On 3/3/2014 11:46 AM, Ben Johnson wrote:
>
>> Yes, although if you're using any of the other smtpd_*_restrictions
>> sections you'll need to whitelist the sender there too.
>>
>
> This surprises me. Isn't the network blacklist check that is giving me
> problems for this particular sender being performed only for
> smtpd_recipient_restrictions?
You need to whitelist the sender wherever they're being rejected. That
might be only smtpd_recipient_restrictions.

>
> Okay; in the example configuration change that you provide below, you
> recommend that I put check_sender_access within
> smtpd_recipient_restrictions. That makes sense.
>
> Should I be using check_sender_access with smtpd_sender_restrictions,
> too? Currently, I am, and I believe that ISPConfig (similar to Zimbra,
> etc.) created this initial configuration.

For the most part, any restriction is valid in any section[1], although
some make more sense in a particular place.

[1] assuming you use the default smtpd_delay_reject = yes. Don't change
that.

>
> Here's the full postconf -n output in case it's helpful in addressing
> any of my follow-up questions.
>
> Thanks again for all your help!
>
> alias_database = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
> alias_maps = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
> append_dot_mydomain = no
> biff = no
> body_checks = regexp:/etc/postfix/body_checks
> broken_sasl_auth_clients = yes
> config_directory = /etc/postfix
> content_filter = amavis:[127.0.0.1]:10024
> header_checks = regexp:/etc/postfix/header_checks
> html_directory = /usr/share/doc/postfix/html
> inet_interfaces = all
> mailbox_size_limit = 0
> message_size_limit = 0

Setting a message size limit of zero is generally unwise. Set a high
value you don't intend to exceed instead. Few mail systems accept
messages over 20MB or so. I had an angry user one time because their
mail kept failing. Turned out it was a 3GB video.
> mime_header_checks = regexp:/etc/postfix/mime_header_checks
> mydestination = localhost, localhost.localdomain
> myhostname = mydomain.com
> mynetworks = 127.0.0.0/8 [::1]/128
> myorigin = /etc/mailname
> nested_header_checks = regexp:/etc/postfix/nested_header_checks
> owner_request_special = no
> proxy_read_maps = $local_recipient_maps $mydestination
> $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps
> $virtual_mailbox_domains $relay_recipient_maps $relay_domains
> $canonical_maps $sender_canonical_maps $recipient_canonical_maps
> $relocated_maps $transport_maps $mynetworks $virtual_mailbox_limit_maps
> readme_directory = /usr/share/doc/postfix
> receive_override_options = no_address_mappings
> recipient_delimiter = +
> relay_domains = mysql:/etc/postfix/mysql-virtual_relaydomains.cf
> relay_recipient_maps =
> mysql:/etc/postfix/mysql-virtual_relayrecipientmaps.cf
> relayhost =
> smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
> smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
> smtpd_client_message_rate_limit = 100
> smtpd_client_restrictions = permit_mynetworks,
> permit_sasl_authenticated, reject_unknown_reverse_client_hostname,
> check_client_access mysql:/etc/postfix/mysql-virtual_client.cf

OK.

> smtpd_data_restrictions = reject_unauth_pipelining
> smtpd_helo_required = yes
> smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated,
> reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname

OK.

> smtpd_recipient_restrictions = permit_mynetworks,
> permit_sasl_authenticated, reject_unauth_destination,
> check_recipient_access
> mysql:/etc/postfix/mysql-virtual_recipient.cf,reject_sender_login_mismatch,

Checking for sender login mismatch AFTER permit_mynetworks and
permit_sasl_authenticated won't protect against authorized users forging
the FROM of a different user. It will prevent external,
non-authenticated users from using a protected address.
Most folks put this as the first restriction under
smtpd_sender_restrictions, but you may have put it where it is
intentionally.

> reject_invalid_hostname, reject_non_fqdn_hostname,
> reject_non_fqdn_sender, reject_non_fqdn_recipient,

There shouldn't be non-fqdn recipients left after
reject_unauth_destination.

> reject_unknown_sender_domain, reject_unknown_recipient_domain,

reject_unknown_recipient_domain doesn't do much good here. Since this is
after reject_unauth_destination, the only domains left are your own. And
in the case of a local DNS hiccup, you can reject your own domain as
"unknown".

This restriction, as well as reject_non_fqdn_recipient, if used, is
usually placed early in smtpd_sender_restrictions to prevent your own
users from sending out garbage.

> check_policy_service unix:private/policy-spf, check_policy_service
> inet:127.0.0.1:10023, check_sender_access

RBL whitelist goes here. You indicated the unwanted rejection was from
an RBL, and this is the only place you have RBLs defined... so this is
the only place you need a whitelist.

> reject_rbl_client zen.spamhaus.org,
> reject_rhsbl_helo dbl.spamhaus.org, reject_rhsbl_sender dbl.spamhaus.org
> smtpd_sasl_auth_enable = yes
> smtpd_sasl_authenticated_header = yes
> smtpd_sasl_path = private/auth
> smtpd_sasl_type = dovecot
> smtpd_sender_restrictions = check_sender_access
> mysql:/etc/postfix/mysql-virtual_sender.cf
> smtpd_tls_cert_file = /root/ssl/postfix.mydomain.com.pem
> smtpd_tls_key_file = /root/ssl/mydomain.com.key
> smtpd_tls_loglevel = 0
> smtpd_tls_received_header = yes
> smtpd_tls_security_level = may
> smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
> smtpd_tls_session_cache_timeout = 3600s
> smtpd_use_tls = yes

smtpd_use_tls is deprecated and replaced by smtpd_tls_security_level,
which you already have set correctly to "may". Probably best to remove
this artifact.
> strict_rfc821_envelopes = yes
> tls_random_source = dev:/dev/urandom
> transport_maps = hash:/var/lib/mailman/data/transport-mailman,
> proxy:mysql:/etc/postfix/mysql-virtual_transports.cf
> virtual_alias_domains =
> virtual_alias_maps =
> proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf,
> proxy:mysql:/etc/postfix/mysql-virtual_email2email.cf,
> hash:/var/lib/mailman/data/virtual-mailman
> virtual_gid_maps = static:5000
> virtual_mailbox_base = /var/vmail
> virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf
> virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf
> virtual_transport = dovecot
> virtual_uid_maps = static:5000
>

-- Noel Jones
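As an added example (not code from either poster or from the Postfix project), the following Python script reads `postconf -n` output and flags the ordering and parameter problems raised in the reply above: `message_size_limit = 0`, the obsolete `smtpd_use_tls`, `reject_sender_login_mismatch` placed after a `permit_*` restriction (so authenticated clients are never checked), recipient-domain checks left after `reject_unauth_destination`, and an RBL lookup with no access-map whitelist in front of it. The two embedded configs are constructed: `WEAK` condenses the posted configuration to the parameters the reply comments on, and `FIXED` applies the reply's advice. The whitelist map `hash:/etc/postfix/rbl_whitelist` and the 20480000-byte size limit are placeholder assumptions, not values from the thread.

```python
"""Lint a ``postconf -n`` dump for the restriction-ordering and
obsolete-parameter problems discussed in the thread above.

Added example, not Postfix code. WEAK and FIXED are constructed
samples; the map name hash:/etc/postfix/rbl_whitelist and the size
limit 20480000 are placeholder assumptions.
"""
import re

# Tokens that are restriction keywords; anything else (a map, a DNSBL
# zone, a policy server address) is an argument of the preceding keyword.
RESTRICTION_RE = re.compile(r"^(permit|reject|check|defer|warn_if_reject|sleep)")
RBL_RE = re.compile(r"^reject_(rbl_client|rhsbl_)")

WEAK = """\
message_size_limit = 0
smtpd_client_restrictions = permit_mynetworks,
    permit_sasl_authenticated, reject_unknown_reverse_client_hostname,
    check_client_access mysql:/etc/postfix/mysql-virtual_client.cf
smtpd_recipient_restrictions = permit_mynetworks,
    permit_sasl_authenticated, reject_unauth_destination,
    check_recipient_access
    mysql:/etc/postfix/mysql-virtual_recipient.cf,reject_sender_login_mismatch,
    reject_invalid_hostname, reject_non_fqdn_hostname,
    reject_non_fqdn_sender, reject_non_fqdn_recipient,
    reject_unknown_sender_domain, reject_unknown_recipient_domain,
    check_policy_service unix:private/policy-spf, check_policy_service
    inet:127.0.0.1:10023, check_sender_access hash:/etc/postfix/rbl_whitelist,
    reject_rbl_client zen.spamhaus.org,
    reject_rhsbl_helo dbl.spamhaus.org, reject_rhsbl_sender dbl.spamhaus.org
smtpd_sender_restrictions = check_sender_access
    mysql:/etc/postfix/mysql-virtual_sender.cf
smtpd_tls_security_level = may
smtpd_use_tls = yes
"""

FIXED = """\
message_size_limit = 20480000
smtpd_client_restrictions = permit_mynetworks,
    permit_sasl_authenticated, reject_unknown_reverse_client_hostname,
    check_client_access mysql:/etc/postfix/mysql-virtual_client.cf
smtpd_recipient_restrictions = permit_mynetworks,
    permit_sasl_authenticated, reject_unauth_destination,
    check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf,
    reject_invalid_hostname, reject_non_fqdn_hostname,
    reject_non_fqdn_sender, reject_unknown_sender_domain,
    check_policy_service unix:private/policy-spf,
    check_policy_service inet:127.0.0.1:10023,
    check_sender_access hash:/etc/postfix/rbl_whitelist,
    reject_rbl_client zen.spamhaus.org,
    reject_rhsbl_helo dbl.spamhaus.org, reject_rhsbl_sender dbl.spamhaus.org
smtpd_sender_restrictions = reject_sender_login_mismatch,
    reject_non_fqdn_recipient, reject_unknown_recipient_domain,
    check_sender_access mysql:/etc/postfix/mysql-virtual_sender.cf
smtpd_tls_security_level = may
"""


def parse_postconf(text):
    """Parse 'name = value' lines; indented lines continue the previous value."""
    params, name = {}, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw[0].isspace() and name is not None:
            params[name] += " " + raw.strip()
            continue
        name, _, value = raw.partition("=")
        name = name.strip()
        params[name] = value.strip()
    return params


def restriction_names(value):
    """Ordered restriction keywords with map/server arguments dropped."""
    return [t for t in re.split(r"[,\s]+", value) if t and RESTRICTION_RE.match(t)]


def lint(params):
    """Return a list of human-readable findings for one parsed config."""
    findings = []
    if params.get("message_size_limit") == "0":
        findings.append("message_size_limit = 0 removes the size cap; set a high finite value")
    if "smtpd_use_tls" in params:
        findings.append("smtpd_use_tls is obsolete; smtpd_tls_security_level replaces it")

    for section, value in params.items():
        if not (section.startswith("smtpd_") and section.endswith("_restrictions")):
            continue
        names = restriction_names(value)

        # A permit_* before reject_sender_login_mismatch skips the check for
        # exactly the clients it exists for: authenticated users.
        if "reject_sender_login_mismatch" in names:
            i = names.index("reject_sender_login_mismatch")
            if any(n.startswith("permit_") for n in names[:i]):
                findings.append(f"{section}: reject_sender_login_mismatch comes after a "
                                "permit_* restriction, so authenticated clients are never checked")

        # An RBL lookup with no access map ahead of it cannot be overridden
        # for a single sender or client.
        rbl = [k for k, n in enumerate(names) if RBL_RE.match(n)]
        if rbl and not any(n in ("check_sender_access", "check_client_access")
                           for n in names[:rbl[0]]):
            findings.append(f"{section}: no check_sender_access/check_client_access before "
                            f"{names[rbl[0]]}, so nothing can whitelist a sender past it")

        # After reject_unauth_destination only local domains remain, so these
        # recipient checks are redundant and a DNS hiccup can reject your own domain.
        if "reject_unauth_destination" in names:
            j = names.index("reject_unauth_destination")
            for n in ("reject_non_fqdn_recipient", "reject_unknown_recipient_domain"):
                if n in names[j + 1:]:
                    findings.append(f"{section}: {n} after reject_unauth_destination is redundant")
    return findings


if __name__ == "__main__":
    for label, cfg in (("WEAK", WEAK), ("FIXED", FIXED)):
        print(f"== {label} ==")
        for f in lint(parse_postconf(cfg)) or ["no findings"]:
            print("  -", f)
```

Run it against a live system with `postconf -n | python3 lint_postconf.py` after replacing the sample with `sys.stdin.read()`; the keyword regex is deliberately loose, so add to `RESTRICTION_RE` if your configuration uses restriction classes with other names.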