Andrew, what you have configured doesn't say "reject anything not in mynetworks"; it says "permit mynetworks", then carry on and do further checking. This I presume is because you might want to accept email to mydestination (the domains this machine is the final destination for) or virtual domains, if configured.
If it's limited to only ever accepting and forwarding email for a particular subnet/hosts, then permit_mynetworks, reject will fix that and you don't need to check anything else. (I think; haven't researched, but it makes sense in my head.. :)

Cheers
Nick

> -----Original Message-----
> From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] On Behalf Of Andrew Long
> Sent: Wednesday, July 29, 2009 9:55 PM
> To: postfix-users
> Subject: proper ordering of reject
>
> I am seeing from our logs that clients attempting to send mail through
> our system are being (correctly) rejected when listed on one of the
> two RBLs we use, but this is happening even for clients NOT listed in
> /etc/postfix/relay-ip. My concern is that we are using more overhead
> than needed to look up their RBL status when they should have been
> rejected right off the bat. We are not an open relay, but do relay
> from selected IP blocks for known hotspot operators.
>
> Below is our config, followed by a log entry indicating a mail that was
> turned down for RBL although it's from an unlisted relay-ip.
>
> Any hints on config tweaks to improve this type of setup are most
> appreciated.
>
> - Andrew
>
> # postconf -n
> alias_maps = hash:/etc/aliases
> command_directory = /usr/sbin
> config_directory = /etc/postfix
> daemon_directory = /usr/libexec/postfix
> debug_peer_level = 2
> default_destination_recipient_limit = 50
> default_process_limit = 10
> disable_vrfy_command = yes
> html_directory = no
> local_recipient_maps =
> mailq_path = /usr/bin/mailq.postfix
> manpage_directory = /usr/share/man
> mydomain = mydomain.com
> myhostname = mail.mydomain.com
> mynetworks = 127.0.0.0/8, /etc/postfix/relay-ip
> newaliases_path = /usr/bin/newaliases.postfix
> readme_directory = /usr/share/doc/postfix-2.2.10/README_FILES
> relay_domains = mydomain.com
> relay_recipient_maps = hash:/etc/postfix/relay_recipients
> relay_transport = smtp
> sample_directory = /usr/share/doc/postfix-2.2.10/samples
> sendmail_path = /usr/sbin/sendmail.postfix
> setgid_group = postdrop
> smtp_connect_timeout = 30s
> smtp_helo_timeout = 60s
> smtpd_banner = $myhostname ESMTP $mail_name
> smtpd_client_connection_count_limit = 50
> smtpd_client_connection_rate_limit = 50
> smtpd_client_event_limit_exceptions = 127.0.0.0/8
> smtpd_client_message_rate_limit = 50
> smtpd_client_recipient_rate_limit = 50
> smtpd_client_restrictions = permit_mynetworks
> smtpd_data_restrictions = reject_unauth_pipelining, permit
> smtpd_helo_required = yes
> smtpd_helo_restrictions =
> smtpd_recipient_restrictions = permit_mynetworks,
>     reject_unauth_destination,
>     reject_non_fqdn_recipient,
>     reject_non_fqdn_sender,
>     reject_unlisted_sender,
>     reject_invalid_hostname,
>     check_helo_access hash:/etc/postfix/helo_checks,
>     check_sender_access hash:/etc/postfix/sender_access,
>     check_recipient_access hash:/etc/postfix/roleaccount,
>     reject_unknown_sender_domain,
>     reject_rbl_client bl.spamcop.net,
>     reject_rbl_client zen.spamhaus.org
> smtpd_sender_restrictions =
> unknown_local_recipient_reject_code = 550
>
> ==============================
>
> Jul 29 08:07:42 dev postfix/smtpd[13997]: connect from unknown[58.239.110.2]
> Jul 29 08:07:44 dev postfix/smtpd[13997]: NOQUEUE: reject: RCPT from unknown[58.239.110.2]: 554 Service unavailable; Client host [58.239.110.2] blocked using bl.spamcop.net; Blocked ...
> Jul 29 08:07:44 dev postfix/smtpd[13997]: NOQUEUE: reject: RCPT from unknown[58.239.110.2]: 554 Service unavailable; Client host [58.239.110.2] blocked using bl.spamcop.net; Blocked ...
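The point Nick is making (permit_mynetworks is "permit or keep going", not "permit or reject") comes down to how Postfix walks a restriction list: each restriction answers OK (permit, stop walking this list), REJECT (stop, the RCPT is refused) or DUNNO (no opinion, try the next one), and the client list is walked before the recipient list. The Python below is an added toy model of that walk, written for this thread; it is not Postfix code and it performs no DNS queries. The mynetworks contents (10.1.0.0/16 standing in for /etc/postfix/relay-ip), the relay domain and the DNSBL answer for 58.239.110.2 are all constructed for the example, and only the restrictions needed to show the ordering are modelled.

```python
"""Toy model of how Postfix walks its smtpd restriction lists (added example,
not Postfix code). Each restriction yields OK (permit, stop this list),
REJECT (stop everything) or DUNNO (no opinion, try the next one). The lists
are walked client first, then recipient, which matches the posted config
where the helo and sender lists are empty.
"""
import ipaddress

OK, REJECT, DUNNO = "OK", "REJECT", "DUNNO"

# Constructed stand-ins: the real /etc/postfix/relay-ip contents are not on the
# page, and the DNSBL answer is faked so nothing is looked up over the network.
MYNETWORKS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "10.1.0.0/16")]
RELAY_DOMAINS = {"mydomain.com"}
RBL_LISTED = {"58.239.110.2"}


class Session:
    """State of one SMTP session up to the RCPT stage."""

    def __init__(self, client_ip, recipient):
        self.client_ip = ipaddress.ip_address(client_ip)
        self.recipient = recipient
        self.rbl_lookups = 0  # DNSBL queries this session would have cost


def permit_mynetworks(s):
    return OK if any(s.client_ip in net for net in MYNETWORKS) else DUNNO


def permit(s):
    return OK


def reject(s):
    return REJECT


def reject_unauth_destination(s):
    domain = s.recipient.rsplit("@", 1)[-1].lower()
    return DUNNO if domain in RELAY_DOMAINS else REJECT


def reject_rbl_client(s):
    s.rbl_lookups += 1  # a real lookup is a DNS round trip per RCPT
    return REJECT if str(s.client_ip) in RBL_LISTED else DUNNO


RESTRICTIONS = {f.__name__: f for f in (
    permit_mynetworks, permit, reject, reject_unauth_destination, reject_rbl_client)}

STAGES = ("smtpd_client_restrictions", "smtpd_recipient_restrictions")


def evaluate_list(names, s):
    """Walk one restriction list; the first non-DUNNO answer wins."""
    for name in names:
        result = RESTRICTIONS[name](s)
        if result != DUNNO:
            return result, name
    return DUNNO, None


def rcpt_decision(config, client_ip, recipient):
    """Return (decision, what decided it, DNSBL lookups spent) for one RCPT."""
    s = Session(client_ip, recipient)
    for stage in STAGES:
        result, name = evaluate_list(config.get(stage, []), s)
        if result == REJECT:
            return REJECT, f"{stage}:{name}", s.rbl_lookups
        # OK only ends this list; the next list is still walked.
    return OK, "end of lists", s.rbl_lookups


# Andrew's ordering (other restrictions left out) versus the
# "permit_mynetworks, reject" client list Nick proposes.
ORIGINAL = {
    "smtpd_client_restrictions": ["permit_mynetworks"],
    "smtpd_recipient_restrictions": [
        "permit_mynetworks", "reject_unauth_destination", "reject_rbl_client"],
}
RELAY_ONLY = {
    "smtpd_client_restrictions": ["permit_mynetworks", "reject"],
    "smtpd_recipient_restrictions": ORIGINAL["smtpd_recipient_restrictions"],
}

if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL), ("relay-only", RELAY_ONLY)):
        for ip, rcpt in (("58.239.110.2", "user@mydomain.com"),
                         ("58.239.110.2", "user@other.example"),
                         ("10.1.2.3", "user@other.example")):
            print(label, ip, rcpt, rcpt_decision(cfg, ip, rcpt))
```

Running it shows the two paths an outside client can take under the posted config: a RCPT for a domain outside relay_domains is stopped by reject_unauth_destination with no DNSBL lookup spent, while a RCPT for mydomain.com passes reject_unauth_destination (it is a domain the server is meant to accept) and the DNSBL is the first restriction that says no, which is the shape of the logged rejection. With "permit_mynetworks, reject" in smtpd_client_restrictions the outside client is refused before any lookup, but so is every MX delivery for mydomain.com from a host outside relay-ip; that is why the suggestion only fits a box that relays for its own networks and is not also a public MX for relay_domains.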