In your exceptions list, use ACCEPT or REJECT; DUNNO means "let something else decide" ...
Allen C

On 08/09/17 09:36, Nikolaos Milas wrote:
> Hello,
>
> I have tried to whitelist some servers for postscreen, but I notice that
> they continue to get blocked if they are blacklisted.
>
> What am I doing wrong in whitelisting them?
>
> How can I successfully whitelist them so that they are not blocked even
> if they are blacklisted in an RBL/RSBL?
>
> Here is a session with remote server 195.134.100.81 (ours is 62.217.124.2):
>
> Aug 31 11:14:01 mailgw3 postfix/postscreen[6476]: CONNECT from
> [195.134.100.81]:50520 to [62.217.124.2]:25
> Aug 31 11:14:02 mailgw3 postfix/dnsblog[6328]: addr 195.134.100.81
> listed by domain b.barracudacentral.org as 127.0.0.2
> Aug 31 11:14:07 mailgw3 postfix/postscreen[6476]: DNSBL rank 2 for
> [195.134.100.81]:50520
> Aug 31 11:14:07 mailgw3 postfix/postscreen[6476]: NOQUEUE: reject: RCPT
> from [195.134.100.81]:50520: 550 5.7.1 Service unavailable; client
> [195.134.100.81] blocked using b.barracudacentral.org; from=<>,
> to=<gna...@noa.gr>, proto=SMTP, helo=<mta02.uoa.gr>
> Aug 31 11:14:07 mailgw3 postfix/postscreen[6476]: NOQUEUE: reject: RCPT
> from [195.134.100.81]:50520: 550 5.7.1 Service unavailable; client
> [195.134.100.81] blocked using b.barracudacentral.org;
> from=<postmas...@noc.uoa.gr>, to=<gna...@noa.gr>, proto=SMTP,
> helo=<mta02.uoa.gr>
> Aug 31 11:14:07 mailgw3 postfix/postscreen[6476]: DISCONNECT
> [195.134.100.81]:50520
>
> My setup (on Postfix 2.11.0):
>
> # postconf -n
> allowed_list1 = check_client_access cidr:/etc/postfix/vmail.cidr,reject
> allowed_list2 = check_client_access
> cidr:/etc/postfix/internalnetworks.cidr,reject
> command_directory = /usr/sbin
> config_directory = /etc/postfix
> content_filter = smtp-amavis:[127.0.0.1]:10024
> daemon_directory = /usr/libexec/postfix
> data_directory = /var/lib/postfix
> debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
> xxgdb $daemon_directory/$process_name $process_id & sleep 5
> default_process_limit = 50
> disable_vrfy_command = yes
> enable_long_queue_ids = yes
> header_checks = pcre:/etc/postfix/blacklisted_maillists
> html_directory = no
> inet_interfaces = all
> inet_protocols = ipv4, ipv6
> local_recipient_maps =
> local_transport = error:local mail delivery is disabled
> mail_name = NOA Mail Srv XAPITI XPICTOY
> mail_owner = postfix
> mailq_path = /usr/bin/mailq.postfix
> manpage_directory = /usr/share/man
> message_size_limit = 15728640
> mydestination =
> mynetworks = 127.0.0.1/32 [::1]/128
> myorigin = $mydomain
> newaliases_path = /usr/bin/newaliases.postfix
> postscreen_access_list = permit_mynetworks,
> cidr:/etc/postfix/postscreen_exceptions.cidr
> postscreen_blacklist_action = enforce
> postscreen_dnsbl_action = enforce
> postscreen_dnsbl_sites = b.barracudacentral.org*2, zen.spamhaus.org*2,
> psbl.surriel.com*2
> postscreen_dnsbl_threshold = 2
> postscreen_greet_action = enforce
> queue_directory = /var/spool/postfix
> relay_domains = noa.gr, astro.noa.gr, admin.noa.gr, nestor.noa.gr,
> space.noa.gr, meteo.noa.gr, gein.noa.gr, technet.noa.gr, hesperia-space.eu
> relay_recipient_maps =
> sendmail_path = /usr/sbin/sendmail.postfix
> setgid_group = postdrop
> smtp_tls_security_level = may
> smtpd_helo_required = yes
> smtpd_recipient_restrictions = check_client_access
> hash:/etc/postfix/amavis_bypass check_sender_access
> hash:/etc/postfix/blacklisted_senders check_sender_access
> pcre:/etc/postfix/blacklisted_maillists reject_unverified_recipient
> reject_unauth_destination check_recipient_access
> hash:/etc/postfix/protected_destinations permit_mynetworks
> reject_invalid_hostname reject_unauth_pipelining reject_non_fqdn_sender
> reject_unknown_sender_domain reject_non_fqdn_recipient
> reject_unknown_recipient_domain reject_rbl_client b.barracudacentral.org
> reject_rbl_client zen.spamhaus.org reject_rbl_client psbl.surriel.com
> reject_rbl_client bl.spamcop.net reject_rbl_client dnsbl.sorbs.net
> reject_rhsbl_client dbl.spamhaus.org reject_rhsbl_sender
> dbl.spamhaus.org reject_rhsbl_helo dbl.spamhaus.org check_policy_service
> unix:postgrey/socket permit
> smtpd_restriction_classes = allowed_list1,allowed_list2
> smtpd_tls_CAfile = /etc/pki/tls/certs/DigiCertCA.crt
> smtpd_tls_cert_file = /etc/pki/tls/certs/star_noa_gr-1365536.crt
> smtpd_tls_exclude_ciphers = DES,3DES,MD5,aNULL,AES128,CAMELLIA128
> smtpd_tls_key_file = /etc/pki/tls/private/star_noa_gr-1365536.key
> smtpd_tls_loglevel = 1
> smtpd_tls_mandatory_ciphers = high
> smtpd_tls_security_level = may
> smtpd_tls_session_cache_timeout = 3600s
> transport_maps = hash:/etc/postfix/transportmap
> unknown_local_recipient_reject_code = 550
> unverified_sender_reject_code = 550
> virtual_alias_maps = hash:/etc/postfix/virtualmap
>
> and cidr:/etc/postfix/postscreen_exceptions.cidr is:
>
> 195.134.100.72 dunno
> 195.134.100.69 dunno
> 195.134.100.81 dunno
> 195.134.100.119 dunno
>
> Please advise!
>
> Thanks a lot,
> Nick
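Why the `dunno` entries in the thread still end in a DNSBL reject, as an added example that is not part of the original messages or of Postfix itself: a simplified Python model of the decision order (access list first, DNSBL scoring only when the list returns `dunno`). The function names are hypothetical; the table, weights and threshold are copied from the quoted configuration, and the whitelisting action is written as `permit`, the keyword documented for `postscreen_access_list`.

```python
import ipaddress

# Constructed from the thread: the poster's exceptions table and DNSBL settings.
EXCEPTIONS_DUNNO = """\
195.134.100.72 dunno
195.134.100.69 dunno
195.134.100.81 dunno
195.134.100.119 dunno
"""
# Same table with the action switched to permit (whitelist, stop searching).
EXCEPTIONS_PERMIT = EXCEPTIONS_DUNNO.replace("dunno", "permit")
DNSBL_WEIGHTS = {"b.barracudacentral.org": 2, "zen.spamhaus.org": 2,
                 "psbl.surriel.com": 2}
DNSBL_THRESHOLD = 2


def parse_cidr_table(text):
    """Parse 'pattern action' lines into (network, action) pairs, in file order."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        pattern, action = line.split(None, 1)
        rules.append((ipaddress.ip_network(pattern, strict=False), action.lower()))
    return rules


def access_list_decision(client, rules):
    """First matching rule wins; a client with no match is treated as dunno."""
    addr = ipaddress.ip_address(client)
    for network, action in rules:
        if addr in network:
            return action
    return "dunno"


def screen(client, table_text, listed_by):
    """Simplified model: dunno defers to the DNSBL score, permit skips it."""
    action = access_list_decision(client, parse_cidr_table(table_text))
    if action == "permit":
        return "PASS (whitelisted, DNSBL not consulted)"
    if action == "reject":
        return "REJECT (blacklisted)"
    score = sum(DNSBL_WEIGHTS.get(site, 0) for site in listed_by)
    if score >= DNSBL_THRESHOLD:
        return f"REJECT (DNSBL rank {score})"
    return "PASS"
```

With the original table, 195.134.100.81 listed only by b.barracudacentral.org scores 2 and meets the threshold of 2, matching the `DNSBL rank 2` line in the quoted log.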