On 8/12/2010 1:37 PM, donovan jeffrey j wrote:
> On Aug 12, 2010, at 2:24 PM, Noel Jones wrote:
>> On 8/12/2010 1:07 PM, donovan jeffrey j wrote:
>>> Greetings,
>>> all day long I see tons of reject warnings from different IPs. Sample:
>>> reject_warning: RCPT from unknown[65.60.20.157]: 450 Client host rejected:
>>> cannot find your hostname, [65.60.20.157];
>>> When I do an nslookup or host on that IP it returns a 157.20.60.65.in-addr.arpa
>>> domain name pointer sh4.amazingfireman.info
>>> but dig returns nothing, so postfix returns a reject warning.
>>> Much of this mail is unwanted, I want to block the majority of these, however I
>>> do not want to block users that use a colocation site or legit users.
>>> Example: I know these people are legit but have no control over their mailserver
>>> reject_warning: RCPT from unknown[209.131.70.106]: 450 Client host rejected: cannot
>>> find your hostname, [209.131.70.106]; from=<u...@dhuy.com>
>>> Non-authoritative answer:
>>> 106.70.131.209.in-addr.arpa name = ip70-106-tcpbbs.net.
>>> dig shows nothing for that IP but they do have an MX record under their domain
>>> name dhuy.com
>>> ;; ANSWER SECTION:
>>> dhuy.com. 1595 IN MX 10 mail.dhuy.com.
>>> Name: mail.dhuy.com
>>> Address: 209.131.70.106
>>> nc1-100:~ drfoo$ host 209.131.70.106
>>> 106.70.131.209.in-addr.arpa domain name pointer ip70-106-tcpbbs.net
>>> It goes in a circle.
>>> So in hopes that I can allow them to pass I have added the IP to my
>>> smtpd_client_restrictions = permit_mynetworks check_client_access
>>> hash:/etc/postfix/access
>>> Is that the right approach?

>> I hope you mean you added the IP to your access table, not mynetworks. Other
>> than that, this is the right general idea.

> Hehe, yeah yeah, not my network, I added to access.

>> Whether this is the right place to add the access table depends on where your
>> reject_unknown_client is. The whitelist and reject_unknown_client must be in
>> the same section.

> Is it okay to have the warn_if_reject reject_unknown_client in
> smtpd_recipient_restrictions? I had read somewhere it was better to reject
> after client and helo because the client would just hang up and try again.
> Right now I have the restriction in recipient, and I also have a
> check_recipient_access hash:/etc/postfix/recipient_access. So I must place it
> in there.
> -j

In that case remove your smtpd_{client, helo, sender}_restrictions
and put everything under smtpd_recipient_restrictions.

General order should be like so:

smtpd_recipient_restrictions =
    # clients that can relay
    permit_mynetworks
    # no one below here can relay
    reject_unauth_destination
    # local whitelist of IPs and client names goes here
    check_client_access hash:/etc/postfix/client_whitelist
    # maybe a local blacklist. It's possible to combine
    # the whitelist & blacklist, but cleaner to separate
    check_client_access hash:/etc/postfix/client_blacklist
    # other local reject_* antispam checks
    ...
    # generally put RBLs last since they require a DNS lookup.
    reject_rbl_client zen.spamhaus.org
    # anything that gets this far is delivered.

-- Noel Jones
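
Added example (not part of the thread and not Postfix's own tooling): a small Python linter for the two ordering rules given in the reply above, namely that the client whitelist must sit in the same restriction list as reject_unknown_client and ahead of it, and that access tables belong below reject_unauth_destination. The GOOD and BAD main.cf fragments and the function names are constructed for illustration; BAD mirrors the split client/recipient layout described in the quoted question, with the position of reject_unauth_destination assumed.

```python
import re

# Constructed main.cf fragments for illustration; not taken from a real server.
GOOD = """\
smtpd_recipient_restrictions =
    # clients that can relay
    permit_mynetworks
    reject_unauth_destination
    check_client_access hash:/etc/postfix/client_whitelist
    warn_if_reject reject_unknown_client
"""
BAD = """\
smtpd_client_restrictions = permit_mynetworks
    check_client_access hash:/etc/postfix/access
smtpd_recipient_restrictions = permit_mynetworks
    check_recipient_access hash:/etc/postfix/recipient_access
    warn_if_reject reject_unknown_client
    reject_unauth_destination
"""
UNKNOWN = {"reject_unknown_client", "reject_unknown_client_hostname"}

def parse_main_cf(text):
    """Map parameter -> tokens; '#' lines are skipped, indented lines continue."""
    params, name = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not (line[0].isspace() and name):  # a new "name = value" line
            name, _, line = (p.strip() for p in line.partition("="))
            params[name] = []
        params[name] += [t for t in re.split(r"[,\s]+", line) if t]
    return params

def lint(text):
    """Return ordering findings for every *_restrictions list in the text."""
    findings = []
    for name, toks in parse_main_cf(text).items():
        if not name.endswith("_restrictions"):
            continue
        pos = next((i for i, t in enumerate(toks) if t in UNKNOWN), None)
        if pos is not None and "check_client_access" not in toks[:pos]:
            findings.append(f"{name}: no check_client_access before {toks[pos]}")
        if name == "smtpd_recipient_restrictions":
            cut = toks.index("reject_unauth_destination") if "reject_unauth_destination" in toks else len(toks)
            early = [t for t in toks[:cut] if re.fullmatch(r"check_\w+_access", t)]
            findings += [f"{name}: {t} sits above reject_unauth_destination" for t in early]
    return findings

if __name__ == "__main__":
    print("GOOD:", lint(GOOD), "BAD:", lint(BAD))
```

The second finding matters because an OK result from an access table placed above reject_unauth_destination permits the recipient before the relay check runs.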