[please don't top post. Either post at the bottom or in-line after the text you refer to]
On 9/29/2011 2:21 PM, Kaleb Hosie wrote:
> The intended purpose of this server is to receive email for a number of
> domains, filter for SPAM and then send the clean email onto our clients' mail
> servers. In this circumstance, do you still feel that I should remove the
> "permit_auth_destination" option?

Yes. permit_auth_destination is rarely correctly used; you don't need it. You also don't need the dangling "permit" at the end.

Here's basic documentation on what you describe:
http://www.postfix.org/STANDARD_CONFIGURATION_README.html#firewall

>
> My configuration is as follows:
> mydestination =

Ok.

> myhostname = spam01.nicanada.com
> mynetworks = 172.23.23.0/24 172.23.25.0/24 127.0.0.0/8

Ok.

> relay_domains = hash:/etc/postfix/relay_domains

I assume relay_domains is a list of the domains you accept mail for and deliver to the client's server; that's what it should be anyway.

Valid users must be listed in relay_recipient_maps so you don't become a backscatter source, clogging your queue with undeliverable mail and getting yourself blacklisted. If you can't get a list of valid recipients, see
http://www.postfix.org/ADDRESS_VERIFICATION_README.html#recipient

> smtpd_recipient_restrictions = reject_non_fqdn_sender,
> reject_unknown_recipient_domain, reject_unauth_pipelining,
> reject_non_fqdn_recipient, reject_rbl_client sbl.spamhaus.org,
> reject_rbl_client xbl.spamhaus.org, permit_sasl_authenticated,
> permit_mynetworks, reject_unauth_destination, permit_auth_destination,
> permit

Your settings are non-optimal, but should "work". Some notes:

To prevent rejecting your own clients, use something like:

    smtpd_recipient_restrictions =
      reject_non_fqdn_sender
      reject_unknown_recipient_domain
      permit_mynetworks
      permit_sasl_authenticated
      reject_unauth_destination
      reject_rbl_client zen.spamhaus.org

You can add other postfix restrictions to the end of the list, such as reject_unknown_reverse_client_hostname, but nothing else is needed.

You should use zen.spamhaus.org rather than querying sbl and xbl separately.

Does spamhaus work for you? Try the test address by typing:

    # host 2.0.0.127.zen.spamhaus.org

and the response should be:

    2.0.0.127.zen.spamhaus.org has address 127.0.0.2
    2.0.0.127.zen.spamhaus.org has address 127.0.0.4
    2.0.0.127.zen.spamhaus.org has address 127.0.0.10

Any other response suggests that spamhaus is blacklisting you due to excessive queries. This is particularly likely if you're using your ISP's DNS server rather than running your own.

If spamhaus is blocking you, IMHO they are well worth the price of a subscription, or worth the minor effort to set up your own DNS server.

If the test query passes, then show log entries of clients you think should have been blocked.

  -- Noel Jones
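
The ordering advice in the message above, as a small model of how Postfix walks a restriction list (first OK or REJECT wins, reaching the end of the list permits). This is an added example, not part of the original message and not Postfix code. The relay domain, client addresses and DNSBL listing are constructed, and syntax checks such as reject_non_fqdn_sender are treated as passing.

```python
import ipaddress

# mynetworks is from the quoted configuration; everything else is constructed.
MYNETWORKS = [ipaddress.ip_network(n) for n in
              ("172.23.23.0/24", "172.23.25.0/24", "127.0.0.0/8")]
RELAY_DOMAINS = {"client.example"}   # hypothetical relay_domains entry
DNSBL_LISTED = {"203.0.113.9"}       # constructed: treated as listed on every DNSBL

ORIGINAL = ["reject_non_fqdn_sender", "reject_unknown_recipient_domain",
            "reject_unauth_pipelining", "reject_non_fqdn_recipient",
            "reject_rbl_client sbl.spamhaus.org",
            "reject_rbl_client xbl.spamhaus.org",
            "permit_sasl_authenticated", "permit_mynetworks",
            "reject_unauth_destination", "permit_auth_destination", "permit"]
SUGGESTED = ["reject_non_fqdn_sender", "reject_unknown_recipient_domain",
             "permit_mynetworks", "permit_sasl_authenticated",
             "reject_unauth_destination", "reject_rbl_client zen.spamhaus.org"]

def check(name, s):
    """Return 'OK', 'REJECT' or 'DUNNO' for one restriction and session s."""
    authorized = s["rcpt"].rsplit("@", 1)[-1] in RELAY_DOMAINS
    if name == "permit":
        return "OK"
    if name == "permit_mynetworks":
        ip = ipaddress.ip_address(s["client"])
        return "OK" if any(ip in net for net in MYNETWORKS) else "DUNNO"
    if name == "permit_sasl_authenticated":
        return "OK" if s.get("sasl") else "DUNNO"
    if name == "reject_unauth_destination":
        return "DUNNO" if authorized else "REJECT"
    if name == "permit_auth_destination":
        return "OK" if authorized else "DUNNO"
    if name.startswith("reject_rbl_client"):
        return "REJECT" if s["client"] in DNSBL_LISTED else "DUNNO"
    return "DUNNO"  # syntax checks are not modelled and always pass

def evaluate(restrictions, s):
    """Walk the list in order and return (verdict, deciding restriction)."""
    for r in restrictions:
        verdict = check(r, s)
        if verdict != "DUNNO":
            return verdict, r
    return "OK", "(end of list)"

if __name__ == "__main__":
    roaming = {"client": "203.0.113.9", "rcpt": "a@elsewhere.example", "sasl": True}
    print(evaluate(ORIGINAL, roaming), evaluate(SUGGESTED, roaming))
```

In the model, an authenticated client on a listed address is rejected by the original order and accepted by the suggested one, and dropping the trailing permit_auth_destination and permit from the original list changes no verdict.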