As you have suggested, so I have done. For each of these, I have added the whitelist.cf and shortcircuit.cf files via check_sender_access as the /first thing/ these checks do so that domains on the whitelist are shortcircuited and routed without prejudice.

smtpd_helo_restrictions = check_sender_access mysql:/etc/postfix/whitelist.cf,
    check_sender_access mysql:/etc/postfix/shortcircuit.cf,
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_invalid_helo_hostname,
    reject_non_fqdn_helo_hostname,
    reject_unknown_helo_hostname

smtpd_recipient_restrictions = check_sender_access mysql:/etc/postfix/whitelist.cf,
    check_sender_access mysql:/etc/postfix/shortcircuit.cf,
    reject_invalid_hostname,
    reject_unauth_pipelining,
    reject_unknown_recipient_domain,
    reject_unauth_destination,
    permit_mynetworks,
    permit_sasl_authenticated,
    permit

smtpd_client_restrictions = check_sender_access mysql:/etc/postfix/whitelist.cf,
    check_sender_access mysql:/etc/postfix/shortcircuit.cf,
    reject_rbl_client dnsbl.sorbs.net,
    reject_rbl_client b.barracudacentral.org,
    reject_rbl_client cbl.abuseat.org,
    reject_rbl_client bl.spamcop.net,
    reject_rbl_client zen.spamhaus.org,
    reject_rbl_client dnsbl-1.uceprotect.net,
    reject_rbl_client dnsrbl.org,
    reject_rbl_client bad.psky.me,
    check_sender_access mysql:/etc/postfix/blacklist.cf

Michael Munger, dCAP, MCPS, MCNPS, MBSS
High Powered Help, Inc.
Microsoft Certified Professional
Microsoft Certified Small Business Specialist
Digium Certified Asterisk Professional
mich...@highpoweredhelp.com

On 11/28/2016 11:55 PM, Noel Jones wrote:
> Don't forget to put your shortcircuit.cf in smtpd_{helo, sender,
> recipient, data}_restrictions.
>
> Or even better, to prevent any unintentional open relay have your
> shortcircuit.cf return "permit_auth_destination" rather than simply OK.
>
>
> -- Noel Jones
>
>
> On 11/28/2016 9:22 PM, Michael Munger wrote:
>> Good timing. I was just trying to figure out why a domain on the
>> whitelist was still caught by an rbl when you sent this. Thank you.
>>
>> To fix the issue, I have added an additional check_sender_access
>>
>> smtpd_client_restrictions = check_sender_access mysql:/etc/postfix/whitelist.cf,
>>     check_sender_access mysql:/etc/postfix/shortcircuit.cf,
>>     reject_rbl_client dnsbl.sorbs.net,
>>     reject_rbl_client b.barracudacentral.org,
>>     reject_rbl_client cbl.abuseat.org,
>>     reject_rbl_client bl.spamcop.net,
>>     reject_rbl_client zen.spamhaus.org,
>>     reject_rbl_client dnsbl-1.uceprotect.net,
>>     reject_rbl_client dnsrbl.org,
>>     reject_rbl_client bad.psky.me,
>>     check_sender_access mysql:/etc/postfix/blacklist.cf
>>
>> Contents of shortcircuit.cf:
>>
>> user = postfix
>> password = foopass
>> dbname = postfix
>> query = SELECT 'OK' AS whitelist_action FROM whitelist WHERE
>>     whitelist_domain = '%s'
>> hosts = 127.0.0.1
>>
>> Michael Munger, dCAP, MCPS, MCNPS, MBSS
>> High Powered Help, Inc.
>> Microsoft Certified Professional
>> Microsoft Certified Small Business Specialist
>> Digium Certified Asterisk Professional
>> mich...@highpoweredhelp.com
>> On 11/28/2016 10:12 PM, Noel Jones wrote:
>>> On 11/28/2016 8:14 PM, Michael Munger wrote:
>>>
>>> ...
>>>> we simply changed the action
>>>> from "OK" to "FILTER relay:192.168.10.81". This means that inbound
>>>> mail, once it is discovered to be on a whitelist, is immediately
>>>> relayed to our Exchange server.
>>> No, the mail is not immediately relayed. It goes through the rest of
>>> the configured restrictions, is queued, and is then relayed to the
>>> next-hop specified by your FILTER statement. Of particular interest
>>> is that FILTER -- similar to DUNNO -- does not skip further checking
>>> such as rbl lookups or hostname restrictions.
>>>
>>> To both set the next-hop AND skip further postfix restriction
>>> processing, you need two check_sender_access tables; the first to
>>> return FILTER and the second to return OK to skip further checks.
>>>
>>>
>>>
>>> -- Noel Jones
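
Added example, not part of the original thread and not Postfix code: a small audit of the restriction lists in the message above against the two points in the 11:55 PM reply (the shortcircuit table belongs in the helo, sender, recipient and data lists, and a sender-keyed table that returns OK ahead of reject_unauth_destination skips the relay check). The function names and the abbreviated sample are assumptions, and lists are assumed to be comma-separated as they are in this thread.

```python
import re

# Constructed sample: the lists from the message above, abbreviated.
MAIN_CF = """\
smtpd_helo_restrictions = check_sender_access mysql:/etc/postfix/whitelist.cf,
    check_sender_access mysql:/etc/postfix/shortcircuit.cf,
    permit_mynetworks, permit_sasl_authenticated,
    reject_invalid_helo_hostname
smtpd_recipient_restrictions = check_sender_access mysql:/etc/postfix/whitelist.cf,
    check_sender_access mysql:/etc/postfix/shortcircuit.cf,
    reject_unauth_pipelining, reject_unauth_destination,
    permit_mynetworks, permit_sasl_authenticated, permit
smtpd_client_restrictions = check_sender_access mysql:/etc/postfix/shortcircuit.cf,
    reject_rbl_client zen.spamhaus.org
"""

STAGES = ("helo", "sender", "recipient", "data")  # lists named in the reply

def parse_lists(text):
    """Return {parameter: [restriction, ...]}, joining indented continuation lines."""
    logical = re.sub(r"\n[ \t]+", " ", text)
    lists = {}
    for line in logical.splitlines():
        m = re.match(r"(smtpd_\w+_restrictions)\s*=\s*(.*)", line)
        if m:
            lists[m.group(1)] = [r.strip() for r in m.group(2).split(",") if r.strip()]
    return lists

def audit(text, table="shortcircuit.cf"):
    """Hypothetical helper: report lists missing the table and risky ordering."""
    lists = parse_lists(text)
    findings = []
    # Point 1: an OK result only ends the list that returned it, so the
    # table has to be consulted in every list that should be skipped.
    for stage in STAGES:
        name = f"smtpd_{stage}_restrictions"
        if not any(table in r for r in lists.get(name, [])):
            findings.append(f"{name}: {table} not consulted")
    # Point 2: sender addresses are forgeable, so a sender-keyed table ahead
    # of reject_unauth_destination must not return a plain OK.
    # (smtpd_relay_restrictions, if set, is not examined here.)
    rcpt = lists.get("smtpd_recipient_restrictions", [])
    if "reject_unauth_destination" in rcpt:
        for r in rcpt[:rcpt.index("reject_unauth_destination")]:
            if r.startswith("check_sender_access"):
                findings.append(f"recipient: '{r}' precedes reject_unauth_destination; "
                                "an OK result skips the relay check")
    return findings
```

Calling audit(MAIN_CF) on the sample reports the missing sender and data lists and both sender tables that sit ahead of reject_unauth_destination.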