Scott Techlist via Postfix-users:
> I need to allow a domain to bypass my RBL checks.  I'm doing something wrong, 
> or I'm misunderstanding what I'm checking from my logs.  I'd be grateful for 
> an assist to remedy.
> 

Depending on whether domain is client or sender or ...

    ...
    reject_unauth_destination
    ...
    check_client_access hash:/pathname
    reject_rbl_client example.com
    ...

Or

    ...
    reject_unauth_destination
    ...
    check_sender_access hash:/pathname
    reject_rbl_client example.com
    ...

Or ???

Where the table returns OK for the allowlisted domain.

        Wietse
> 
> This box is an old postfix install Postfix version 2.2.10. (I know, working 
> on migrating)
> 
>  
> 
> main.cf: (full postconf -n output follows below)
> 
>  
> 
> parent_domain_matches_subdomains = smtpd_access_maps 
> 
> check_sender_access hash:/etc/postfix/sender_checks,
> 
>  
> 
> I need to let mail from outbound.protection.outlook.com, and bypass my RBL 
> checks. My old understanding is that the first OK "wins" (maybe not?), and I 
> have check sender before check RBL.  I don't seem to be getting a match/OK on 
> it.
> 
>  
> 
> This is a sample log entry of what I'm trying to "OK" before it gets to my 
> RBL checks and thus fails:
> 
>  
> 
>       Feb 28 12:45:13 host1 postfix/smtpd[10600]: connect from 
> mail-psaapc01on2101.outbound.protection.outlook.com[40.107.255.101]
> 
>  
> 
> Feb 28 12:45:14 host1 postfix/smtpd[10600]: NOQUEUE: reject: RCPT from 
> mail-psaapc01on2101.outbound.protection.outlook.com[40.107.255.101]: 554 
> Service unavailable; Client host [40.107.255.101] blocked using 
> bl.spamcop.net; Blocked - see 
> https://www.spamcop.net/bl.shtml?40.107.255.101; 
> from=<info-asqmrfmx...@starscorp.onmicrosoft.com> 
> to=<gary.cunning...@xyz.com> proto=ESMTP 
> helo=<APC01-PSA-obe.outbound.protection.outlook.com>
> 
>  
> 
> Isn't the sender = connect from = 
> mail-psaapc01on2101.outbound.protection.outlook.com ?
> 
>  
> 
> In my sender_checks file I've tried:
> 
>  
> 
> outbound.protection.outlook.com OK
> 
> .outbound.protection.outlook.com OK # to match subdomains as an attempt to 
> get it to work.
> 
>  
> 
> Can I go that deep on subdomains (e.g. outbound.protection.outlook.com)? Or 
> do I need to only have ".outlook.com OK"
> 
>  
> 
> I tried testing my sender_checks file using:
> 
>  
> 
> postmap -q 'mail-mw2nam10on2100.outbound.protection.outlook.com' 
> hash:/etc/postfix/sender_checks
> 
> (does not match)
> 
>  
> 
> postmap -q 'outbound.protection.outlook.com' hash:/etc/postfix/sender_checks
> 
> OK #(matches)
> 
>  
> 
> In any case, what I'm doing does not prevent the RBL test that's after the 
> sender check from being passed.
> 
>  
> 
> -----
> 
> postconf -n:
> 
>  
> 
> alias_database = hash:/etc/aliases
> 
> alias_maps = hash:/etc/aliases
> 
> body_checks = pcre:/etc/postfix/body_checks.pcre
> 
> broken_sasl_auth_clients = yes
> 
> command_directory = /usr/sbin
> 
> config_directory = /etc/postfix
> 
> content_filter = smtp-amavis:[127.0.0.1]:10024
> 
> daemon_directory = /usr/libexec/postfix
> 
> debug_peer_level = 2
> 
> disable_vrfy_command = yes
> 
> html_directory = no
> 
> inet_interfaces = $host1, localhost
> 
> local_recipient_maps = hash:/etc/postfix/local_recipient
> 
> mail_owner = postfix
> 
> mail_spool_directory = /var/spool/mail
> 
> mailbox_size_limit = 483886080
> 
> mailq_path = /usr/bin/mailq.postfix
> 
> manpage_directory = /usr/share/man
> 
> message_size_limit = 20971520
> 
> mydestination = $host1,  localhost.$mydomain,  localhost,  s-e-inc.com, 
> $mydomain
> 
> mydomain = example.com
> 
> host1 = host1.example.com
> 
> mynetworks = localhost,$localdomain, [& other local IPs]
> 
> myorigin = $host1
> 
> newaliases_path = /usr/bin/newaliases.postfix
> 
> parent_domain_matches_subdomains = smtpd_access_maps
> 
> queue_directory = /var/spool/postfix
> 
> readme_directory = /usr/share/doc/postfix-2.2.10/README_FILES
> 
> recipient_bcc_maps = hash:/etc/postfix/recipient_bcc
> 
> relay_domains = mlec.com
> 
> relay_recipient_maps = hash:/etc/postfix/relay_recipients
> 
> sample_directory = /usr/share/doc/postfix-2.2.10/samples
> 
> sendmail_path = /usr/sbin/sendmail.postfix
> 
> setgid_group = postdrop
> 
> smtpd_data_restrictions = reject_unauth_pipelining,  permit
> 
> smtpd_helo_required = yes
> 
> smtpd_recipient_limit = 3000
> 
> smtpd_recipient_restrictions = reject_invalid_hostname,  
> reject_non_fqdn_hostname,  reject_non_fqdn_sender,  
> reject_non_fqdn_recipient,  permit_mynetworks,  reject_unauth_destination,  
> check_recipient_mx_access hash:/etc/postfix/mx_access,  
> check_sender_mx_access hash:/etc/postfix/mx_access,  
> reject_unknown_sender_domain,  check_recipient_access 
> pcre:/etc/postfix/recipient_checks.pcre,  check_helo_access 
> hash:/etc/postfix/helo_checks,  check_sender_access 
> hash:/etc/postfix/sender_checks,  check_client_access 
> hash:/etc/postfix/client_checks,  check_client_access 
> pcre:/etc/postfix/client_checks.pcre,  check_recipient_access 
> hash:/etc/postfix/access,  reject_rbl_client 
> zen.spamhaus.org=127.0.0.[2..255],  reject_rhsbl_client 
> dbl.spamhaus.org=127.0.1.[2..99],  reject_rhsbl_sender 
> dbl.spamhaus.org=127.0.1.[2..99],  reject_rhsbl_helo 
> dbl.spamhaus.org=127.0.1.[2..99],  reject_rbl_client psbl.surriel.com,  
> reject_rbl_client bl.spamcop.net,  reject_rhsbl_sender 
> fresh.spameatingmonkey.net,  reject_rhsbl_client fresh.spameatingmonkey.net,  
> reject_rhsbl_sender uribl.spameatingmonkey.net,  reject_rhsbl_client 
> uribl.spameatingmonkey.net,  reject_rbl_client 
> sip-sip24.metbpp3hnheh.invaluement.com,  check_policy_service 
> unix:postgrey/socket, permit
> 
> smtpd_sasl_auth_enable = yes
> 
> smtpd_sasl_local_domain = $host1
> 
> smtpd_sasl_security_options = noanonymous
> 
> smtpd_tls_CAfile = /etc/postfix/certs/cacert.pem
> 
> smtpd_tls_auth_only = yes
> 
> smtpd_tls_cert_file = /etc/postfix/certs/postfix_public_cert.pem
> 
> smtpd_tls_key_file = /etc/postfix/certs/postfix_private_key.pem
> 
> smtpd_tls_loglevel = 1
> 
> smtpd_tls_received_header = yes
> 
> smtpd_tls_session_cache_timeout = 3600s
> 
> smtpd_use_tls = no
> 
> soft_bounce = no
> 
> tls_random_source = dev:/dev/urandom
> 
> transport_maps = hash:/etc/postfix/transport
> 
> unknown_local_recipient_reject_code = 550
> 
> virtual_alias_domains = hash:/etc/postfix/virtual_domains
> 
> virtual_alias_maps = hash:/etc/postfix/virtual_users
> 
>  
> 
>  
> 

> _______________________________________________
> Postfix-users mailing list -- postfix-users@postfix.org
> To unsubscribe send an email to postfix-users-le...@postfix.org
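
An added sketch (not from the thread and not Postfix code) of the lookup keys that access(5) describes for check_client_access and check_sender_access, applied to the client hostname, IP address and sender domain in the quoted log line. The sender local part is constructed and the function names are hypothetical.

```python
# Simplified model of access(5) key generation; not Postfix source code.

def domain_keys(domain, parent_matches=True):
    """Name itself, then each parent domain. Parents are tried bare when
    smtpd_access_maps is in parent_domain_matches_subdomains, else with a
    leading dot."""
    labels = domain.lower().split(".")
    keys = [".".join(labels)]
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        keys.append(parent if parent_matches else "." + parent)
    return keys

def client_keys(hostname, ip, parent_matches=True):
    """check_client_access: hostname, parents, IP, then shorter IPv4 prefixes."""
    octets = ip.split(".")
    nets = [".".join(octets[:n]) for n in range(len(octets), 0, -1)]
    return domain_keys(hostname, parent_matches) + nets

def sender_keys(address, parent_matches=True):
    """check_sender_access: user@domain, domain and parents, then user@."""
    local, _, domain = address.lower().rpartition("@")
    return [address.lower()] + domain_keys(domain, parent_matches) + [local + "@"]

def first_match(keys, table):
    """Return (key, action) for the first key in the table, else None (DUNNO)."""
    for key in keys:
        if key in table:
            return key, table[key]
    return None

# Values from the quoted log line; the sender local part is constructed.
CLIENT = "mail-psaapc01on2101.outbound.protection.outlook.com"
CLIENT_IP = "40.107.255.101"
SENDER = "someone@starscorp.onmicrosoft.com"
TABLE = {"outbound.protection.outlook.com": "OK"}  # entry from the post

if __name__ == "__main__":
    print("sender:", first_match(sender_keys(SENDER), TABLE))
    print("client:", first_match(client_keys(CLIENT, CLIENT_IP), TABLE))
    print("client, dotted-parent style:",
          first_match(client_keys(CLIENT, CLIENT_IP, False), TABLE))
    print("exact key only (postmap -q):", TABLE.get(CLIENT))
```

The sender lookup is keyed on the envelope sender address and never tries the client hostname, so only the client lookup reaches the `outbound.protection.outlook.com` entry.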