Dan Langille:
> Today I discovered that my mail server is rejecting smtps connections
> based upon RBL.
>
> Example:
>
> Sep 28 17:44:40 nyi postfix/smtpd[20073]: NOQUEUE: reject: CONNECT from pool-151-197-20-211.phil.east.verizon.net[151.197.20.211]: 554 5.7.1 Service unavailable; Client host [151.197.20.211] blocked using dnsbl.njabl.org; 1045929907; proto=SMTP
>
> I'd rather not restrict smtps connection. Either they authenticate or
> they do not. That is enough for me.
Assuming that other sanity checks still apply for smtps clients...

> My smtps service is defined through this (slightly altered) master.cf
> entry:
>
> 10.11.12.13:smtps inet n - n - - smtpd
>   -o smtpd_sasl_auth_enable=yes
>   -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject_unauth_destination
>   -o smtpd_sasl_type=dovecot
>   -o smtpd_sasl_path=private/auth
>   -o smtpd_tls_security_level=encrypt
>   -o smtpd_tls_wrappermode=yes
>   -o smtpd_tls_cert_file=/usr/local/etc/postfix-config/CERTS/nyi.example.org.cert
>   -o smtpd_tls_key_file=/usr/local/etc/postfix-config/CERTS/nyi.example.org.nopassword.key
>
> In main.cf, I find these references to njabl.org. I would prefer to
> keep these smtp restrictions in place.
>
> maps_rbl_domains = dnsbl.njabl.org
>
> smtpd_client_restrictions = sleep 1, reject_unauth_pipelining,
>     hash:/usr/local/etc/postfix-config/main/access,
>     reject_rbl_client dnsbl.njabl.org,
>     permit_mynetworks

Add to main.cf:

    smtps_client_restrictions = sleep 1, reject_unauth_pipelining
        hash:/usr/local/etc/postfix-config/main/access

i.e. all but the ``reject_rbl_client dnsbl.njabl.org''.

In master.cf, add to the smtps entry:

    -o smtpd_client_restrictions=$smtps_client_restrictions

Ditto for smtpd_helo_restrictions and smtpd_sender_restrictions or
anything that references dnsbl.njabl.org.

This workaround is needed because there can't be spaces in master.cf
-o options. You can use commas instead of spaces, but that just makes
things uglier.

	Wietse
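As an added illustration, not part of the thread and not Postfix's own code, the following Python script resolves the effective smtpd_*_restrictions per master.cf service the way Wietse's answer describes: main.cf supplies the defaults, a `-o` override in master.cf replaces them, and a `$name` reference pulls a value back in from main.cf. It then reports which services still consult a DNSBL. The sample main.cf and master.cf fragments are constructed from the entries quoted above; the `submission` entry is a constructed counter-example showing what happens when the restriction list is written inline with a space in it.

```python
"""Audit which Postfix smtpd services still carry DNSBL-based restrictions
after main.cf defaults are combined with master.cf '-o' overrides.
Constructed example; the config fragments below are sample data."""
import re
from typing import Dict, List, Tuple

# Constructed main.cf fragment, modelled on the thread (values illustrative).
MAIN_CF = """
maps_rbl_domains = dnsbl.njabl.org
smtpd_client_restrictions = sleep 1, reject_unauth_pipelining,
    hash:/usr/local/etc/postfix-config/main/access,
    reject_rbl_client dnsbl.njabl.org,
    permit_mynetworks
smtps_client_restrictions = sleep 1, reject_unauth_pipelining,
    hash:/usr/local/etc/postfix-config/main/access
"""

# Constructed master.cf fragment. The 'submission' entry deliberately puts a
# space inside an -o value to show why the thread routes the list via main.cf.
MASTER_CF = """
smtp      inet  n       -       n       -       -       smtpd
10.11.12.13:smtps inet n - n - - smtpd
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject_unauth_destination
  -o smtpd_client_restrictions=$smtps_client_restrictions
  -o smtpd_tls_wrappermode=yes
# Constructed counter-example: an inline list with a space is cut at the space.
submission inet n - n - - smtpd
  -o smtpd_client_restrictions=sleep 1,reject_unauth_pipelining
"""

RESTRICTION_PARAMS = ("smtpd_client_restrictions", "smtpd_helo_restrictions",
                      "smtpd_sender_restrictions", "smtpd_recipient_restrictions")
# Restriction names that consult a DNS-based blocklist.
DNSBL_RESTRICTIONS = ("reject_rbl_client", "reject_rhsbl_client", "reject_rhsbl_helo",
                      "reject_rhsbl_sender", "reject_rhsbl_reverse_client", "reject_maps_rbl")
_REF = re.compile(r"\$\{?([A-Za-z_][A-Za-z0-9_]*)\}?")


def parse_main_cf(text: str) -> Dict[str, str]:
    """Parse 'name = value' lines; an indented line continues the previous value."""
    params: Dict[str, str] = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and current is not None:
            params[current] += " " + raw.strip()
            continue
        name, _, value = raw.partition("=")
        current = name.strip()
        params[current] = value.strip()
    return params


def expand(value: str, params: Dict[str, str], depth: int = 0) -> str:
    """Expand $name / ${name} references recursively, as 'postconf -x' does."""
    if depth > 10:
        raise ValueError("parameter reference loop")
    return _REF.sub(lambda m: expand(params.get(m.group(1), ""), params, depth + 1), value)


def parse_master_cf(text: str) -> List[dict]:
    """Parse service entries and their '-o name=value' overrides.
    Like master.cf itself there is no quoting: whitespace splits arguments,
    so a value containing a space leaves a stray token (recorded as a warning)."""
    services: List[dict] = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if not raw[0].isspace():
            f = raw.split()
            services.append({"name": f[0], "type": f[1], "command": f[7],
                             "args": f[8:], "overrides": {}, "warnings": []})
        else:
            services[-1]["args"].extend(raw.split())
    for svc in services:
        tokens, i = svc["args"], 0
        while i < len(tokens):
            if tokens[i] == "-o" and i + 1 < len(tokens):
                name, _, value = tokens[i + 1].partition("=")
                svc["overrides"][name] = value
                i += 2
            else:
                if not tokens[i].startswith("-"):
                    svc["warnings"].append(tokens[i])
                i += 1
    return services


def effective_restrictions(svc: dict, params: Dict[str, str]) -> Dict[str, List[str]]:
    """Override wins over main.cf; restriction lists split on commas/whitespace."""
    out = {}
    for p in RESTRICTION_PARAMS:
        value = expand(svc["overrides"].get(p, params.get(p, "")), params)
        out[p] = [t for t in re.split(r"[,\s]+", value) if t]
    return out


def audit(main_cf: str, master_cf: str) -> Dict[str, dict]:
    """Per smtpd service: DNSBL restrictions still in effect, plus parse warnings."""
    params = parse_main_cf(main_cf)
    report = {}
    for svc in parse_master_cf(master_cf):
        if svc["command"] != "smtpd":
            continue
        dnsbl: List[Tuple[str, str]] = [(p, t) for p, toks in effective_restrictions(svc, params).items()
                                        for t in toks if t in DNSBL_RESTRICTIONS]
        report[svc["name"]] = {"dnsbl": dnsbl, "warnings": svc["warnings"]}
    return report


if __name__ == "__main__":
    for name, r in audit(MAIN_CF, MASTER_CF).items():
        print(f"{name}: dnsbl={r['dnsbl']} warnings={r['warnings']}")
```

Running it shows the plain `smtp` service still carrying `reject_rbl_client` while the smtps service, whose client restrictions come from `$smtps_client_restrictions`, carries none. The `submission` entry ends up with `smtpd_client_restrictions=sleep` and a stray `1,reject_unauth_pipelining` token, which is the failure mode behind the "no spaces in -o options" remark. Postfix 3.0 and later also accept a brace-quoted form, `-o { name = value with spaces }`; this script models only the whitespace-separated syntax the thread describes.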