On Sat, Apr 09, 2011 at 05:47:14PM +0300, Ejaz wrote:
> I was trying to add this "smtpd_client_restrictions = 
> check_client_access hash:/etc/postfix/access, 

"access" is a poor name for an access lookup. File names generally 
should at least indicate the type of lookup, if not the purpose of 
it: client_access, client_blacklist, etc.

> hash:/etc/postfix/mynetworks, reject_rbl_client bl.spamcop.vnet, 

Spelling counts. Last I knew, the VNET top-level domain had not been 
proposed. Note as well that you misspelled "smtpd" in the Subject: 
header here.

Also, you're using the implicit invocation of check_client_access 
with hash:/etc/postfix/mynetworks. You should be explicit about that 
by preceding it with "check_client_access".

SMTPD_ACCESS_README.html (on www.postfix.org and in your own local 
copy) is highly recommended.

> reject_rbl_client list.dsbl.org" in postfix main.cf file it won't 
> work out for me.

DSBL has been dead now for almost three years!

Never, EVER, trust a DNSBL with which you are not personally 
familiar. Check out their listing and delisting policies before you 
use them to block mail.

You are following some old, outdated howto. If you want to do this 
right in A.D. 2011, look at recent posts on this list about the 
postscreen(8) daemon. I posted one with a good list of 
postscreen_dnsbl_sites and scoring. You can google that, but here's 
what I'm using now, slightly changed since then:

( postconf -n | grep postscreen_ with formatting for readability )
postscreen_access_list = permit_mynetworks, 
    cidr:/etc/postfix/postscreen_access.cidr
postscreen_blacklist_action = enforce
postscreen_dnsbl_action = enforce
postscreen_dnsbl_reply_map = 
    pcre:$config_directory/postscreen_dnsbl_reply_map.pcre
postscreen_dnsbl_sites = zen.spamhaus.org*3    
    b.barracudacentral.org*2    dnsbl.njabl.org*2    
    bl.spameatingmonkey.net*2
    bl.spamcop.net    dnsbl.sorbs.net    
    dnsbl.ahbl.org    spamtrap.trblspam.com
    swl.spamhaus.org*-4    
    list.dnswl.org=127.[0..255].[0..255].0*-2    
    list.dnswl.org=127.[0..255].[0..255].1*-4    
    list.dnswl.org=127.[0..255].[0..255].[2..255]*-6
postscreen_dnsbl_threshold = 3
postscreen_greet_action = enforce

I have three tiers of DNSBL sites, followed by DNS whitelists. This 
rejects outright on a Zen hit unless whitelisted. (Note, it's not 
possible for a SWL host to be listed in Zen, and it's highly unlikely 
to find a DNSWL host in Zen.) Other DNSBLs will require at least two 
hits to reject. (One scored 2, and any one other; or three scored 1.)

The postscreen_dnsbl_reply_map.pcre is simply this, so as to avoid 
naming a random DNSBL in our rejection messages:
    !/^zen\.spamhaus\.org$/         multiple DNS-based blocklists

Again, do NOT blindly follow this the way you were following the 
other howto. Look up EACH of the DNS lists I am using and find out 
about their policies. Barracuda, for example, requires a signup. 
Spamhaus is not free for commercial and large non-profit use.

If you don't have the time nor inclination to do this, I understand, 
but in that case I'd recommend that you not try to host your own 
mail. There are some free (Google) and very cheap hosting services 
among which you can choose.

NB: postscreen is only available since Postfix 2.8, which was 
released early this year. Likewise, if an upgrade to the latest 
stable version is too much, it might be worth considering email 
hosting services.

> After adding this smtpd_clients restriction, all emails didn't go 
> through and get stuck in my outlook outbox.

You should not subject your own users to anti-spam restrictions, 
other than content filtering to detect and stop any malware they 
might have.

MS Outlook is generally the most problematic MUA, in many ways. 
Consider migrating your users to better supported software.

> FYI my /etc/postfix/mynetworks file contains my own subnet. 
> 
> 127.0.0.0/8 OK
> 212.107.96.0/19 OK
> 212.118.96.0/19 OK
> 195.88.244.0/23 OK

That's the format of a cidr_table(5), being called as a hash: table. 
This will not work. See DATABASE_README.html and DB_README.html as 
well as the man pages, access.5.html and cidr_table.5.html, all in 
the same locations as above.

It *might* work if you change the lookup type from hash: to cidr:.

> Would any one have an idea where I went wrong? 
> 
> My setup is 
> Postfix
> Mailscanner

Bad idea, Mailscanner, and not supported on this list.

> Clamav
> SpamAssassin
> Mailwatch 

And you don't seem to understand much about how all the parts fit 
together. Mail admin is very difficult!
-- 
    Offlist mail to this address is discarded unless
    "/dev/rob0" or "not-spam" is in Subject: header
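
Added example, not part of the original message: a simplified Python model of how the postscreen_dnsbl_sites weights and postscreen_dnsbl_threshold quoted above combine into a reject decision, including the list.dnswl.org reply filters. It performs no DNS queries; the DNSBL replies passed to it are constructed inputs, and the function names are this example's own, not Postfix's.

```python
import re
# Entries copied from the postscreen_dnsbl_sites setting in the message above.
SITES = """zen.spamhaus.org*3 b.barracudacentral.org*2 dnsbl.njabl.org*2
bl.spameatingmonkey.net*2 bl.spamcop.net dnsbl.sorbs.net dnsbl.ahbl.org
spamtrap.trblspam.com swl.spamhaus.org*-4
list.dnswl.org=127.[0..255].[0..255].0*-2
list.dnswl.org=127.[0..255].[0..255].1*-4
list.dnswl.org=127.[0..255].[0..255].[2..255]*-6"""
THRESHOLD = 3  # postscreen_dnsbl_threshold
ENTRY = re.compile(r"^([^=*]+)(?:=([^*]+))?(?:\*(-?\d+))?$")

def parse_sites(text):
    """Split 'domain[=filter][*weight]' entries into (domain, filter, weight)."""
    out = []
    for item in re.split(r"[,\s]+", text.strip()):
        m = ENTRY.match(item)
        if not m:
            raise ValueError(f"bad entry: {item!r}")
        out.append((m.group(1), m.group(2), int(m.group(3) or 1)))
    return out

def octet_matches(pattern, value):
    """Match one octet against a plain number or a '[a..b;c;...]' pattern."""
    if not pattern.startswith("["):
        return int(pattern) == value
    for part in pattern[1:-1].split(";"):
        lo, _, hi = part.partition("..")
        if int(lo) <= value <= int(hi or lo):
            return True
    return False

def reply_matches(flt, addr):
    """No filter: any A record counts. Otherwise compare octet by octet."""
    if flt is None:
        return True
    pats = re.findall(r"\[[^\]]*\]|\d+", flt)  # keeps "[0..255]" whole
    octs = [int(o) for o in addr.split(".")]
    return len(pats) == 4 == len(octs) and all(map(octet_matches, pats, octs))

def score(replies, sites=None):
    """replies: {dnsbl_domain: [A records]} for one client (constructed input)."""
    total = 0
    for domain, flt, weight in sites or parse_sites(SITES):
        if any(reply_matches(flt, a) for a in replies.get(domain, [])):
            total += weight
    return total

def decision(replies):
    return "reject" if score(replies) >= THRESHOLD else "pass"
```
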
