On 2024-02-28 at 14:38:41 UTC-0500 (Wed, 28 Feb 2024 13:38:41 -0600)
Scott Techlist via Postfix-users <techlis...@s2ca.us>
is rumored to have said:
I need to allow a domain to bypass my RBL checks. I'm doing something
wrong, or I'm misunderstanding what I'm checking from my logs. I'd be
grateful for an assist to remedy.
This box is an old Postfix install, Postfix version 2.2.10. (I know,
working on migrating)
main.cf: (full postconf -n output follows below)
parent_domain_matches_subdomains = smtpd_access_maps
check_sender_access hash:/etc/postfix/sender_checks,
That directive checks the email address which is used in the SMTP MAIL
FROM command.
I believe you need to use check_client_access to check the verified
client hostname instead of check_sender_access.
I need to let mail from outbound.protection.outlook.com, and bypass my
RBL checks.
That subdomain is used for outbound sending machine names, but I don't
think MS uses it for envelope senders. *Most* of their outbound machines
have "FCrDNS" but some don't, in which cases it won't hit. Nothing you
can do about the ones they screw up.
My old understanding is that the first OK "wins" (maybe not?), and I
have check sender before check RBL. I don't seem to be getting a
match/OK on it.
This is a sample log entry of what I'm trying to "OK" before it gets
to my RBL checks and thus fails:
Feb 28 12:45:13 host1 postfix/smtpd[10600]: connect from mail-psaapc01on2101.outbound.protection.outlook.com[40.107.255.101]
Feb 28 12:45:14 host1 postfix/smtpd[10600]: NOQUEUE: reject: RCPT from mail-psaapc01on2101.outbound.protection.outlook.com[40.107.255.101]: 554 Service unavailable; Client host [40.107.255.101] blocked using bl.spamcop.net; Blocked - see https://www.spamcop.net/bl.shtml?40.107.255.101; from=<info-asqmrfmx...@starscorp.onmicrosoft.com> to=<gary.cunning...@xyz.com> proto=ESMTP helo=<APC01-PSA-obe.outbound.protection.outlook.com>
Isn't the sender = connect from =
mail-psaapc01on2101.outbound.protection.outlook.com ?
In my sender_checks file I've tried:
outbound.protection.outlook.com OK
.outbound.protection.outlook.com OK # to match subdomains as an attempt to get it to work.
Can I go that deep on subdomains (e.g.
outbound.protection.outlook.com)? Or do I need to only have
".outlook.com OK"
I tried testing my sender_checks file using:
postmap -q 'mail-mw2nam10on2100.outbound.protection.outlook.com' hash:/etc/postfix/sender_checks
(does not match)
postmap -q 'outbound.protection.outlook.com' hash:/etc/postfix/sender_checks
OK #(matches)
In any case, what I'm doing does not prevent the RBL test that's after
the sender check from being passed.
-----
postconf -n:
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
body_checks = pcre:/etc/postfix/body_checks.pcre
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
disable_vrfy_command = yes
html_directory = no
inet_interfaces = $host1, localhost
local_recipient_maps = hash:/etc/postfix/local_recipient
mail_owner = postfix
mail_spool_directory = /var/spool/mail
mailbox_size_limit = 483886080
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
message_size_limit = 20971520
mydestination = $host1, localhost.$mydomain, localhost,
s-e-inc.com, $mydomain
mydomain = example.com
host1 = host1.example.com
mynetworks = localhost,$localdomain, [& other local IPs]
myorigin = $host1
newaliases_path = /usr/bin/newaliases.postfix
parent_domain_matches_subdomains = smtpd_access_maps
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.2.10/README_FILES
recipient_bcc_maps = hash:/etc/postfix/recipient_bcc
relay_domains = mlec.com
relay_recipient_maps = hash:/etc/postfix/relay_recipients
sample_directory = /usr/share/doc/postfix-2.2.10/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_data_restrictions = reject_unauth_pipelining, permit
smtpd_helo_required = yes
smtpd_recipient_limit = 3000
smtpd_recipient_restrictions = reject_invalid_hostname,
reject_non_fqdn_hostname, reject_non_fqdn_sender,
reject_non_fqdn_recipient, permit_mynetworks,
reject_unauth_destination, check_recipient_mx_access
hash:/etc/postfix/mx_access, check_sender_mx_access
hash:/etc/postfix/mx_access, reject_unknown_sender_domain,
check_recipient_access pcre:/etc/postfix/recipient_checks.pcre,
check_helo_access hash:/etc/postfix/helo_checks, check_sender_access
hash:/etc/postfix/sender_checks, check_client_access
hash:/etc/postfix/client_checks, check_client_access
pcre:/etc/postfix/client_checks.pcre, check_recipient_access
hash:/etc/postfix/access, reject_rbl_client
zen.spamhaus.org=127.0.0.[2..255], reject_rhsbl_client
dbl.spamhaus.org=127.0.1.[2..99], reject_rhsbl_sender
dbl.spamhaus.org=127.0.1.[2..99], reject_rhsbl_helo
dbl.spamhaus.org=127.0.1.[2..99], reject_rbl_client psbl.surriel.com,
reject_rbl_client bl.spamcop.net, reject_rhsbl_sender
fresh.spameatingmonkey.net, reject_rhsbl_client
fresh.spameatingmonkey.net, reject_rhsbl_sender
uribl.spameatingmonkey.net, reject_rhsbl_client
uribl.spameatingmonkey.net, reject_rbl_client
sip-sip24.metbpp3hnheh.invaluement.com, check_policy_service
unix:postgrey/socket, permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $host1
smtpd_sasl_security_options = noanonymous
smtpd_tls_CAfile = /etc/postfix/certs/cacert.pem
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/postfix/certs/postfix_public_cert.pem
smtpd_tls_key_file = /etc/postfix/certs/postfix_private_key.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = no
soft_bounce = no
tls_random_source = dev:/dev/urandom
transport_maps = hash:/etc/postfix/transport
unknown_local_recipient_reject_code = 550
virtual_alias_domains = hash:/etc/postfix/virtual_domains
virtual_alias_maps = hash:/etc/postfix/virtual_users
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
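
Added example, not part of either message: a simplified Python model of the key order that access(5) documents for check_sender_access and check_client_access, run against the values in the post. TABLE holds the entry quoted from sender_checks, the local part of SENDER is constructed because the logged address is truncated, and the function names are hypothetical.

```python
# Added example: simplified model of the key order in Postfix access(5) tables.
# TABLE, CLIENT, ADDR come from the post; SENDER's local part is constructed.

def domain_keys(name, parent=True):
    """Keys tried for a host or domain name, most specific first."""
    keys, name = [], name.lower()
    while name:
        keys.append(name)
        dot = name.find(".", 1)
        if dot < 0:
            break
        # parent=True models parent_domain_matches_subdomains containing
        # smtpd_access_maps (bare parent); otherwise ".parent" is tried.
        name = name[dot + 1:] if parent else name[dot:]
    return keys

def client_keys(hostname, address, parent=True):
    """check_client_access: verified client name, then address and networks.
    hostname is "unknown" when the PTR name is not forward-confirmed."""
    octets = address.split(".")
    return domain_keys(hostname, parent) + [".".join(octets[:n]) for n in (4, 3, 2, 1)]

def sender_keys(mail_from, parent=True):
    """check_sender_access: the MAIL FROM address only, never the client name."""
    local, _, domain = mail_from.lower().rpartition("@")
    return [f"{local}@{domain}"] + domain_keys(domain, parent) + [f"{local}@"]

def lookup(table, keys):
    """Return the action of the first key present in the table, else None."""
    return next((table[k] for k in keys if k in table), None)

TABLE = {"outbound.protection.outlook.com": "OK"}
CLIENT = "mail-psaapc01on2101.outbound.protection.outlook.com"
ADDR = "40.107.255.101"
SENDER = "sender@starscorp.onmicrosoft.com"

if __name__ == "__main__":
    print("sender :", lookup(TABLE, sender_keys(SENDER)))
    print("client :", lookup(TABLE, client_keys(CLIENT, ADDR)))
    print("no PTR :", lookup(TABLE, client_keys("unknown", ADDR)))
    print("literal:", TABLE.get(CLIENT))  # a single literal-key query, as postmap -q does
```

The literal-key line mirrors the postmap -q test in the post: postmap queries exactly the key it is given and does not walk parent domains, so the full machine name finds nothing even though smtpd would match it through the parent-domain key.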