On Mon, 18 Nov 2019, Matus UHLAR - fantomas wrote:
On 18.11.19 10:12, Bernardo Reino wrote:
My plan is/was to use only one blacklist (zen, IP-based) during postscreen
but then have the option of using other blacklists (dbl, zrd) at smtpd
time.
I moved all blacklist filtering from smtpd to postscreen, because postscreen
can weigh blacklists, so I considered it more safe.
e.g. if something is whitelisted in dnswl, and blacklisted in zen, it's
allowed, but if it's blacklisted in zen and in other BL, it's denied even if
in dnswl...
Thus I avoid many false-positives.
Now I only run rhsbl checks in smtpd (postscreen can't do that).
My plan is also to use ip-based bl[ao]cklists with postscreen, and RHSBL
in smtpd, once I know things are working OK (but I'm 99% this is the case
:)
I have now done it with:
    rbl_reply_maps = texthash:/etc/postfix/dnsbl_reply_smtpd
where that file has lines like:
    $KEY.zrd.dq.spamhaus.net=127.0.2.[2..24] $rbl_code Service unavailable; $rbl_class [$rbl_what] blocked
where $KEY is my key, and the LHS of that line is exactly as it looks in
reject_rhsbl_reverse_client (to give an example).
Seems to work (meaning: postfix hasn't complained, and I continue to
receive mail :), but given the little traffic I have I wanted an "offline
verification" that this is the right way to do this.
I think key should be separated from value by tab, not '='.
anything in the logs yet?
The "=" is part of the blacklist definition, i.e.
    smtpd_recipient_restrictions =
        permit_sasl_authenticated,
        permit_mynetworks,
        reject_rbl_client $KEY.zen.dq.spamhaus.net=127.0.0.[2..255],
        check_client_access pcre:/etc/postfix/client_access.pcre
(I'm aware that this (which is what I currently have in main.cf) doesn't
match the example I quoted above of my reply map, which contains other
entries (dbl, zrd) in case I add them to my recipient restrictions later.)
AFAIK the domain, including (if present) the IP regex should be present on
the left hand side of the rbl_reply_maps.
Cheers and thanks again for your reply.
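As an added example (not code from this thread or from Postfix itself), a small Python checker for the "offline verification" asked for above: it reads a texthash reply map the way postmap does (first whitespace splits key from value, so the "=filter" part stays in the key; indented lines continue the previous entry), reports reject_r*bl_* arguments from main.cf that have no matching reply-map entry, and flags templates that use $rbl_domain, which would put the DQS-keyed lookup domain into the reply the client sees. The main.cf fragment and map are constructed for the example and "KEY" is a placeholder, not a real DQS key.

```python
import re

# Constructed main.cf fragment modelled on the thread; "KEY" is a placeholder.
MAIN_CF = """\
smtpd_recipient_restrictions =
    permit_sasl_authenticated,
    permit_mynetworks,
    reject_rbl_client KEY.zen.dq.spamhaus.net=127.0.0.[2..255],
    reject_rhsbl_reverse_client KEY.dbl.dq.spamhaus.net=127.0.1.[2..99],
    check_client_access pcre:/etc/postfix/client_access.pcre
"""

# Constructed texthash reply map in the layout used in the thread; the zrd
# entry is wrapped onto an indented continuation line, as postmap allows.
REPLY_MAP = """\
# key is the restriction argument verbatim, "=filter" included
KEY.zen.dq.spamhaus.net=127.0.0.[2..255] $rbl_code Service unavailable; $rbl_class [$rbl_what] blocked
KEY.zrd.dq.spamhaus.net=127.0.2.[2..24] $rbl_code Service unavailable;
    $rbl_class [$rbl_what] blocked
"""

RBL_RESTRICTIONS = ("reject_rbl_client", "reject_rhsbl_client",
                    "reject_rhsbl_sender", "reject_rhsbl_helo",
                    "reject_rhsbl_reverse_client")

def parse_texthash(text):
    """Minimal texthash reader: skip '#' and blank lines, join continuation
    lines, then split each logical line at its first whitespace."""
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and logical:
            logical[-1] += " " + raw.strip()   # continuation of previous entry
        else:
            logical.append(raw.strip())
    return dict(line.split(None, 1) for line in logical)

def rbl_arguments(main_cf):
    """Collect the DNSBL/RHSBL arguments given to the reject_r*bl_* restrictions."""
    pattern = r"\b(?:%s)\s+([^\s,]+)" % "|".join(RBL_RESTRICTIONS)
    return set(re.findall(pattern, main_cf))

def check_reply_map(main_cf, reply_map_text):
    """Return (missing, leaky): restriction arguments with no reply-map entry,
    and entries whose template would expand $rbl_domain (carrying the key)."""
    entries = parse_texthash(reply_map_text)
    missing = sorted(a for a in rbl_arguments(main_cf) if a not in entries)
    leaky = sorted(k for k, v in entries.items() if "$rbl_domain" in v)
    return missing, leaky

if __name__ == "__main__":
    print(check_reply_map(MAIN_CF, REPLY_MAP))
```

Running it against the constructed input reports the dbl argument as missing from the map and no leaky templates; point it at your real main.cf and reply-map file to repeat the check on your own configuration.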