Doug Hardie:
I have a postfix server that uses postscreen.  However, occasionally
a needed mail is blocked by one of the spam services.  Is there a
way to bypass postscreen for just one or more specific addresses
for a short time?

On 12 July 2021, at 18:27, Wietse Venema <wie...@porcupine.org> wrote:
http://www.postfix.org/postconf.5.html#postscreen_access_list
http://www.postfix.org/POSTSCREEN_README.html#quick

Doug Hardie:
I went through those earlier.  I have configured:

postscreen_access_list = permit_mynetworks,
       cidr:/usr/local/etc/postfix/access.cidr

On 14 July 2021, at 06:12, Wietse Venema <wie...@porcupine.org> wrote:
You also need to set postscreen_denylist_action (or 
postscreen_blacklist_action).

On 14.07.21 15:56, Doug Hardie wrote:
Perhaps I am a bit confused.  The web page says:

To use the postscreen(8) service to block mail, edit main.cf and specify
one or more of:

        • "postscreen_dnsbl_action = enforce", to reject clients that are
          on DNS blocklists, and to log the helo/sender/recipient
          information. With good DNSBLs this reduces the amount of load
          on Postfix SMTP servers dramatically.

        • "postscreen_greet_action = enforce", to reject clients that talk
          before their turn, and to log the helo/sender/recipient
          information. This stops over half of all known-to-be
          illegitimate connections to Wietse's mail server. It is backup
          protection for zombies that haven't yet been denylisted.

I have both of those set to enforce.  Here is the complete postscreen section 
of main.cf:

#       postscreen spam filtering
postscreen_greet_action = enforce
postscreen_dnsbl_action = enforce
postscreen_dnsbl_sites = bl.spamcop.net zen.spamhaus.org b.barracudacentral.org
postscreen_access_list = permit_mynetworks,
       cidr:/usr/local/etc/postfix/access.cidr
#

That seems to work as I see numerous spam being blocked by those dnsbl sites.  
Am I missing something?

postscreen_denylist_action/postscreen_blacklist_action is needed if you want
postscreen to refuse connections from IPs marked as "reject" in your
/usr/local/etc/postfix/access.cidr.

Since you only need to allow specific IPs, you apparently don't need that.
I would set it anyway - to avoid wondering, if you put "reject" there, why
it doesn't work.


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Honk if you love peace and quiet.
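
The distinction discussed in this thread, as an added example that is not part of the original messages and is not Postfix code: a simplified Python model of how a first-match cidr: table feeds postscreen, showing that "permit" entries take effect on their own while "reject" entries only block once postscreen_denylist_action is changed from its default of "ignore". The table contents, the documentation-range addresses and the function names are assumptions made for illustration; permit_mynetworks and the other cidr_table(5) syntax (negation, if/endif) are not modelled.

```python
import ipaddress

# Constructed sample table in cidr_table(5) "pattern action" form; the
# addresses are documentation ranges, not values from the thread.
ACCESS_CIDR = """\
# temporary allowlist entry for one sending host
192.0.2.10        permit
# exempt one host from the reject rule below
198.51.100.7      dunno
198.51.100.0/24   reject
"""

def parse_cidr_table(text):
    """Return [(network, action)] in file order, skipping comments and blanks."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        pattern, action = line.split(None, 1)
        net = ipaddress.ip_network(pattern, strict=False)
        rules.append((net, action.strip().lower()))
    return rules

def lookup(rules, client_ip):
    """First matching pattern wins, as in a Postfix cidr: table."""
    addr = ipaddress.ip_address(client_ip)
    for net, action in rules:
        if addr.version == net.version and addr in net:
            return action
    return None

def postscreen_decision(rules, client_ip, denylist_action="ignore"):
    """Simplified model of the access-list step for one client IP."""
    action = lookup(rules, client_ip)
    if action == "permit":
        return "allowlisted: greet and DNSBL tests skipped"
    if action == "reject" and denylist_action in ("enforce", "drop"):
        return "denylisted: mail rejected"
    if action == "reject":
        return "denylist match ignored: other tests still run"
    return "no decision: other tests still run"  # "dunno" or no match

RULES = parse_cidr_table(ACCESS_CIDR)

if __name__ == "__main__":
    for ip in ("192.0.2.10", "198.51.100.7", "198.51.100.99", "203.0.113.5"):
        print(ip, "->", postscreen_decision(RULES, ip))
```

On a live system, `postmap -q <client-ip> cidr:/usr/local/etc/postfix/access.cidr` performs the same table lookup, and a `postfix reload` is needed after editing a cidr: table.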
