José Luis Tallón wrote:
> Hi,
>
> Ignacio Garcia wrote:
>> Hi there. We use in our postfix servers several programs to prevent spam
>> (amavisd-new + spamassassin, postgrey, and policyd-weight). We like very
>> much policyd-weight because it bases its blocking decisions on a score
>> calculated by the number of blacklists a server is in. We are, however,
>> puzzled by the fact that we are blocking all incoming email from
>> terra.es, a division of telefonica, the largest ISP in Spain. Before we
>> contact terra's postmaster,
> Just forget about that... they won't even hear you since they are the
> largest (and so, must do everything right -- bullshit)
>> we are trying to figure out where the
>> problem is. Although this is a postfix list (and not policyd-weight's),
>> I humbly ask you all email gurus for help since this is more related to
>> rbl and dns stuff than policyd-weight malfunctioning. Here's the log:
> Not a mail guru, but the approach below does work
>> [snip]
>> Please know that although terra.es shows listed twice in rbl lists, we do
>> not block them for that particular reason (we block when anyone is
>> listed 3 times in rbl lists). We are blocking them because of this line:
>>
>> FROM/MX_MATCHES_NOT_HELO(DOMAIN)=2.9 CLIENT_NOT_MX/A_FROM_DOMAIN=9.1
>>
>> we have checked their dns entries and seem normal (I'm no dns expert
>> though)
> What we do (without policyd-weight, however):
>
> Redirect these "problematic domains" to a special restriction class (we
> call it from_freemail)
> Then, we match the sending server with *any* valid sending server for
> that domain.
>
> Something along the lines:
> ACCESS (check_sender_access somewhere)
> terra.es from_telefonica
>
> from_telefonica = check_client_access hash:$config_directory/access_from_telefonica
>
> /etc/postfix/access_from_telefonica
> terra.es reject_unauth_destination
> telefonica.net reject_unauth_destination
>
>> Any help is much appreciated.
> That will do the trick, when placed BEFORE check_policy_service (in the
> recipient_restrictions list, in order to have as much info available for
> the checks)
>
>
> Cheers,
>

Thanks all for your reply.

Ok, terra.es sends through telefonica.net. However, emails coming from
telefonica.net go through policyd-weight without any trouble, so I guess
the second entry in $config_directory/access_from_telefonica
(telefonica.net ...) is not necessary, right?

Our smtpd_recipient_restrictions is as follows:

smtpd_recipient_restrictions =
    reject_unauth_pipelining,
    reject_unknown_recipient_domain,
    permit_mynetworks,
    permit_sasl_authenticated,
    check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf,
    reject_unauth_destination,
    check_client_access hash:/etc/postfix/host_whitelist,
    check_client_access hash:/etc/postfix/relay_whitelist,
    check_policy_service inet:127.0.0.1:12525,
    check_client_access regexp:/etc/postfix/check_client_fqdn,
    check_sender_access regexp:/etc/postfix/filter_catchall_10024

where check_policy_service inet:127.0.0.1:12525 is policyd-weight.

Therefore, after declaring in main.cf:

from_telefonica = check_client_access hash:$config_directory/access_from_telefonica

I'd leave it like this:

smtpd_recipient_restrictions =
    reject_unauth_pipelining,
    reject_unknown_recipient_domain,
    permit_mynetworks,
    permit_sasl_authenticated,
    check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf,
    reject_unauth_destination,
    check_client_access hash:/etc/postfix/host_whitelist,
    check_client_access hash:/etc/postfix/relay_whitelist,
    from_telefonica,
    check_policy_service inet:127.0.0.1:12525,
    check_client_access regexp:/etc/postfix/check_client_fqdn,
    check_sender_access regexp:/etc/postfix/filter_catchall_10024

I added from_telefonica right before policyd-weight.

Now, I understand that after going to from_telefonica, the rest of the
declarations will be ignored. If that is correct, I'll have to add them
to the file /etc/postfix/access_from_telefonica. In that case, can I add
several statements for terra.es as in?

terra.es check_client_access regexp:/etc/postfix/check_client_fqdn, check_sender_access regexp:/etc/postfix/filter_catchall_10024

(all in one line, of course)

Thanks very much in advance

Ignacio
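
A simplified model of how Postfix walks an ordered restriction list, added here as an example (it is not code from this thread or from Postfix): each restriction yields OK, REJECT or DUNNO, evaluation stops at the first OK or REJECT, and DUNNO falls through to the next entry, including when it comes back from a restriction class. The client hostname mx1.telefonica.net, the local domain example.org and the policy stub are constructed assumptions.

```python
OK, REJECT, DUNNO = "OK", "REJECT", "DUNNO"

# Constructed stand-ins for the thread's class declaration and access table.
CLASSES = {"from_telefonica": ["check_client_access access_from_telefonica"]}
MAPS = {"access_from_telefonica": {"terra.es": "reject_unauth_destination",
                                   "telefonica.net": "reject_unauth_destination"}}
LOCAL_DOMAINS = {"example.org"}  # assumption: domains this server accepts mail for


def lookup(table, host):
    """Match the host name, then each parent domain (simplified access lookup)."""
    labels = host.split(".")
    for i in range(len(labels) - 1):
        key = ".".join(labels[i:])
        if key in table:
            return table[key]
    return None


def evaluate(restrictions, session, trace):
    """Return the first non-DUNNO result; DUNNO falls through to the next entry."""
    for r in restrictions:
        trace.append(r)
        name, _, arg = r.partition(" ")
        if name in CLASSES:
            result = evaluate(CLASSES[name], session, trace)
        elif name == "check_client_access":
            action = lookup(MAPS[arg], session["client"])
            result = evaluate([action], session, trace) if action else DUNNO
        elif name == "reject_unauth_destination":
            domain = session["rcpt"].rsplit("@", 1)[1]
            result = DUNNO if domain in LOCAL_DOMAINS else REJECT
        elif name == "check_policy_service":
            result = session["policy"](session)  # stub standing in for policyd-weight
        else:
            raise ValueError(f"restriction not modelled: {r}")
        if result != DUNNO:
            return result
    return DUNNO


def demo(policy_verdict):
    """Run a constructed terra.es delivery through the tail of the proposed list."""
    session = {"client": "mx1.telefonica.net", "rcpt": "user@example.org",
               "policy": lambda s: policy_verdict}
    trace = []
    tail = ["from_telefonica", "check_policy_service inet:127.0.0.1:12525"]
    return evaluate(tail, session, trace), trace
```

In this model the class returns DUNNO for mail addressed to a local domain, so the trace still ends at check_policy_service and its verdict decides the outcome.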