I queried the log using the message id and here is what I have:

Jan  7 13:24:50 hasna postfix/smtpd[83149]: A6455AE141: client=24-51-13-81.pittpa.adelphia.net[24.51.13.81]
Jan  7 13:24:51 hasna postfix/cleanup[83165]: A6455AE141: message-id=<[EMAIL PROTECTED]>
Jan  7 13:24:51 hasna postfix/nqmgr[70022]: A6455AE141: from=<[EMAIL PROTECTED]>, size=3667, nrcpt=1 (queue active)
Jan  7 13:24:51 hasna postfix/smtp[83122]: A6455AE141: to=<[EMAIL PROTECTED]>, relay=208.187.144.75[208.187.144.75], delay=1, status=sent (250 Message queued)
Jan  7 13:24:51 hasna postfix/nqmgr[70022]: A6455AE141: removed

It clearly looks like postfix accepted this email from an IP that is listed
in several RBLs that I use; here is a snip from my main.cf:

smtpd_recipient_restrictions =
 reject_unauth_pipelining,
 reject_non_fqdn_sender,
 reject_non_fqdn_recipient,
 reject_unknown_recipient_domain,
 hash:/etc/postfix/to_recipients_bw.map,
 reject_unknown_sender_domain,
 permit_mynetworks,
 reject_unauth_destination,
 check_helo_access hash:/etc/postfix/helo_hostnames.map,
 check_client_access hash:/etc/postfix/mta_clients_bw.map,
 check_sender_access regexp:/etc/postfix/from_senders.regexp,
 check_sender_access hash:/etc/postfix/from_senders_bw.map,
 check_sender_access hash:/etc/postfix/from_senders_mybogus.map,
 reject_rbl_client dul.dnsbl.sorbs.net,
 reject_rbl_client bl.spamcop.net,
 reject_rbl_client sbl.spamhaus.org,
 reject_rbl_client dnsbl.njabl.org,
 reject_rbl_client cbl.abuseat.org,
 reject_rbl_client list.dsbl.org,
 reject_rbl_client dnsbl.ahbl.org,
 reject_rbl_client spam.dnsbl.sorbs.net,
 reject_rbl_client korea.services.net,
 reject_rbl_client dynablock.njabl.org,
 reject_rbl_client spamguard.leadmon.net,
 reject_rbl_client http.dnsbl.sorbs.net,
 reject_rbl_client socks.dnsbl.sorbs.net,
 reject_rhsbl_client blackhole.securitysage.com,
 reject_rhsbl_sender blackhole.securitysage.com,
 reject_unverified_sender,
 reject_unverified_recipient,
 permit

Could I be whitelisting the account ([EMAIL PROTECTED]) which received
this spam somewhere?
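Postfix evaluates a restriction list top to bottom and stops at the first restriction that returns OK or REJECT; DUNNO means "keep going". In the list above, the bare lookup `hash:/etc/postfix/to_recipients_bw.map` (a recipient-address check) sits several entries before the first `reject_rbl_client`, so an `OK` entry for the recipient there ends evaluation with a permit and the RBL checks are never consulted. The following simulation is an added example, not code from the post or from Postfix; the map contents, addresses and RBL results it uses are constructed, and the access(5) lookup order is simplified (exact-key tables only, a few of the RBL zones, and restrictions not modelled are treated as DUNNO).

```python
"""Simulate Postfix's first-match evaluation of smtpd_recipient_restrictions.

Constructed example: the restriction list from the post (RBL zones trimmed),
with hypothetical access-map contents, to show how an OK entry placed before
the reject_rbl_client checks skips them for that message.
"""

# Restriction list as posted, with the RBL zones trimmed to three.
RESTRICTIONS = [
    "reject_unauth_pipelining",
    "reject_non_fqdn_sender",
    "reject_non_fqdn_recipient",
    "reject_unknown_recipient_domain",
    "hash:/etc/postfix/to_recipients_bw.map",   # bare table = recipient lookup
    "reject_unknown_sender_domain",
    "permit_mynetworks",
    "reject_unauth_destination",
    "check_helo_access hash:/etc/postfix/helo_hostnames.map",
    "check_client_access hash:/etc/postfix/mta_clients_bw.map",
    "check_sender_access regexp:/etc/postfix/from_senders.regexp",
    "check_sender_access hash:/etc/postfix/from_senders_bw.map",
    "check_sender_access hash:/etc/postfix/from_senders_mybogus.map",
    "reject_rbl_client dul.dnsbl.sorbs.net",
    "reject_rbl_client bl.spamcop.net",
    "reject_rbl_client sbl.spamhaus.org",
    "permit",
]
ALL_TABLES = [r.split(" ")[-1] for r in RESTRICTIONS if ":" in r]

MYNETWORKS = {"127.0.0.1"}          # constructed
MYDESTINATION = {"example.com"}     # constructed


def lookup_address(table, addr):
    """Simplified access(5) order for an address: full address, domain,
    parent domains, then localpart@."""
    local, _, domain = addr.rpartition("@")
    parts = domain.split(".")
    keys = [addr] + [".".join(parts[i:]) for i in range(len(parts))] + [local + "@"]
    return next((table[k] for k in keys if k in table), None)


def lookup_client(table, ip, hostname):
    """Simplified access(5) order for a client: hostname and parent domains,
    then the IP and its shorter prefixes (24.51.13, 24.51, 24)."""
    hp, ipp = hostname.split("."), ip.split(".")
    keys = [".".join(hp[i:]) for i in range(len(hp))]
    keys += [".".join(ipp[:i]) for i in range(len(ipp), 0, -1)]
    return next((table[k] for k in keys if k in table), None)


def evaluate(restrictions, msg, maps):
    """Return (action, matching restriction, trace) using first-match semantics.
    None stands for DUNNO; OK or REJECT ends evaluation."""
    trace = []
    for r in restrictions:
        name, _, arg = r.partition(" ")
        if name == "permit":
            result = "OK"
        elif name == "permit_mynetworks":
            result = "OK" if msg["client_ip"] in MYNETWORKS else None
        elif name == "reject_unauth_destination":
            result = None if msg["recipient"].rpartition("@")[2] in MYDESTINATION else "REJECT"
        elif name.startswith("hash:"):
            result = lookup_address(maps[name], msg["recipient"])
        elif name == "check_client_access":
            result = lookup_client(maps[arg], msg["client_ip"], msg["client_name"])
        elif name == "check_sender_access":
            result = lookup_address(maps[arg], msg["sender"])
        elif name == "reject_rbl_client":
            result = "REJECT" if arg in msg["rbl_listed"] else None
        else:
            result = None  # simplification: checks not modelled here are DUNNO
        trace.append((r, result or "DUNNO"))
        if result in ("OK", "REJECT"):
            return result, r, trace
    return "DUNNO", None, trace


def spam_message():
    # Constructed: the posted client, with sender/recipient and RBL hits made up.
    return {"client_ip": "24.51.13.81", "client_name": "24-51-13-81.pittpa.adelphia.net",
            "sender": "spammer@example.invalid", "recipient": "user@example.com",
            "rbl_listed": {"dul.dnsbl.sorbs.net", "bl.spamcop.net"}}


def maps_with_recipient_entry(action):
    """Hypothetical tables: all empty except one recipient entry in to_recipients_bw.map."""
    maps = {t: {} for t in ALL_TABLES}
    maps["hash:/etc/postfix/to_recipients_bw.map"]["user@example.com"] = action
    return maps


def outcome_as_configured():
    """Recipient whitelisted with OK before the RBL checks: RBLs never run."""
    return evaluate(RESTRICTIONS, spam_message(), maps_with_recipient_entry("OK"))[:2]


def outcome_with_dunno():
    """Same list, entry changed to DUNNO: evaluation continues to the RBL checks."""
    return evaluate(RESTRICTIONS, spam_message(), maps_with_recipient_entry("DUNNO"))[:2]


def outcome_reordered():
    """OK entry kept, but the recipient table moved after the last reject_rbl_client."""
    table = "hash:/etc/postfix/to_recipients_bw.map"
    reordered = [r for r in RESTRICTIONS if r != table]
    reordered.insert(reordered.index("permit"), table)
    return evaluate(reordered, spam_message(), maps_with_recipient_entry("OK"))[:2]


if __name__ == "__main__":
    for label, fn in (("as configured", outcome_as_configured),
                      ("DUNNO entry", outcome_with_dunno),
                      ("table after RBLs", outcome_reordered)):
        print(f"{label}: {fn()}")
```

Running it shows the configured order stopping with OK at the recipient table, while either changing the entry to DUNNO or moving the table below the `reject_rbl_client` lines lets the first listed zone reject the client. The same first-match rule applies to an `OK` for the client in `mta_clients_bw.map` or for the sender in the `from_senders_*` tables, which are likewise placed before the RBL checks.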

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of Len Conrad
Sent: Thursday, January 08, 2004 1:32 AM
To: [EMAIL PROTECTED]
Subject: [IMGate] Re: Weird behavior with RBLs

>I am not sure what you are referring to, I just did "egrep "24.51.13.81"
>/var/log/maillog" to try to find out why this particular IP is passing
>the RBLs and those are the results that showed up.

ok, that means there were no rejects for those IPs, but that doesn't mean 
that postfix accepted messages from those IPs.

If you were running 4tuple filter, your same egrep would have pulled up 
4tuple records with those IPs but only if postfix accepted msgs.

>I'm assuming Postfix smtpd did accept those messages since they showed
>up in my inbox which is behind my IMGATE machine that uses those RBLs that
>have the mentioned IP.

then you should be able to grep for the postfix msg ID to see all the log 
lines of the processes that handled the msg.

It would be very strange if postfix accepted a msg from an IP that was in 
several RBLs (assuming these IPs were whitelisted before the RBL checks).

Len