL checks are not kicking in until after the RCPT phase,
> and I would like them to do their thing before this happens. I basically
> want to allow mynetworks, sasl_authenticated, and then start blocking
> based on IP/host as soon as possible.
http://www.postfix.org/postconf.5.html#smtpd_delay_reject
--
Eray
> First the vitals:
> Postfix 2.5.1
>
> postconf -n:
> alias_database = hash:/etc/aliases
> alias_maps = hash:/etc/aliases
> append_dot_mydomain = no
> biff = no
> broken_sasl_auth_clients = yes
> config_directory = /etc/postfix
> content_filter = smtp-amavis:[127.0.0.1]:10024
> delay_warning_time = 4h
> home_mailbox = Maildir/
> html_directory = /usr/share/doc/postfix/html
> inet_interfaces = all
> mailbox_command = procmail -a "$EXTENSION"
> mailbox_size_limit = 0
> message_size_limit = 20480000
> mydestination = kilnar localhost localhost.localdomain
> kilnar.com lauremor.com beosig.net jtevans.net
> nathantyler.net
> myhostname = kilnar.com
> mynetworks = 127.0.0.0/8 165.236.99.189
> myorigin = /etc/mailname
> proxy_read_maps = $local_recipient_maps $mydestination
> $relay_recipient_maps $relay_domains $canonical_maps
> $sender_canonical_maps $recipient_canonical_maps $relocated_maps
> $transport_maps $mynetworks
> readme_directory = /usr/share/doc/postfix
> receive_override_options = no_address_mappings
> recipient_delimiter = -
> relayhost =
> smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache
> smtpd_banner = $myhostname ESMTP $mail_name
> smtpd_client_restrictions = permit_mynetworks
> permit_sasl_authenticated sleep 1 reject_unauth_pipelining
> check_client_access hash:/etc/postfix/spammer/ips
> check_client_access regexp:/etc/postfix/spammer/hosts
> reject_rbl_client zen.spamhaus.org reject_rbl_client bl.spamcop.net
> reject_rbl_client list.dsbl.org
> smtpd_data_restrictions = reject_unauth_pipelining
> smtpd_recipient_restrictions = permit_mynetworks
> permit_sasl_authenticated reject_unauth_destination
> reject_non_fqdn_recipient reject_non_fqdn_sender
> reject_unknown_sender_domain reject_unknown_recipient_domain
> check_sender_access hash:/etc/postfix/spammer/domains
> smtpd_sasl_auth_enable = yes
> smtpd_tls_cert_file = /etc/postfix/smtpd.cert
> smtpd_tls_key_file = /etc/postfix/smtpd.key
> smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
> smtpd_use_tls = yes
>
> Here is a capture of my conversation with my server that I mentioned
> above:
>
> $ telnet kilnar.com 25
> Trying 165.236.99.189...
> Connected to kilnar.com.
> Escape character is '^]'.
> 220 kilnar.com ESMTP Postfix
> HELO kilnar.com
> 250 kilnar.com
> MAIL From: <admin@kilnar.com>
> 250 2.1.0 Ok
> RCPT To: <admin@kilnar.com>
> 554 5.7.1 Service unavailable; Client host [a.b.c.d] blocked using
> zen.spamhaus.org; http://www.spamhaus.org/query/bl?ip=a.b.c.d
> QUIT
> 221 2.0.0 Bye
> Connection closed by foreign host.
>
> Do I need my IP/host/RBL checks in a location other than
> smtpd_client_restrictions?
>
> Thank you for your time.
>
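
An added example, not part of either message in this thread: a small audit of `postconf -n` output that lists reject rules which `smtpd_delay_reject` (default `yes`) holds back until RCPT TO, which is the behaviour seen in the telnet session above. The function names and the sample dump are constructed for illustration.

```python
import re

# Lists that smtpd_delay_reject=yes defers until the RCPT TO command.
DELAYED_LISTS = (
    "smtpd_client_restrictions",
    "smtpd_helo_restrictions",
    "smtpd_sender_restrictions",
)

# Constructed sample, shaped like the postconf -n dump in the post.
SAMPLE = """\
mynetworks = 127.0.0.0/8 192.0.2.10
smtpd_client_restrictions = permit_mynetworks
    permit_sasl_authenticated reject_rbl_client zen.spamhaus.org
    reject_rbl_client bl.spamcop.net
smtpd_recipient_restrictions = permit_mynetworks
    reject_unauth_destination
"""

def parse_postconf(text):
    """Parse `name = value` lines; indented lines continue the previous value."""
    params, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = re.match(r"([A-Za-z0-9_]+)\s*=\s*(.*)$", line)
        if m:
            current = m.group(1)
            params[current] = m.group(2).strip()
        elif current is not None:
            params[current] = (params[current] + " " + line.strip()).strip()
    return params

def delayed_reject_rules(params):
    """Return {list_name: [reject rules]} that cannot fire before RCPT TO."""
    # postconf -n prints only non-default settings, so a missing key means "yes".
    if params.get("smtpd_delay_reject", "yes").lower() == "no":
        return {}
    findings = {}
    for name in DELAYED_LISTS:
        tokens = params.get(name, "").replace(",", " ").split()
        rules = []
        for i, tok in enumerate(tokens):
            if tok.startswith("reject_"):
                has_arg = tok == "reject_rbl_client" and i + 1 < len(tokens)
                rules.append(f"{tok} {tokens[i + 1]}" if has_arg else tok)
        if rules:
            findings[name] = rules
    return findings
```

Only `reject_*` tokens are reported; `check_client_access` lookups in the same lists are deferred in the same way but are not listed by this sketch.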