David Cottle wrote:
Hi,
I have got RBL tests and I got a client on GoDaddy. Naturally their
outgoing server (secureserver.net) is listed. I made changes to postfix
but it's still rejecting, here is the extract of the main.cf and the rules.
I don't understand why it's not working. If I remove all the rbl checks
the emails arrive.
Any ideas?
Here are the configs that apply:
smtpd_client_restrictions = check_client_access hash:/etc/postfix/whitelist,
OK.
check_client_access hash:/etc/postfix/check_backscatterer,
check_client_access hash:/etc/postfix/check_spamcannibal,
The above two checks will never match anything. You need to
use check_sender_access, not check_client_access.
Make sure you leave the default setting of
smtpd_delay_reject = yes
so postfix knows the sender when it does this check.
reject_rbl_client bl.spamcop.net,
OK.
reject_rbl_client pbl.spamhaus.org,
reject_rbl_client sbl-xbl.spamhaus.org,
reject_rbl_client cbl.abuseat.org,
You should drop all the above and use zen.spamhaus.org.
If you want to differentiate rejections, you can break them
out by the reject code.
reject_rbl_client dnsbl-1.uceprotect.net,
reject_rbl_client dnsbl-2.uceprotect.net,
reject_rbl_client dnsbl-3.uceprotect.net,
UCEPROTECT will give you tons of false positives when used
this way. Better to use it in a scoring type system, such as
SpamAssassin or a scoring policy server. Or just don't use it
at all. Here, it gave so many false positives that it wasn't
even particularly useful for scoring.
reject_rbl_client 2.0.0.127.b.barracudacentral.org
This will never match anything. Must be
reject_rbl_client b.barracudacentral.org
if you're trying to limit rejects to a specific response code,
the syntax is
reject_rbl_client b.barracudacentral.org=127.0.0.2
the /etc/postfix/whitelist file (yes it's been mapped to .cf)
k2smtpout01-01.prod.mesa1.secureserver.net OK
k2smtpout02-01.prod.mesa1.secureserver.net OK
k2smtpout03-01.prod.mesa1.secureserver.net OK
k2smtpout04-01.prod.mesa1.secureserver.net OK
k2smtpout05-01.prod.mesa1.secureserver.net OK
k2smtpout06-01.prod.mesa1.secureserver.net OK
You need only one entry.
prod.mesa1.secureserver.net OK
If you've changed the default setting of
parent_domain_matches_subdomains then use
.prod.mesa1.secureserver.net OK
http://www.postfix.org/postconf.5.html#parent_domain_matches_subdomains
http://www.postfix.org/access.5.html
But whitelisting by name only works if postfix knows the
client name.
Feb 9 09:36:55 server postfix/smtpd[26671]: connect from unknown[64.202.189.90]
Feb 8 22:36:57 server postfix/smtpd[26671]: NOQUEUE: reject: RCPT from unknown[64.202.189.90]:
554 5.7.1 Service unavailable; Client host [64.202.189.90] blocked using dnsbl-1.uceprotect.net;
IP 64.202.189.90 is UCEPROTECT-Level 1 listed. See
http://www.uceprotect.net/rblcheck.php?ipr=64.202.189.90;
from=<psa...@server.aussiefrogs.com> to=<dcot...@idb.com.au> proto=SMTP
helo=<k2smtpout02-01.prod.mesa1.secureserver.net>
Feb 8 22:36:57 server postfix/smtpd[26671]: disconnect from unknown[64.202.189.90]
Ah, postfix does not know the client name. You'll need to
whitelist them by IP address.
Hmmm.
% host 64.202.189.90
90.189.202.64.in-addr.arpa domain name pointer k2smtpout02-01.prod.mesa1.secureserver.net.
% host k2smtpout02-01.prod.mesa1.secureserver.net.
k2smtpout02-01.prod.mesa1.secureserver.net has address 64.202.189.90
Looks as if your DNS is broken. If your DNS had been working,
I don't believe this would have been labeled "unknown".
Does postfix label every client as "unknown"?
the check_backscatterer (also mapped)
<> reject_rbl_client ips.backscatterer.org
postmaster reject_rbl_client ips.backscatterer.org
MAILER-DAEMON reject_rbl_client ips.backscatterer.org
The postmaster and MAILER-DAEMON entries are unlikely to match
anything; remember you're checking the envelope sender, not a
header. I suppose some broken mailers could use the sender
postmas...@example.com or mailer-dae...@example.com; you would
need a regexp map to match those, and you won't see many of
them. Ditto for your spamcannibal map.
--
Noel Jones
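
Added example (not part of the original thread, and not Postfix code): a small Python model of the two lookups discussed above, the DNSBL query name that reject_rbl_client builds and the keys check_client_access tries in a hash: table. The DNS answers are constructed, the function names are hypothetical, and the table lookup is simplified from access(5).

```python
# Constructed model of lookups discussed in the thread; not Postfix source.

def dnsbl_query(client_ip, zone):
    """Name queried for an IPv4 client: reversed octets prepended to the zone."""
    return ".".join(reversed(client_ip.split("."))) + "." + zone

def rbl_hit(client_ip, arg, dns):
    """Model reject_rbl_client ARG, where ARG is 'zone' or 'zone=d.d.d.d'."""
    zone, _, want = arg.partition("=")
    answers = dns.get(dnsbl_query(client_ip, zone), [])
    return any(not want or a == want for a in answers)

def access_keys(name, ip, parent_matches_subdomains=True):
    """Keys tried in a hash: client table (simplified from access(5))."""
    labels = name.split(".")
    keys = [name]
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        keys.append(parent if parent_matches_subdomains else "." + parent)
    octets = ip.split(".")
    keys += [".".join(octets[:n]) for n in (4, 3, 2, 1)]
    return keys

def decide(name, ip, whitelist, rbl_args, dns):
    """First match wins: whitelist OK, then each DNSBL in order, else DUNNO."""
    if any(whitelist.get(k) == "OK" for k in access_keys(name, ip)):
        return "OK"
    for arg in rbl_args:
        if rbl_hit(ip, arg, dns):
            return "REJECT " + arg
    return "DUNNO"

# Constructed DNS answers: the thread's client IP listed in two zones.
DNS = {
    "90.189.202.64.dnsbl-1.uceprotect.net": ["127.0.0.2"],
    "90.189.202.64.b.barracudacentral.org": ["127.0.0.2"],
}
IP = "64.202.189.90"
HOST = "k2smtpout02-01.prod.mesa1.secureserver.net"
BY_NAME = {"prod.mesa1.secureserver.net": "OK"}  # whitelist keyed by hostname
BY_IP = {IP: "OK"}                               # whitelist keyed by address
RBLS = ["2.0.0.127.b.barracudacentral.org", "dnsbl-1.uceprotect.net"]

if __name__ == "__main__":
    print(dnsbl_query(IP, RBLS[0]))  # shows why the first zone cannot match
    print(decide("unknown", IP, BY_NAME, RBLS, DNS))
    print(decide(HOST, IP, BY_NAME, RBLS, DNS))
    print(decide("unknown", IP, BY_IP, RBLS, DNS))
```

With the client name "unknown" the hostname whitelist is never consulted under a matching key, so the client falls through to the DNSBL checks; the address-keyed entry matches regardless of what reverse DNS returned.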