On 14.04.2025 at 17:51:20, Jorge Bastos via Postfix-users wrote:
> How do you guys handle this type of situations?
> In this specific case, I want to add the scams.com list, but this
> gmail IP is blacklisted there, but also whitelisted in the users.
>
> https://multirbl.valli.org/lookup/209.85.218.47.html
>
> smtpd_recipient_restrictions = check_client_access
> cidr:/etc/postfix/client.cidr, check_client_access
> hash:/etc/postfix/client_checks, check_sender_access
> hash:/etc/postfix/sender_checks, reject_non_fqdn_sender,
> permit_mynetworks, permit_sasl_authenticated,
> reject_unauth_destination, reject_rbl_client zen.spamhaus.org,
> reject_rbl_client cbl.abuseat.org, reject_rbl_client
> spam.spamrats.com, reject_rbl_client bb.barracudacentral.org,
> reject_unknown_sender_domain, reject_rbl_client bl.mailspike.net,
> reject_rbl_client dyna.spamrats.com, reject_rbl_client
> pbl.spamhaus.org, reject_rbl_client b.barracudacentral.org,
> check_policy_service unix:private/policy-spf, reject_rbl_client
> bl.spamcop.net

In my case, instead of putting everything into smtpd_recipient_restrictions, I use separate smtpd_*_restrictions as they are meant to. smtpd_client_restrictions reject/allow connecting client, but if they allow, it doesn't mean mail will be accepted, because the next restrictions follow, and mail can be rejected by smtpd_helo_restrictions, smtpd_sender_restrictions or smtpd_recipient_restrictions - I use all of them!

So I have the following in my smtpd_client_restrictions:

    permit_mynetworks,
    permit_sasl_authenticated,
    check_client_access hash:/etc/postfix/rbl_override,
    check_client_access pcre:/etc/postfix/rbl_override_regex,
    check_sender_access hash:/etc/postfix/rbl_override_sender,
    reject_rbl_client bl.spamcop.net=127.0.0.[1..255],
    reject_rbl_client zen.spamhaus.org=127.0.0.[1..255],
    permit

So there are three override tables before checking RBLs. The first is just a simple hash table that specifies single domains, networks or IP addresses. If I want to exclude something from RBL checking, I usually put it here with an OK entry. Then there's a regex table for some more complicated hostnames matching a particular pattern (actually I have only REJECT entries in this table, as these tables can be used both to allow and reject the client before it even proceeds to checking RBLs), finally there's something I introduced just recently because I had a case that needed this - a table listing SENDERS that are exempt from RBL checking (of course this requires smtpd_delay_reject set to true, which is the default).

Note the final "permit" - if the client is not matched by any of these rules, it is allowed, which means only that it passes this stage of restrictions and proceeds to next ones, which can still reject a message.

--
Regards,
   Jaroslaw Rafa
   r...@rafa.eu.org
--
"In a million years, when kids go to school, they're gonna know: once there was a Hushpuppy, and she lived with her daddy in the Bathtub."
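
The staged evaluation described in the reply above, as an added Python sketch (not part of the original message and not Postfix code): an OK from an override table skips the RBL check in the client stage only, and the recipient stage can still reject. Table contents, the stand-in DNSBL set, the local domain and all function names are constructed assumptions; the pcre table, permit_mynetworks and permit_sasl_authenticated are left out.

```python
# Simplified model of Postfix restriction lists; all table data is constructed.
RBL_OVERRIDE = {"209.85.218.47": "OK", "192.0.2": "OK"}   # hash: address or network prefix
RBL_OVERRIDE_SENDER = {"billing@partner.example": "OK"}   # hash: senders exempt from RBLs
DNSBL_LISTED = {"209.85.218.47", "192.0.2.77", "198.51.100.9"}  # stands in for DNS queries
LOCAL_DOMAINS = {"example.org"}                           # domains this server accepts mail for

def client_access(table):
    # access(5) order for an IPv4 client: full address, then ever shorter prefixes
    def check(s):
        octets = s["client"].split(".")
        for n in range(4, 0, -1):
            action = table.get(".".join(octets[:n]))
            if action:
                return action
        return "DUNNO"
    return check

def sender_access(table):
    # Real Postfix also tries the domain and user@ forms; only the full address here
    return lambda s: table.get(s["sender"], "DUNNO")

def reject_rbl_client(s):
    return "REJECT" if s["client"] in DNSBL_LISTED else "DUNNO"

def reject_unauth_destination(s):
    return "DUNNO" if s["rcpt"].rsplit("@", 1)[-1] in LOCAL_DOMAINS else "REJECT"

def permit(s):
    return "OK"

CLIENT_STAGE = [client_access(RBL_OVERRIDE), sender_access(RBL_OVERRIDE_SENDER),
                reject_rbl_client, permit]
RECIPIENT_STAGE = [reject_unauth_destination, permit]

def run_stage(rules, s):
    # The first result other than DUNNO ends this list, and only this list
    for rule in rules:
        result = rule(s)
        if result != "DUNNO":
            return result
    return "OK"

def decide(client, sender, rcpt):
    # smtpd_delay_reject=yes: both lists are evaluated at RCPT TO, sender is known
    s = {"client": client, "sender": sender, "rcpt": rcpt}
    for name, rules in (("client", CLIENT_STAGE), ("recipient", RECIPIENT_STAGE)):
        if run_stage(rules, s) == "REJECT":
            return "REJECT at " + name
    return "ACCEPT"
```
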