On 14.04.2025 at 17:51:20, Jorge Bastos via Postfix-users wrote:
> How do you guys handle this type of situation?
> In this specific case, I want to add the scams.com list, but this
> gmail IP is blacklisted there, but also whitelisted in the users.
> 
> https://multirbl.valli.org/lookup/209.85.218.47.html
> 
> smtpd_recipient_restrictions = check_client_access
> cidr:/etc/postfix/client.cidr, check_client_access
> hash:/etc/postfix/client_checks, check_sender_access
> hash:/etc/postfix/sender_checks, reject_non_fqdn_sender,
> permit_mynetworks, permit_sasl_authenticated,
> reject_unauth_destination, reject_rbl_client zen.spamhaus.org,
> reject_rbl_client cbl.abuseat.org, reject_rbl_client
> spam.spamrats.com, reject_rbl_client bb.barracudacentral.org,
> reject_unknown_sender_domain, reject_rbl_client bl.mailspike.net,
> reject_rbl_client dyna.spamrats.com, reject_rbl_client
> pbl.spamhaus.org, reject_rbl_client b.barracudacentral.org,
> check_policy_service unix:private/policy-spf, reject_rbl_client
> bl.spamcop.net

In my case, instead of putting everything into smtpd_recipient_restrictions,
I use separate smtpd_*_restrictions as they are meant to be used.
smtpd_client_restrictions rejects/allows the connecting client, but if it
allows the client, it doesn't mean mail will be accepted, because the next
restrictions follow, and mail can be rejected by smtpd_helo_restrictions,
smtpd_sender_restrictions or smtpd_recipient_restrictions - I use all of
them!

So I have the following in my smtpd_client_restrictions:

permit_mynetworks, permit_sasl_authenticated,
check_client_access hash:/etc/postfix/rbl_override,
check_client_access pcre:/etc/postfix/rbl_override_regex,
check_sender_access hash:/etc/postfix/rbl_override_sender,
reject_rbl_client bl.spamcop.net=127.0.0.[1..255],
reject_rbl_client zen.spamhaus.org=127.0.0.[1..255], permit

So there are three override tables before checking RBLs. The first is just a
simple hash table that specifies single domains, networks or IP addresses.
If I want to exclude something from RBL checking, I usually put it here with
an OK entry.
Then there's a regex table for some more complicated hostnames matching a
particular pattern (actually I have only REJECT entries in this table, as
these tables can be used both to allow and reject the client before it even
proceeds to checking RBLs). Finally, there's something I introduced just
recently because I had a case that needed this - a table listing SENDERS
that are exempt from RBL checking (of course this requires
smtpd_delay_reject set to true, which is the default). Note the final
"permit" - if the client is not matched by any of these rules, it is
allowed, which means only that it passes this stage of restrictions and
proceeds to the next ones, which can still reject a message.
-- 
Regards,
   Jaroslaw Rafa
   r...@rafa.eu.org
--
"In a million years, when kids go to school, they're gonna know: once there
was a Hushpuppy, and she lived with her daddy in the Bathtub."
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
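
The three override tables described above, laid out with sample entries as an added example (not part of the original message and not Jaroslaw's actual files). The 209.85.218.47 entry is the IP from the lookup link in the question; every other table entry is a constructed placeholder.

```conf
# /etc/postfix/main.cf
# Client stage only. A client that passes here is still subject to the
# helo, sender and recipient restriction lists that follow.
smtpd_delay_reject = yes
smtpd_client_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    check_client_access hash:/etc/postfix/rbl_override,
    check_client_access pcre:/etc/postfix/rbl_override_regex,
    check_sender_access hash:/etc/postfix/rbl_override_sender,
    reject_rbl_client bl.spamcop.net=127.0.0.[1..255],
    reject_rbl_client zen.spamhaus.org=127.0.0.[1..255],
    permit

# /etc/postfix/rbl_override
# hash table: run "postmap /etc/postfix/rbl_override" after every edit.
# OK ends this restriction list, so the RBL lookups are never reached.
# Client IP taken from the lookup link in the question:
209.85.218.47       OK
# Constructed entries: a network given as leading octets (hash tables do
# not understand CIDR notation) and a client hostname.
192.0.2             OK
mail.example.org    OK

# /etc/postfix/rbl_override_regex
# pcre table: read directly, no postmap step.
# Constructed pattern matched against the client hostname; REJECT fires
# before any RBL query is made.
/^dsl-[0-9-]+\.example\.net$/    REJECT

# /etc/postfix/rbl_override_sender
# hash table: postmap after editing. Evaluated in the client list only
# because smtpd_delay_reject = yes defers the checks until RCPT TO.
# Constructed entry. The envelope sender is not authenticated, so keep
# this table as short as possible.
billing@example.com    OK
```

Running `postmap -q 209.85.218.47 hash:/etc/postfix/rbl_override` after rebuilding the table confirms that the override entry is found before relying on it.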
