On Tue, Mar 20, 2012 at 05:28:43PM +0100, Nicolas Kovacs wrote: > I've just setup a basic - and working - mail server on Debian > Squeeze, using Postfix and Dovecot. > > I've installed policyd-weight for basic spam filtering. Since the > defaults are quite restrictive, I thought I'd try with a bit of > additional whitelisting. > > I tried a first rejected mail, read the logs and edited > /etc/postfix/whitelist accordingly: > > # /etc/postfix/whitelist > smtp-152-tuesday.nerim.net OK > 194.79.134.152 OK > > And then: > > # postmap whitelist > > The relevant stanza in main.cf looks like this: > > smtpd_recipient_restrictions = permit_mynetworks, > permit_sasl_authenticated, > reject_unauth_destination, > check_client_access hash:/etc/postfix/whitelist,
Style tip: I always give mapfiles more descriptive names than that. You're using this as a client whitelist, so I would call it "client_whitelist". > check_policy_service inet:127.0.0.1:12525 > smtpd_helo_required = yes > > This first problem resolved fine, and the initially refused mail > can go through now. > > But I'm facing another problem with a message from Hotmail, which > gets rejected over and over. > > Here's what the log looks like: > > # grep policyd /var/log/mail.log > ... > Mar 20 17:09:27 sd-25854 postfix/policyd-weight[4905]: weighted > check: NOT_IN_SBL_XBL_SPAMHAUS=-1.5 NOT_IN_SPAMCOP=-1.5 > NOT_IN_BL_NJABL=-1.5 IN_IPv6_RBL=4.25 CL_IP_NE_HELO=5.75 > RESOLVED_IP_IS_NOT_HELO=1.5 (check from: .hotmail. - helo: > .dub0-omc2-s26.dub0.hotmail. - helo-domain: .hotmail.) > MAIL_SEEMS_FORGED=2.5; <client=157.55.1.165> > <helo=dub0-omc2-s26.dub0.hotmail.com> <from=kikino...@hotmail.com> > <to=kikino...@radionovak.com>; rate: 9.5 I'd consider this a policyd-weight bug or misconfiguration. The "CL_IP_NE_HELO=5.75" score seems high. And what is this: "IN_IPv6_RBL=4.25"? I don't see how a hotmail.com sender from a *.hotmail.com client hits "MAIL_SEEMS_FORGED=2.5". > Mar 20 17:09:27 sd-25854 postfix/policyd-weight[4905]: decided > action=550 Mail appeared to be SPAM or forged. Ask your > Mail/DNS-Administrator to correct HELO and DNS MX settings or to > get removed from DNSBLs; MTA helo: dub0-omc2-s26.dub0.hotmail.com, > MTA hostname: unknown[157.55.1.165] (helo/hostname mismatch); > <client=157.55.1.165> <helo=dub0-omc2-s26.dub0.hotmail.com> It's also a hotmail problem. Host 165.1.55.157.in-addr.arpa. not found: 3(NXDOMAIN) Their nameservers are answering NXDOMAIN ... broken or clueless. > <from=kikino...@hotmail.com> <to=kikino...@radionovak.com>; delay: > 1s ... > > Now I tried to add this to /etc/postfix/whitelist: > > # /etc/postfix/whitelist > smtp-152-tuesday.nerim.net OK > 194.79.134.152 OK > hotmail.com OK > > ... but messages from Hotmail still get rejected. I think some of their outbound clients might have *.msn.com reverse DNS names ... that is, when their reverse DNS was working. Since it is not working, there is no "hotmail.com" name being looked up in your client access map. > Which leaves me clueless. Any suggestions? Yes. First, review this list's posting guidelines. In general we'd want to see Postfix logs here, not policyd-weight's, and "postconf -n" output is strongly preferred over main.cf excerpts. http://www.postfix.org/DEBUG_README.html#mail Second, there are better solutions to this problem: http://www.postfix.org/postconf.5.html#permit_dnswl_client 165.1.55.157.list.dnswl.org. 43200 IN TXT "hotmail.com http://www.dnswl.org/s?s=2788"; 165.1.55.157.list.dnswl.org. 43200 IN A 127.0.5.0 This feature is available with Postfix 2.8 and later. -- http://rob0.nodns4.us/ -- system administration and consulting Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
