On 2/28/2024 1:38 PM, Scott Techlist via Postfix-users wrote:
I need to allow a domain to bypass my RBL checks. I’m doing
something wrong, or I’m misunderstanding what I’m checking from my
logs. I’d be grateful for an assist to remedy.
This box is an old postfix install Postfix version 2.2.10. (I know,
working on migrating)
access maps processing has not changed significantly since then.
main.cf: (full postconf –n output follows below)
parent_domain_matches_subdomains = smtpd_access_maps
check_sender_access hash:/etc/postfix/sender_checks,
I need to let mail from outbound.protection.outlook.com, and bypass
my RBL checks. My old understanding is that the first OK “wins”
The first OK ends that section of restrictions. A reject in any
other section will still reject the mail.
Each restriction section must pass (or be empty)
smtpd_client_restrictions
smtpd_helo_restrictions
smtpd_sender_restrictions
smtpd_relay_restrictions (in newer postfix)
smtpd_recipient_restrictions
smtpd_data_restrictions
smtpd_end_of_data_restrictions
...
Feb 28 12:45:14 host1 postfix/smtpd[10600]: NOQUEUE: reject: RCPT
from
mail-psaapc01on2101.outbound.protection.outlook.com[40.107.255.101]:
554 Service unavailable; Client host [40.107.255.101] blocked using
bl.spamcop.net; Blocked - see
https://www.spamcop.net/bl.shtml?40.107.255.101;
from=<info-asqmrfmx...@starscorp.onmicrosoft.com>
to=<gary.cunning...@xyz.com> proto=ESMTP
helo=<APC01-PSA-obe.outbound.protection.outlook.com>
Isn’t the sender = connect from =
mail-psaapc01on2101.outbound.protection.outlook.com ?
NO, that's the client. The client is the computer that sends the
mail, represented by its IP address, or the hostname PTR of that IP.
The sender is the SMTP MAIL FROM and is listed in the postfix logs
as the from= address. This may or may not be the same as the From:
header in the email.
In my sender_checks file I’ve tried:
outbound.protection.outlook.com OK
.outbound.protection.outlook.com OK # to match subdomains as an
attempt to get it to work.
Since that's a client, it will need to be in a map that uses
check_client_access.
Alternately, you could use the from= address
starscorp.onmicrosoft.com, or the parent domain onmicrosoft.com, in
your sender_checks.
Can I go that deep on subdomains (e.g.
outbound.protection.outlook.com)? Or do I need to only have
“.outlook.com OK”
The dotted form only works with an empty
parent_domain_matches_subdomains. There is no depth limit.
Use one form or the other depending on your preference for
parent_domain_matches_subdomains, no need to use both.
The reason it doesn't work is you're confusing sender and client.
I tried testing my sender_checks file using:
postmap -q 'mail-mw2nam10on2100.outbound.protection.outlook.com'
hash:/etc/postfix/sender_checks
(does not match)
postmap -q 'outbound.protection.outlook.com'
hash:/etc/postfix/sender_checks
OK #(matches)
As documented, postmap is a simple test tool and does not do any
automatic parent or subdomain searching.
-- Noel Jones
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
