On Fri, Jun 03, 2011 at 01:09:28PM -0400, Wietse Venema wrote:
> postscreen_whitelist_interfaces matters only for clients that are
> not yet whitelisted (or that have expired).
Issue: previously whitelisted client gets WHITELIST VETO on secondary
MX IP address (excluded from postscreen_whitelist_interfaces.)

Funny thing, however: I have seen this work on another client today.

Today I entered these in DNS (munged domain):

q.example.us.       MX 10 mx1.q.example.us.
q.example.us.       MX 20 mx2.q.example.us.
mx1.q.example.us.   A  216.23.247.74
mx2.q.example.us.   A  216.23.247.78

Previously only the mx1 record existed, resolving to the same address.

Jun  5 01:50:46 cardinal postfix/postscreen[15628]: CONNECT from [174.37.3.121]:33695 to [216.23.247.74]:25
Jun  5 01:50:52 cardinal postfix/postscreen[15628]: PASS OLD [174.37.3.121]:33695
Jun  5 01:50:52 cardinal postfix/smtpd[15816]: connect from 174.37.3.121-static.reverse.softlayer.com[174.37.3.121]
Jun  5 01:50:53 cardinal postfix/smtpd[15816]: NOQUEUE: reject: RCPT from 174.37.3.121-static.reverse.softlayer.com[174.37.3.121]: 450 4.1.8 <apa...@forums.playdom.com>: Sender address rejected: Domain not found; from=<apa...@forums.playdom.com> to=<f...@q.example.us> proto=ESMTP helo=<tomcat205.playdom.com>

This thing has been badgering us for a few days, but I am not going to
let up on my reject_unknown_sender_domain restriction. And now for the
first time (that I know of) it is retrying at the mx2 IP address:

Jun  5 01:50:53 cardinal postfix/postscreen[15628]: CONNECT from [174.37.3.121]:52927 to [216.23.247.78]:25
Jun  5 01:50:53 cardinal postfix/postscreen[15628]: WHITELIST VETO [174.37.3.121]:52927

It was whitelisted 7 seconds ago. Could that have expired?
Jun  5 01:50:53 cardinal postfix/tlsproxy[15853]: CONNECT from [174.37.3.121]:52927
Jun  5 01:50:53 cardinal postfix/postscreen[15628]: NOQUEUE: reject: RCPT from [174.37.3.121]:52927: 450 4.3.2 Service currently unavailable; from=<apa...@forums.playdom.com>, to=<f...@q.example.us>, proto=ESMTP, helo=<tomcat205.playdom.com>
Jun  5 01:50:53 cardinal postfix/postscreen[15628]: DISCONNECT [174.37.3.121]:52927
Jun  5 01:50:53 cardinal postfix/tlsproxy[15853]: DISCONNECT [174.37.3.121]:52927
Jun  5 01:50:54 cardinal postfix/smtpd[15816]: disconnect from 174.37.3.121-static.reverse.softlayer.com[174.37.3.121]

Checking for first whitelisting:

rob0@cardinal:/var/log$ grep "PASS NEW \[174\.37\.3\.121\]:" maillog
rob0@cardinal:/var/log$ zgrep "PASS NEW \[174\.37\.3\.121\]:" maillog.1.gz
May 28 12:51:46 cardinal postfix/postscreen[25301]: PASS NEW [174.37.3.121]:34539

Round up the usual suspects:

rob0@cardinal:~$ /usr/sbin/postconf mail_version
mail_version = 2.9-20110501
rob0@cardinal:~$ /usr/sbin/postconf -n
alias_database = $alias_maps
alias_maps = hash:$config_directory/aliases
append_dot_mydomain = no
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
default_privs = mailman
enable_long_queue_ids = yes
home_mailbox = Mail/
html_directory = /usr/doc/postfix/html
mail_owner = postfix
mailq_path = /usr/bin/mailq
manpage_directory = /usr/local/man
mydestination = hash:$config_directory/mydestination
mydomain = $myhostname
myhostname = cardinal.lizella.net
mynetworks = 127.0.0.0/8, 192.168.0.0/20, 216.23.247.72/29
newaliases_path = /usr/bin/newaliases
owner_request_special = no
postscreen_access_list = permit_mynetworks, cidr:/etc/postfix/postscreen_access.cidr
postscreen_bare_newline_action = enforce
postscreen_bare_newline_enable = yes
postscreen_blacklist_action = drop
postscreen_dnsbl_action = enforce
postscreen_dnsbl_reply_map = pcre:$config_directory/postscreen_dnsbl_reply_map.pcre
postscreen_dnsbl_sites = zen.spamhaus.org*3 b.barracudacentral.org*2 dnsbl.njabl.org*2 bl.spameatingmonkey.net*2 dnsbl.ahbl.org*2 bl.spamcop.net dnsbl.sorbs.net spamtrap.trblspam.com swl.spamhaus.org*-4 list.dnswl.org=127.[0..255].[0..255].0*-2 list.dnswl.org=127.[0..255].[0..255].1*-4 list.dnswl.org=127.[0..255].[0..255].[2..255]*-6
postscreen_dnsbl_threshold = 3
postscreen_greet_action = enforce
postscreen_non_smtp_command_enable = yes
postscreen_pipelining_enable = yes
postscreen_whitelist_interfaces = 216.23.247.74/31 !216.23.247.72/29 static:all
queue_directory = /var/spool/postfix
readme_directory = /usr/doc/postfix/readme
recipient_delimiter = +
relay_clientcerts = hash:$config_directory/relay_clientcerts
relay_domains =
sample_directory = /etc/postfix
sendmail_path = /usr/sbin/sendmail
setgid_group = postdrop
smtp_tls_CAfile = /etc/ssl/certs/cardinal.lizella.net.crt
smtp_tls_cert_file = /etc/ssl/certs/cardinal.lizella.net.crt
smtp_tls_key_file = /etc/ssl/private/cardinal.lizella.net.key.nopass
smtp_tls_policy_maps = hash:$config_directory/tls_policy
smtp_tls_session_cache_database = btree:$data_directory/smtp_tls_session_cache
smtp_use_tls = yes
smtpd_data_restrictions = reject_unauth_pipelining, accepted
smtpd_recipient_restrictions = common, relay_block, check_sender, helo, check_rcpt, spamhaus
smtpd_reject_footer = See your own postmaster for help, or http://nospam4.nodns4.us/ for more information about the policies of this site.
smtpd_restriction_classes = common, dns, grey, helo, backscatter, bounce bogosend, bogohelo, check_sender, relay_allow, relay_block, rbls, spamhaus, spamcop, njabl, rhsbls, ahbl, secsage, dbl check_rcpt, slackbuild, slamd64, fredemmott slackwiki, rworkman, nodns, ctsmacon, whn sbu-loop, accepted
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
smtpd_tls_CAfile = /etc/ssl/certs/cardinal.lizella.net.crt
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/ssl/certs/cardinal.lizella.net.crt
smtpd_tls_key_file = /etc/ssl/private/cardinal.lizella.net.key.nopass
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:$data_directory/smtpd_tls_session_cache
tls_random_source = dev:/dev/urandom
transport_maps = hash:$config_directory/transport
virtual_alias_domains = hash:$config_directory/virtual_alias_domains
virtual_alias_maps = hash:/etc/postfix/virtual
virtual_gid_maps = $virtual_uid_maps
virtual_mailbox_base = /home/vmail
virtual_mailbox_domains = hash:$config_directory/vmail_dom
virtual_mailbox_maps = hash:$config_directory/vmailbox
virtual_uid_maps = hash:$config_directory/vmail_uid
rob0@cardinal:~$ nocomment /etc/postfix/master.cf
smtp       inet  n       -       n       -       1       postscreen
smtpd      pass  -       -       n       -       -       smtpd
dnsblog    unix  -       -       n       -       0       dnsblog
tlsproxy   unix  -       -       n       -       0       tlsproxy
submission inet  n       -       n       -       -       smtpd
  -o smtpd_etrn_restrictions=reject
  -o smtpd_recipient_restrictions=relay_allow,reject
  -o syslog_name=postfix-587
pickup     fifo  n       -       n       60      1       pickup
cleanup    unix  n       -       n       -       0       cleanup
qmgr       fifo  n       -       n       300     1       qmgr
tlsmgr     unix  -       -       n       1000?   1       tlsmgr
rewrite    unix  -       -       n       -       -       trivial-rewrite
bounce     unix  -       -       n       -       0       bounce
defer      unix  -       -       n       -       0       bounce
trace      unix  -       -       n       -       0       bounce
verify     unix  -       -       n       -       1       verify
flush      unix  n       -       n       1000?   0       flush
proxymap   unix  -       -       n       -       -       proxymap
proxywrite unix  -       -       n       -       1       proxymap
smtp       unix  -       -       n       -       -       smtp
relay      unix  -       -       n       -       -       smtp
showq      unix  n       -       n       -       -       showq
error      unix  -       -       n       -       -       error
retry      unix  -       -       n       -       -       error
discard    unix  -       -       n       -       -       discard
local      unix  -       n       n       -       -       local
virtual    unix  -       n       n       -       -       virtual
lmtp       unix  -       -       n       -       -       lmtp
anvil      unix  -       -       n       -       1       anvil
scache     unix  -       -       n       -       1       scache
-- 
Offlist mail to this address is discarded unless "/dev/rob0"
or "not-spam" is in Subject: header
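Added example, not part of the post above and not Postfix's own code: a small Python script that reproduces the documented left-to-right, first-match-wins evaluation of postscreen_whitelist_interfaces (a "!" pattern excludes its matches, static:all matches every address) and then walks the postscreen log excerpt from the post to flag a client that receives a WHITELIST VETO shortly after a PASS NEW or PASS OLD, reporting which local address the vetoed connection reached and whether that address can grant whitelist status. The parameter value and the log lines are copied from the post; the log regular expression, the 60-second window and the choice of client address plus port as the session key are assumptions of the example.

```python
"""Added example (not Postfix code): evaluate postscreen_whitelist_interfaces
and correlate postscreen(8) log lines to spot a WHITELIST VETO that follows
a PASS NEW / PASS OLD for the same client."""
import ipaddress
import re
from datetime import datetime

# Parameter value and log lines copied from the post above.
WHITELIST_INTERFACES = "216.23.247.74/31 !216.23.247.72/29 static:all"
SAMPLE_LOG = """\
Jun  5 01:50:46 cardinal postfix/postscreen[15628]: CONNECT from [174.37.3.121]:33695 to [216.23.247.74]:25
Jun  5 01:50:52 cardinal postfix/postscreen[15628]: PASS OLD [174.37.3.121]:33695
Jun  5 01:50:53 cardinal postfix/postscreen[15628]: CONNECT from [174.37.3.121]:52927 to [216.23.247.78]:25
Jun  5 01:50:53 cardinal postfix/postscreen[15628]: WHITELIST VETO [174.37.3.121]:52927
Jun  5 01:50:53 cardinal postfix/postscreen[15628]: DISCONNECT [174.37.3.121]:52927
"""


def parse_whitelist_interfaces(value):
    """Ordered (exclude, network) rules; static:all is stored as network=None."""
    rules = []
    for token in value.replace(",", " ").split():
        exclude = token.startswith("!")
        token = token.lstrip("!")
        if token == "static:all":
            rules.append((exclude, None))
        else:
            # strict=False: accept a pattern with host bits set, as postconf does
            rules.append((exclude, ipaddress.ip_network(token, strict=False)))
    return rules


def interface_can_whitelist(rules, local_addr):
    """Left-to-right, first match wins; a match on a "!" pattern excludes.
    An address that matches nothing cannot grant whitelist status."""
    ip = ipaddress.ip_address(local_addr)
    for exclude, net in rules:
        if net is None or ip in net:
            return not exclude
    return False


# Assumed line shape, derived from the excerpt above (syslog stamps carry no year).
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ postfix/postscreen\[\d+\]: "
    r"(?P<event>CONNECT from|PASS NEW|PASS OLD|WHITELIST VETO|DISCONNECT) "
    r"\[(?P<client>[^\]]+)\]:(?P<cport>\d+)(?: to \[(?P<local>[^\]]+)\]:\d+)?"
)


def find_veto_after_pass(log_text, rules, window_seconds=60):
    """One dict per WHITELIST VETO issued within window_seconds of a PASS for the
    same client, with the local address that connection reached (taken from the
    CONNECT line of the same client address:port session)."""
    last_pass = {}       # client IP -> time of most recent PASS NEW / PASS OLD
    session_local = {}   # (client IP, client port) -> local address it connected to
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")  # year 1900; only deltas matter
        client, cport, event = m["client"], m["cport"], m["event"]
        if event == "CONNECT from":
            session_local[(client, cport)] = m["local"]
        elif event in ("PASS NEW", "PASS OLD"):
            last_pass[client] = ts
        elif event == "WHITELIST VETO" and client in last_pass:
            gap = (ts - last_pass[client]).total_seconds()
            if gap <= window_seconds:
                local = session_local.get((client, cport))
                findings.append({
                    "client": client,
                    "local": local,
                    "seconds_since_pass": gap,
                    "local_can_whitelist": None if local is None else interface_can_whitelist(rules, local),
                })
    return findings


if __name__ == "__main__":
    rules = parse_whitelist_interfaces(WHITELIST_INTERFACES)
    for addr in ("216.23.247.74", "216.23.247.75", "216.23.247.78", "192.0.2.1"):
        print("%-15s can whitelist: %s" % (addr, interface_can_whitelist(rules, addr)))
    for f in find_veto_after_pass(SAMPLE_LOG, rules):
        print("VETO %(seconds_since_pass).0fs after PASS: %(client)s -> %(local)s "
              "(whitelisting interface: %(local_can_whitelist)s)" % f)
```

Run stand-alone, the script reports that 216.23.247.74 and .75 can grant whitelist status, that .78 (inside the excluded /29) cannot, that any address outside the /29 can via static:all, and one finding: the VETO on the .78 connection arrives one second after the PASS OLD on .74 for the same client. Pointed at a real maillog, the same correlation gives a quick count of how often an already-passed client is vetoed on a non-whitelisting address.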