Re: ISP being blocked by us

From: Ignacio Garcia (igpoenus.com)
Date: Fri Jun 26 2009 - 09:23:46 CDT



José Luis Tallón wrote:
> Hi,
>
> Ignacio Garcia wrote:
>> Hi there. We use in our postfix servers several programs to prevent spam
>> (amavisd-new + spamassassin, postgrey, and policyd-weight). We like very
>> much policyd-weight because it bases its blocking decisions on a score
>> calculated by the number of blacklists a server is in. We are, however,
>> puzzled by the fact that we are blocking all incoming email from
>> terra.es, a division of telefonica, the largest ISP in Spain. Before we
>> contact terra's postmaster,
> Just forget about that... they won't even hear you since they are the
> largest (and so, must do everything right -- bullshit)
>> we are trying to figure out where the
>> problem is. Although this is a postfix list (and not policyd-weight's),
>> I humbly ask you all email gurus for help since this is more related to
>> rbl and dns stuff than policyd-weight malfunctioning. Here's the log:
> Not a mail guru, but the approach below does work
>> [snip]
>> Please know that although terra.es shows up twice in rbl lists, we do
>> not block them for that particular reason (we block when anyone is
>> listed 3 times in rbl lists). We are blocking them because of this line:
>>
>> FROM/MX_MATCHES_NOT_HELO(DOMAIN)=2.9 CLIENT_NOT_MX/A_FROM_DOMAIN=9.1
>>
>> we have checked their dns entries and they seem normal (I'm no dns expert
>> though)
> What we do (without policyd-weight, however):
>
> Redirect these "problematic domains" to a special restriction class (we
> call it from_freemail)
> Then, we match the sending server with *any* valid sending server for
> that domain.
>
> Something along the lines:
> ACCESS (check_sender_access somewhere)
> terra.es from_telefonica
>
> from_telefonica = check_client_access
> hash:$config_directory/access_from_telefonica
>
> /etc/postfix/access_from_telefonica
> terra.es reject_unauth_destination
> telefonica.net reject_unauth_destination
>
>> Any help is much appreciated.
> That will do the trick, when placed BEFORE check_policy_service (in the
> recipient_restrictions list, in order to have as much info available for
> the checks)
>
>
> Cheers,
>
Thanks all for your replies.

Ok, terra.es sends through telefonica.net. However, emails coming from
telefonica.net go through policyd-weight without any trouble, so I guess
the second entry in $config_directory/access_from_telefonica
(telefonica.net ...) is not necessary, right?

Our smtpd_recipient_restrictions is as follows:

smtpd_recipient_restrictions = reject_unauth_pipelining,
reject_unknown_recipient_domain, permit_mynetworks,
permit_sasl_authenticated, check_recipient_access
mysql:/etc/postfix/mysql-virtual_recipient.cf,
reject_unauth_destination, check_client_access
hash:/etc/postfix/host_whitelist, check_client_access
hash:/etc/postfix/relay_whitelist, check_policy_service
inet:127.0.0.1:12525, check_client_access
regexp:/etc/postfix/check_client_fqdn, check_sender_access
regexp:/etc/postfix/filter_catchall_10024

where check_policy_service inet:127.0.0.1:12525 is policyd-weight

Therefore, after declaring in main.cf:

from_telefonica = check_client_access
hash:$config_directory/access_from_telefonica

I'd leave it like this:

smtpd_recipient_restrictions = reject_unauth_pipelining,
reject_unknown_recipient_domain, permit_mynetworks,
permit_sasl_authenticated, check_recipient_access
mysql:/etc/postfix/mysql-virtual_recipient.cf,
reject_unauth_destination, check_client_access
hash:/etc/postfix/host_whitelist, check_client_access
hash:/etc/postfix/relay_whitelist, from_telefonica, check_policy_service
inet:127.0.0.1:12525, check_client_access
regexp:/etc/postfix/check_client_fqdn, check_sender_access
regexp:/etc/postfix/filter_catchall_10024

I added from_telefonica right before policyd-weight

Now, I understand that after going to from_telefonica, the rest of the
declarations will be ignored. If that is correct, I'll have to add them
to the file /etc/postfix/access_from_telefonica. In that case, can I add
several statements for terra.es, as in:

terra.es check_client_access regexp:/etc/postfix/check_client_fqdn,
check_sender_access regexp:/etc/postfix/filter_catchall_10024

(all in one line, of course)

Thanks very much in advance

Ignacio
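Added here as a way to reason about where a restriction class hands control back to the outer list: this Python model is my own (not Postfix code and not from the thread), walks an abbreviated form of the restriction list above with constructed access maps, and assumes Postfix's documented rule that an entry yielding no decision (DUNNO) passes control to the next entry; it looks clients up by hostname only, and the policyd_weight stand-in simply rejects anything claiming terra.es.

```python
# Simplified model of a Postfix restriction walk (assumptions, not Postfix code):
# every entry yields "permit", "reject" or "dunno"; "dunno" means "no decision,
# try the next entry"; a restriction class is a nested list evaluated the same
# way, so a class that ends in "dunno" falls through to the entry after it.
RELAY_DOMAINS = {"example.org"}            # constructed: domains we accept mail for
ACCESS_FROM_TELEFONICA = {                 # stand-in for the hash: map in the thread
    "terra.es": "reject_unauth_destination",
    "telefonica.net": "reject_unauth_destination",
}
CLASSES = {"from_telefonica": [("check_client_access", ACCESS_FROM_TELEFONICA)]}

def policyd_weight(msg):  # constructed stand-in for the policy daemon
    return "reject" if msg["sender"].endswith("@terra.es") else "dunno"

RECIPIENT_RESTRICTIONS = [                 # abbreviated list from the message
    "reject_unauth_destination",
    "from_telefonica",
    ("check_policy_service", policyd_weight),
]

def lookup(table, name):
    """access(5)-style lookup: the full hostname, then each parent domain."""
    parts = name.split(".")
    candidates = [".".join(parts[i:]) for i in range(len(parts))]
    return next((table[c] for c in candidates if c in table), None)

def run_one(name, arg, msg, trace):
    trace.append(name)
    if name in CLASSES:
        return evaluate(CLASSES[name], msg, trace)
    if name == "reject_unauth_destination":
        return "dunno" if msg["rcpt"].split("@")[1] in RELAY_DOMAINS else "reject"
    if name == "check_client_access":
        return lookup(arg, msg["client"]) or "dunno"
    if name == "check_policy_service":
        return arg(msg)
    return "dunno"

def evaluate(restrictions, msg, trace):
    for item in restrictions:
        name, arg = item if isinstance(item, tuple) else (item, None)
        result = run_one(name, arg, msg, trace)
        while result not in ("permit", "reject", "dunno"):
            result = run_one(result, None, msg, trace)   # map RHS names a restriction
        if result != "dunno":
            return result
    return "dunno"

def decide(client, sender, rcpt):
    """Return (verdict, names of the restrictions consulted, in order)."""
    trace = []
    return evaluate(RECIPIENT_RESTRICTIONS, {"client": client, "sender": sender, "rcpt": rcpt}, trace), trace
```

With a telefonica.net client and an authorized recipient, the trace shows the map entry evaluating to reject_unauth_destination, yielding no decision, and check_policy_service still being consulted afterwards.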