On Sun, Mar 26, 2023 at 04:10:57PM -0700, Doug Hardie via Postfix-users wrote:

> > The suggested inline:{{key = value}} replacement will work if
> > implemented correctly.
> 
> Mar 26 15:42:30 mail postfix/smtpd[15243]: NOQUEUE: reject:
>   RCPT from mx4.messageprovider.com[156.55.193.213]: 450 4.1.8
>   <nore...@digitalinsight.firefightersfirstcreditunion.org>:
>   Sender address rejected: Domain not found;
>   from=<nore...@digitalinsight.firefightersfirstcreditunion.org>
>   to=<a...@beneke.us> proto=ESMTP helo=<mx4.messageprovider.com>

That's more like it.

> incoming_smtpd_restrictions =
>   check_policy_service inet:127.0.0.1:10040,
>   reject_invalid_hostname, reject_non_fqdn_sender,
>   reject_non_fqdn_recipient,
>   check_sender_access hash:/usr/local/etc/postfix/access,
>   reject_unknown_sender_domain,
>   ...

Well, this does not have the "inline:{{...}}" guard.

> >    incoming_smtpd_restrictions =
> >            check_policy_service inet:127.0.0.1:10040,
> >            reject_invalid_hostname,
> >            reject_non_fqdn_sender,
> >            reject_non_fqdn_recipient,
> >            check_sender_access inline:{
> >                {digitalinsight.firefightersfirstcreditunion.org = permit_auth_destination}
> >            },
> >            reject_unknown_sender_domain,

As shown above.

> https://www.postfix.org/access.5.html
> 
> EXAMPLE
> The following example uses an indexed file, so that the order of table
> entries does not matter. The example permits access by the client at
                                                             ------
> address 1.2.3.4 but rejects all other clients in 1.2.3.0/24.
> 
> /etc/postfix/main.cf:
> smtpd_client_restrictions = check_client_access hash:/etc/postfix/access
> 
> >> #       Firefighters CU has missing DNS
> >> 156.55.193.213          OK

Already explained why this failed.

> > Perhaps you meant to instead use:
> > 
> >    check_client_access hash:/usr/local/etc/postfix/access
> 
> You are right.  I missed that.

You can now either whitelist the client IP, or exclude the domain
name from tests of DNS existence.  Use whatever you think is most
manageable (I'd go with exempting the name).

-- 
    Viktor.
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
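
Added example, not part of the original message and not Postfix code: a simplified Python model of access(5) lookup keys and restriction ordering, showing why a client IP entry never matches under check_sender_access and how the two fixes discussed in the thread behave. The sender local part "user", the session field names and the helper names are assumptions; the IP, hostname and domain come from the quoted log.

```python
# Simplified model of Postfix access(5) lookups; an illustration, not Postfix code.

def parents(name):
    labels = name.split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]

def sender_keys(sender):
    # check_sender_access: full address, domain and parent domains, localpart@
    local, _, domain = sender.rpartition("@")
    return [sender] + parents(domain) + [local + "@"]

def client_keys(host, addr):
    # check_client_access: hostname and parent domains, address, network prefixes
    octets = addr.split(".")
    return parents(host) + [".".join(octets[:n]) for n in range(4, 0, -1)]

def lookup(table, keys):
    return next((table[k] for k in keys if k in table), "DUNNO")

def evaluate(restrictions, s):
    """Walk the list in order; the first result other than DUNNO decides."""
    for kind, table in restrictions:
        action = "DUNNO"
        if kind == "check_sender_access":
            action = lookup(table, sender_keys(s["sender"]))
        elif kind == "check_client_access":
            action = lookup(table, client_keys(s["host"], s["addr"]))
        elif kind == "reject_unknown_sender_domain" and not s["sender_in_dns"]:
            action = "450 4.1.8 Sender address rejected: Domain not found"
        if action == "permit_auth_destination":
            # Only decisive when the recipient is one we deliver or relay for.
            action = "OK" if s["rcpt_is_ours"] else "DUNNO"
        if action != "DUNNO":
            return action
    return "DUNNO"

DOMAIN = "digitalinsight.firefightersfirstcreditunion.org"
SESSION = {  # constructed session; local part "user" is a placeholder
    "sender": "user@" + DOMAIN, "host": "mx4.messageprovider.com",
    "addr": "156.55.193.213", "sender_in_dns": False, "rcpt_is_ours": True,
}
IP_TABLE = {"156.55.193.213": "OK"}            # the access file entry
GUARD = {DOMAIN: "permit_auth_destination"}    # the inline:{{...}} table
TAIL = [("reject_unknown_sender_domain", None)]
ORIGINAL = [("check_sender_access", IP_TABLE)] + TAIL    # IP is never a sender key
CLIENT_FIX = [("check_client_access", IP_TABLE)] + TAIL  # whitelist the client IP
DOMAIN_GUARD = [("check_sender_access", GUARD)] + TAIL   # exempt the name

if __name__ == "__main__":
    for name in ("ORIGINAL", "CLIENT_FIX", "DOMAIN_GUARD"):
        print(name, "->", evaluate(globals()[name], SESSION))
```

With permit_auth_destination as the table action, the exemption applies only to mail addressed to domains this server handles; for any other recipient the lookup yields no decision and reject_unknown_sender_domain still runs.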
