On Mon, Jul 21, 2014 at 5:51 PM, Noel Jones <njo...@megan.vbhcs.org> wrote:
> On 7/21/2014 10:34 AM, Thijssen wrote:

>> smtpd_recipient_restrictions =
>>     reject_invalid_hostname,
>>     reject_unknown_recipient_domain,
>>     reject_unauth_pipelining,
>>      permit_mynetworks,
>>      permit_sasl_authenticated,
>>      check_client_access hash:/etc/postfix/whitelist,
>
> Danger! Any client you OK in this whitelist also gets relay
> permission.  This should be below reject_unauth_destination.
>
> If this is a list of clients you intend to give relay access to, it
> should be renamed to make its function clear to prevent accidents --
> maybe relay_clients.
>
>>     reject_unauth_destination,
>
> Ok, now rejecting unauth destinations.
>
>>     reject_non_fqdn_recipient,
>>     reject_non_fqdn_sender,
>>     reject_unknown_sender_domain,
>>      permit_auth_destination,
>
> And here you permit auth destinations.  There's no mail left after
> this; none of the rules below will ever fire.

Thanks Noel! Been puzzling over this for quite a while. I think I also
finally understand the reject-permit process; this just woke me up to
that.

I changed it to:

smtpd_recipient_restrictions =
    reject_invalid_hostname,
    reject_unknown_recipient_domain,
    reject_unauth_pipelining,
     permit_mynetworks,
     permit_sasl_authenticated,
    reject_unauth_destination,
    reject_non_fqdn_recipient,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
     check_client_access hash:/etc/postfix/whitelist,
     permit_dnswl_client hostkarma.junkemailfilter.com=127.0.0.1,
     permit_dnswl_client hostkarma.junkemailfilter.com=127.0.0.5,
    reject_rbl_client badconf.rhsbl.sorbs.net,
    reject_rbl_client new.spam.dnsbl.sorbs.net,
    reject_rbl_client hostkarma.junkemailfilter.com=127.0.0.2,
    reject_rbl_client b.barracudacentral.org,
    reject_rbl_client all.s5h.net,
    reject_rbl_client bl.blocklist.de,
    reject_rbl_client dnsbl.inps.de,
    reject_rbl_client ubl.unsubscore.com,
    reject_rbl_client virbl.dnsbl.bit.nl,
    reject_rbl_client mail-abuse.blacklist.jippg.org,
     permit

Thanks again, the blocked spam is appearing in the logs immediately
after a reload.

Julius
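
The ordering problem discussed in this thread, as an added example that is not part of the original messages: a simplified Python model of first-match evaluation covering only the restriction types it names. The session fields and sample sessions are constructed, and the rules below permit_auth_destination in the first list are assumed to be the DNSBL checks that appear in the revised list.

```python
# Simplified model of first-match restriction evaluation (added example,
# not Postfix code). A restriction returns "OK", "REJECT" or None (no decision).

def check(name, s):
    """Evaluate one restriction against a constructed session dict s."""
    if name == "permit_mynetworks":
        return "OK" if s["in_mynetworks"] else None
    if name == "permit_sasl_authenticated":
        return "OK" if s["sasl"] else None
    if name == "check_client_access":          # client listed with OK in the map
        return "OK" if s["whitelisted"] else None
    if name == "reject_unauth_destination":    # recipient is not one of ours
        return None if s["local_rcpt"] else "REJECT"
    if name == "permit_auth_destination":
        return "OK" if s["local_rcpt"] else None
    if name == "reject_rbl_client":            # stands in for all DNSBL lookups
        return "REJECT" if s["on_dnsbl"] else None
    if name == "permit":
        return "OK"
    raise ValueError(name)

def evaluate(restrictions, s):
    """Return (verdict, deciding_rule); the first rule that decides wins."""
    for name in restrictions:
        verdict = check(name, s)
        if verdict:
            return verdict, name
    return "OK", "(end of list)"

ORIGINAL = ["permit_mynetworks", "permit_sasl_authenticated",
            "check_client_access", "reject_unauth_destination",
            "permit_auth_destination", "reject_rbl_client", "permit"]
REVISED = ["permit_mynetworks", "permit_sasl_authenticated",
           "reject_unauth_destination", "check_client_access",
           "reject_rbl_client", "permit"]

def session(**overrides):
    """Constructed session: outside client, no SASL, unless overridden."""
    base = dict(in_mynetworks=False, sasl=False, whitelisted=False,
                local_rcpt=True, on_dnsbl=False)
    return {**base, **overrides}

if __name__ == "__main__":
    cases = {"whitelisted client, remote rcpt": session(whitelisted=True, local_rcpt=False),
             "DNSBL-listed client, local rcpt": session(on_dnsbl=True)}
    for label, s in cases.items():
        print(label, "| original:", evaluate(ORIGINAL, s), "| revised:", evaluate(REVISED, s))
```

In the revised order a whitelisted client still bypasses the DNSBL checks, but only for mail addressed to the server's own destinations.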
