On Aug 12, 2010, at 2:55 PM, Noel Jones wrote:

> On 8/12/2010 1:37 PM, donovan jeffrey j wrote:
>>
>> On Aug 12, 2010, at 2:24 PM, Noel Jones wrote:
>>
>>> On 8/12/2010 1:07 PM, donovan jeffrey j wrote:
>>>> greetings
>>>>
>>>> all day long I see tons of reject warnings from different ips sample
>>>> reject_warning: RCPT from unknown[65.60.20.157]: 450 Client host rejected:
>>>> cannot find your hostname, [65.60.20.157];
>>>>
>>>> when I do an nslookup or host that IP it returns a
>>>> 157.20.60.65.in-addr.arpa domain name pointer sh4.amazingfireman.info
>>>>
>>>> but dig returns nothing so postfix returns a reject warning.
>>>> Much of this mail is unwanted, i want to block the majority of these
>>>> however I do not want to block users that use a colocation site or legit
>>>> users;
>>>>
>>>> example; i know these people are legit but have no control over their
>>>> mailserver
>>>> reject_warning: RCPT from unknown[209.131.70.106]: 450 Client host
>>>> rejected: cannot find your hostname, [209.131.70.106]; from=<u...@dhuy.com>
>>>>
>>>> Non-authoritative answer:
>>>> 106.70.131.209.in-addr.arpa name = ip70-106-tcpbbs.net.
>>>>
>>>> dig shows nothing for that ip but they do have an mx record under their
>>>> domain name dhuy.com
>>>>
>>>> ;; ANSWER SECTION:
>>>> dhuy.com. 1595 IN MX 10 mail.dhuy.com.
>>>>
>>>> Name: mail.dhuy.com
>>>> Address: 209.131.70.106
>>>>
>>>> nc1-100:~ drfoo$ host 209.131.70.106
>>>> 106.70.131.209.in-addr.arpa domain name pointer ip70-106-tcpbbs.net
>>>>
>>>> it goes in a circle.
>>>>
>>>> So in hopes that i can allow them to pass i have added the IP to my
>>>> smtpd_client_restrictions = permit_mynetworks check_client_access
>>>> hash:/etc/postfix/access
>>>> is that the right approach ?
>>>
>>> I hope you mean you added the IP to your access table, not mynetworks.
>>> Other than that, this is the right general idea.
>>
>> hehe yeah yeah not my network, i added to access.
>>>
>>> Whether this is the right place to add the access table depends on where
>>> your reject_unknown_client is. The whitelist and reject_unknown_client
>>> must be in the same section.
>>
>> is it okay to have the warn_if_reject reject_unknown_client in
>> smtpd_recipient_restrictions, I had read somewhere it was better to reject
>> after client and helo because the client would just hang up and try again.
>> right now I have the restriction in recipient. and I also have a
>> check_recipient_access hash:/etc/postfix/recipient_access. So i must place
>> it in there.
>> -j
>
> In that case remove your smtpd_{client, helo, sender}_restrictions and put
> everything under smtpd_recipient_restrictions.

so no reject_unknown_client in any line ? sorry if i seem confused. I have not worked with this config in many years and I'm trying to update all of these systems.

so i should then,

smtpd_client_restrictions =
smtpd_sender_restrictions =
smtpd_recipient_restrictions =
    permit_mynetworks
    reject_unauth_destination
    check_recipient_access hash:/etc/postfix/recipient_white_access
    check_recipient_access hash:/etc/postfix/recipient_black_access
    reject_invalid_hostname
    reject_non_fqdn_sender
    reject_non_fqdn_recipient
    reject_unlisted_recipient
    reject_unknown_recipient_domain
    reject_rbl_client zen.spamhaus.org
    reject_rbl_client cbl.abuseat.org,
    permit

I added a few because they were already in my config. along with warn_if_reject reject_unknown_client

thanks for your help.

>
> General order should be like so:
> smtpd_recipient_restrictions =
> # clients that can relay
>   permit_mynetworks
> # no one below here can relay
>   reject_unauth_destination
> # local whitelist of IPs and client names goes here
>   check_client_access hash:/etc/postfix/client_whitelist
> # maybe a local blacklist. It's possible to combine
> # the whitelist & blacklist, but cleaner to separate
>   check_client_access hash:/etc/postfix/client_blacklist
> # other local reject_* antispam checks
>   ...
> # generally put RBLs last since they require a DNS lookup.
>   reject_rbl_client zen.spamhaus.org
> # anything that gets this far is delivered.
>
> -- Noel Jones
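
Added example, not part of the original thread: a simplified Python model of how Postfix walks the smtpd_*_restrictions lists, showing why the whitelist must sit in the same list as reject_unknown_client. It assumes reject_unknown_client is enforced (no warn_if_reject), matches access tables on the client IP only, and uses constructed client records and table contents.

```python
# Simplified model of Postfix restriction-list evaluation (added example).
# Assumptions: only the restrictions named in the thread are modelled, and
# access tables are matched on the client IP only.
LISTS = ("smtpd_client_restrictions", "smtpd_helo_restrictions",
         "smtpd_sender_restrictions", "smtpd_recipient_restrictions")

def check(restriction, client, tables):
    """Return 'OK', 'REJECT' or 'DUNNO' for a single restriction."""
    name, _, arg = restriction.partition(" ")
    if name == "permit_mynetworks":
        return "OK" if client["ip"] in tables["mynetworks"] else "DUNNO"
    if name == "check_client_access":
        return tables[arg].get(client["ip"], "DUNNO")
    if name == "reject_unknown_client":  # such clients are logged as unknown[ip]
        return "REJECT" if client["name"] == "unknown" else "DUNNO"
    if name == "reject_unauth_destination":
        return "DUNNO" if client["rcpt_is_local"] else "REJECT"
    raise ValueError(f"restriction not modelled: {restriction}")

def evaluate(config, client, tables):
    """OK ends only the current list; REJECT ends the whole evaluation."""
    for list_name in LISTS:
        for restriction in config.get(list_name, []):
            result = check(restriction, client, tables)
            if result == "REJECT":
                return f"REJECT by {restriction} in {list_name}"
            if result == "OK":
                break  # skip the rest of this list, go on to the next list
    return "PERMIT"

# Constructed sample data based on the addresses quoted in the thread.
TABLES = {"mynetworks": {"127.0.0.1"},
          "hash:/etc/postfix/access": {"209.131.70.106": "OK"},
          "hash:/etc/postfix/client_whitelist": {"209.131.70.106": "OK"}}
LEGIT = {"ip": "209.131.70.106", "name": "unknown", "rcpt_is_local": True}
OTHER = {"ip": "65.60.20.157", "name": "unknown", "rcpt_is_local": True}
# Whitelist in the client list, reject_unknown_client in the recipient list.
SPLIT = {"smtpd_client_restrictions": ["permit_mynetworks",
             "check_client_access hash:/etc/postfix/access"],
         "smtpd_recipient_restrictions": ["permit_mynetworks",
             "reject_unauth_destination", "reject_unknown_client"]}
# Everything in one list, whitelist ahead of reject_unknown_client.
COMBINED = {"smtpd_recipient_restrictions": ["permit_mynetworks",
    "reject_unauth_destination",
    "check_client_access hash:/etc/postfix/client_whitelist",
    "reject_unknown_client"]}

for label, cfg in (("split", SPLIT), ("combined", COMBINED)):
    print(label, "->", evaluate(cfg, LEGIT, TABLES), "|", evaluate(cfg, OTHER, TABLES))
```

In the split layout the whitelist hit only ends smtpd_client_restrictions, so the whitelisted host is still rejected later; in the combined layout it is permitted while the unlisted unknown client is still rejected.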