BTW, regarding the apology, thanks. It wasn't my thread, but indeed all of us who use threaded mail readers are affected by "thread hijacking."
Now a few comments about your config, one of which is a serious problem ...

On Thu, Mar 31, 2016 at 01:32:02PM -0400, John Allen wrote:
> As I expect local user to use submission for sending (as a result
> mynetworks is 127.0.0.1 & ::1/128) do I need specify
> postscreen_access_list?

I use that to whitelist one site (affiliated with us) and to block certain undesirable ESP services.

> As postscreen does dnsbl lookups do I still need the
> reject_rbl_client entries in smtpd_recipient_restrictions? Do the
> latter entries do more than the dnsbl entries?

Postscreen is a scoring system; reject_rbl_client is outright rejection for a DNSBL hit. It does not hurt to leave them in if you're sure you don't want any mail from any host on that list. I keep a "reject_rbl_client zen.spamhaus.org" in my restrictions, and then I have an insanely complex mess of restriction classes which might call other DNSBLs based on recipient domain.

> My postscreen setup would be something like:
>
> # postscreen_access_list = permit_mynetworks #### do I need this

I have a cidr: lookup there.

> postscreen_bare_newline_action = enforce
> postscreen_bare_newline_enable = yes

Wietse covered this also: maybe premature on enabling this?

> postscreen_blacklist_action = drop
> postscreen_dnsbl_threshold = 3
> postscreen_dnsbl_action = enforce
> postscreen_dnsbl_sites = zen.spamhaus.org*3
>     bl.spameatingmonkey.net*2
>     bl.ipv6.spameatingmonkey.net*2
>     dnsbl.ahbl.org*2

BZZZZZZZZZZZZZZZZ! No! Absolutely not!! AHBL is closed and now lists the entire IPv4 Internet space. BTW I updated my HOWTO, but you seem to be using the old version. New version is here:

http://rob0.nodns4.us/postscreen.html

"...
Last updated: 2016-01-16
Last changes: updated for Postfix 2.11+, removed AHBL. The previous version of this document, which did NOT require Postfix 2.11+, can be seen here: postscreen-old.html, with AHBL left intact!
(Let this serve as a lesson to those who follow online howto documents without reading and understanding them.)
"

>     bl.spamcop.net
>     dnsbl.sorbs.net
>     swl.spamhaus.org*-4

Spamhaus SWL does not list very many hosts. I really do recommend DNSWL.org (and use it for bypassing the after-220 tests with "postscreen_dnsbl_whitelist_threshold=-1").

> smtpd_recipient_restrictions = reject_invalid_hostname,
> reject_non_fqdn_hostname, reject_non_fqdn_sender,

The first two are deprecated syntax, *_helo_hostname

> reject_non_fqdn_recipient,
> reject_unknown_sender_domain, reject_unknown_recipient_domain,
> reject_unauth_destination, reject_unknown_reverse_client_hostname,
> check_recipient_access pcre:/etc/postfix/maps/recipient_checks.pcre,
> check_recipient_access hash:/etc/postfix/maps/recipient_checks,
> check_helo_access pcre:/etc/postfix/maps/helo_checks.pcre,
> check_sender_access hash:/etc/postfix/maps/sender_checks,
> check_policy_service inet:127.0.0.1:10023, reject_rbl_client
> zen.spamhaus.org, reject_rbl_client bl.spamcop.net

I wouldn't reject on Spamcop. It's an automated list, and the Spamcop folks will tell you it's best when used in a scoring system. Your mail, so it's up to you, of course.

--
  http://rob0.nodns4.us/
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
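
The scoring behaviour discussed in this message, as an added Python sketch that is not part of the original post and is not Postfix code: it sums the weights from the quoted postscreen_dnsbl_sites list against the quoted threshold of 3 and compares the outcome with and without the AHBL entry. The function names and the sample clients are constructed for illustration, and "=filter" reply filters are not modelled.

```python
# Added illustration: a model of postscreen's DNSBL scoring, not Postfix code.
import re

def parse_sites(value):
    """Parse a postscreen_dnsbl_sites value into {domain: weight}.

    Entries are separated by commas or whitespace; "*N" sets the weight
    (default 1). An "=filter" reply filter is stripped, not modelled.
    """
    sites = {}
    for entry in re.split(r"[,\s]+", value.strip()):
        if not entry:
            continue
        name, _, weight = entry.partition("*")
        sites[name.partition("=")[0]] = int(weight) if weight else 1
    return sites

def score(sites, listed_on):
    """Sum the weights of every configured list that returns a hit."""
    return sum(w for domain, w in sites.items() if domain in listed_on)

def verdict(sites, listed_on, threshold):
    """postscreen_dnsbl_threshold is an inclusive lower bound for blocking."""
    return "block" if score(sites, listed_on) >= threshold else "pass"

# The list quoted in the message, and the same list with AHBL removed.
QUOTED = """zen.spamhaus.org*3 bl.spameatingmonkey.net*2
    bl.ipv6.spameatingmonkey.net*2 dnsbl.ahbl.org*2
    bl.spamcop.net dnsbl.sorbs.net swl.spamhaus.org*-4"""
FIXED = QUOTED.replace("dnsbl.ahbl.org*2", "")
THRESHOLD = 3  # postscreen_dnsbl_threshold from the quoted config

def compare(real_listings):
    """Return (verdict with AHBL, verdict without) for a constructed client.

    real_listings: lists that genuinely list the client. AHBL answers for
    every address, so it is always added to the hits for the quoted config.
    """
    with_ahbl = set(real_listings) | {"dnsbl.ahbl.org"}
    return (verdict(parse_sites(QUOTED), with_ahbl, THRESHOLD),
            verdict(parse_sites(FIXED), set(real_listings), THRESHOLD))

if __name__ == "__main__":
    for hits in ([], ["bl.spamcop.net"], ["zen.spamhaus.org"]):
        print(hits, compare(hits))
```

With AHBL contributing 2 to every client, a single hit on any weight-1 list reaches the threshold, so the quoted setup turns the automated Spamcop and SORBS lists into outright blocks.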