On 2/11/2013 4:00 AM, Fabio Sangiovanni wrote:
> Noel Jones <njones <at> megan.vbhcs.org> writes:
>
>> Seems like the easiest solution is to put permit_sasl_authenticated
>> BEFORE reject_rbl_client. Then no whitelisting is needed.
>>
>> -- Noel Jones
>
> Hi, thanks for your answer.
> Yes, that would be useful, except for malware that steals your credentials,
> and that would be otherwise (hopefully) blocked against lists such as
> Spamhaus XBL. Is it correct?
> I prefer Victor's solution for this reason...
>
> Thanks again,
> Fabio
>

Your method of manually whitelisting any IP that happens to be Spamhaus listed doesn't scale very well. Every time some authorized user travels somewhere, stops at a wifi hotspot, or their home IP changes, they will need to call you to get whitelisted before they can send mail. This might be OK if you have only a handful of users and neither you nor they mind a phone call every time they can't send mail.

A more typical solution is to allow authorized users to send mail from wherever they happen to be, and use rate limits on Postfix via postfwd or similar to alert you to a possibly compromised account.

-- Noel Jones
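
An added illustration of the rate-based alerting idea from the reply above; it is not part of the original message and is not postfwd. It scans Postfix smtpd log lines and reports any SASL account that submits more than a threshold of messages inside a sliding window. The function name, threshold, window, year and sample log lines are assumptions constructed for this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Postfix smtpd logs one "client=..., sasl_username=..." line per
# authenticated submission; unauthenticated clients lack sasl_username.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\spostfix/\S*smtpd\[\d+\]:\s"
    r"\w+:\sclient=\S+\[(?P<ip>[^\]]+)\].*\bsasl_username=(?P<user>\S+)"
)

# Constructed sample log (documentation addresses, made-up queue IDs).
SAMPLE_LOG = """\
Feb 11 10:00:01 mail postfix/smtpd[2101]: 3A1B2C4D5E: client=unknown[203.0.113.5], sasl_method=PLAIN, sasl_username=alice
Feb 11 10:00:40 mail postfix/smtpd[2101]: 3A1B2C4D5F: client=unknown[203.0.113.5], sasl_method=PLAIN, sasl_username=alice
Feb 11 10:01:10 mail postfix/smtpd[2102]: 3A1B2C4D60: client=unknown[198.51.100.7], sasl_method=PLAIN, sasl_username=alice
Feb 11 10:02:00 mail postfix/smtpd[2102]: 3A1B2C4D61: client=unknown[198.51.100.7], sasl_method=PLAIN, sasl_username=alice
Feb 11 10:03:00 mail postfix/smtpd[2103]: 3A1B2C4D62: client=host.example[192.0.2.9], sasl_method=LOGIN, sasl_username=bob
Feb 11 10:30:00 mail postfix/smtpd[2103]: 3A1B2C4D63: client=host.example[192.0.2.9], sasl_method=LOGIN, sasl_username=bob
Feb 11 10:31:00 mail postfix/smtpd[2104]: 3A1B2C4D64: client=mx.example[192.0.2.44]
""".splitlines()

def flag_accounts(lines, max_msgs=3, window=timedelta(minutes=10), year=2013):
    """Return {sasl_username: set of client IPs} for every account that
    submitted more than max_msgs messages within any sliding window."""
    recent = defaultdict(deque)   # user -> (timestamp, ip) still in window
    flagged = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue              # not an authenticated submission
        # Syslog timestamps carry no year; supply one (assumption).
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        q = recent[m["user"]]
        q.append((ts, m["ip"]))
        while ts - q[0][0] > window:
            q.popleft()           # drop submissions older than the window
        if len(q) > max_msgs:
            # Record the source IPs too: several networks in one burst is
            # a stronger sign of stolen credentials than a roaming user.
            flagged.setdefault(m["user"], set()).update(ip for _, ip in q)
    return flagged

if __name__ == "__main__":
    for user, ips in flag_accounts(SAMPLE_LOG).items():
        print(f"possible compromised account: {user} from {sorted(ips)}")
```
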