On Friday, 15.11.2019, at 12:54 -0600, Noel Jones wrote:
> On 11/15/2019 11:58 AM, Robert Senger wrote:
> > Hi all,
> >
> > I am having some trouble with filtering incoming mail. First, I do
> > not understand certain "access denied" actions. Second, I cannot get
> > filtering by sender domain to work correctly.
> >
> > Relevant configuration snippets see below.
> >
> > 1. "access denied" actions
> > [...]
>
> Looks like this is a REJECT in a check_recipient_access table.
> Access denied; is a reject from a smtpd access table. Recipient
> address rejected; tells us it's a check_recipient_access table.

I reordered things and reviewed access tables, will check logs if that
issue is gone now.

> > 2. Filtering by sender domain not working
> >
> > [...]
>
> I would strongly recommend using REJECT instead of an explicit 5xx
> code in access maps to prevent accidents. If the intention is to
> differentiate log lines, add a comment after the REJECT. See the
> "Accept Actions" section of:
> http://www.postfix.org/access.5.html

Done that.

> > root@prokyon:/etc/postfix# cat sender_access
> > newslet...@info.sxxt.de 550 Blacklisted
> >
> > root@prokyon:/etc/postfix# cat client_access
> > debian.org OK
> >
> > root@prokyon:/etc/postfix# cat helo_access
> > maxx.maxx.shmoo.com OK
>
> Be aware that whitelisting by helo name is insecure. Helo names are
> easily and frequently forged.

I've added these whitelists several years ago, for whatever reason I do
not remember, removed now.

> >
> > Smtp configuration:
> >
> > master.cf (snippet):
>
> Is there some good reason you've put all this in master.cf instead
> of main.cf like everyone else? This can make postfix harder to
> debug by having (possibly conflicting) settings in multiple files.
>
> Check what postfix sees by using "postconf -nf" and "postconf -Mf"

I don't remember exactly why. At first, I found it confusing having
stuff in main.cf and other in master.cf that belong together (milters,
policy services). Second, I think years ago I had trouble with
milters/policy services that should be active on smtp, but not on
submission or vice versa, so I moved everything to master.cf to have it
strictly separate for smtp, smtps and submission. I do not have any
options present in both main.cf and master.cf that could conflict.
Don't know what is best practice here.

Thanks for the help, sender_access now seems to work (tested once). The
"access denied" issue needs some more time investigation.

Robert

-- 
Robert Senger
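
The two access-table recommendations in this thread (use REJECT rather than an explicit 5xx code, and avoid OK entries keyed on HELO names) can be checked mechanically. The linter below is an added example, not part of the original messages or of Postfix; the function names are hypothetical and the table contents are constructed samples with placeholder addresses.

```python
import re

NUMERIC_ACTION = re.compile(r"^[45]\d\d$")  # explicit SMTP reply code used as the action

def logical_lines(text):
    """Yield (first_line_no, text) per logical line of a Postfix lookup table.
    Blank and '#' lines are skipped; a line starting with whitespace continues
    the previous logical line."""
    current, start = None, 0
    for n, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and current is not None:
            current += " " + raw.strip()
            continue
        if current is not None:
            yield start, current
        current, start = raw.strip(), n
    if current is not None:
        yield start, current

def lint_access_table(text, helo_table=False):
    """Return (line_no, issue, lookup_key) for entries the thread advises against."""
    findings = []
    for n, line in logical_lines(text):
        fields = line.split(None, 2)
        if len(fields) < 2:
            findings.append((n, "missing-action", fields[0]))
        elif NUMERIC_ACTION.match(fields[1]):
            findings.append((n, "numeric-code-instead-of-REJECT", fields[0]))
        elif helo_table and fields[1].upper() == "OK":
            findings.append((n, "helo-whitelist", fields[0]))
    return findings

# Constructed sample tables (placeholder names, not the values from the thread).
SENDER_ACCESS = """\
# sender blacklist
newsletter@info.example.com 550 Blacklisted
spam.example.net REJECT blacklisted sender domain
bulk@example.org 554
    Blacklisted, continued on a second line
"""
HELO_ACCESS = "mail.example.org OK\n"

if __name__ == "__main__":
    for finding in lint_access_table(SENDER_ACCESS) + lint_access_table(HELO_ACCESS, helo_table=True):
        print(finding)
```

The REJECT entry with trailing text passes, matching the suggestion to distinguish log lines with a comment after REJECT rather than with a custom code.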