Noel Jones wrote:
> David Cottle wrote:
>> Hi,
>>
>> I have got RBL tests and I got a client on GoDaddy.  Naturally their
>> outgoing server (secureserver.net) is listed.  I made changes to
>> postfix
>> but it's still rejecting; here is the extract of the main.cf and the
>> rules.
>>
>> I don't understand why it's not working.  If I remove all the rbl
>> checks
>> the emails arrive.
>>
>> Any ideas?
>>
>> Here are the configs that apply:
>>
>> smtpd_client_restrictions = check_client_access
>> hash:/etc/postfix/whitelist,
>
> OK.
>
>> check_client_access
>> hash:/etc/postfix/check_backscatterer, check_client_access
>> hash:/etc/postfix/check_spamcannibal,
>
> The above two checks will never match anything.  You need to use
> check_sender_access, not check_client_access.
>
> Make sure you leave the default setting of
> smtpd_delay_reject = yes
> so postfix knows the sender when it does this check.
>
>> reject_rbl_client bl.spamcop.net,
>
> OK.
>
>> reject_rbl_client pbl.spamhaus.org, reject_rbl_client
>> sbl-xbl.spamhaus.org, reject_rbl_client cbl.abuseat.org,
>
> You should drop all the above and use zen.spamhaus.org.
> If you want to differentiate rejections, you can break them out by
> the reject code.
>
>> reject_rbl_client dnsbl-1.uceprotect.net, reject_rbl_client
>> dnsbl-2.uceprotect.net, reject_rbl_client dnsbl-3.uceprotect.net,
>
> UCEPROTECT will give you tons of false positives when used this
> way.  Better to use it in a scoring type system, such as
> SpamAssassin or a scoring policy server.  Or just don't use it at
> all.  Here, it gave so many false positives that it wasn't even
> particularly useful for scoring.
>
>> reject_rbl_client 2.0.0.127.b.barracudacentral.org
>
> This will never match anything.  Must be
>   reject_rbl_client b.barracudacentral.org
>
> if you're trying to limit rejects to a specific response code, the
> syntax is
>   reject_rbl_client b.barracudacentral.org=127.0.0.2
>
>> the /etc/postfix/whitelist file (yes, it's been mapped to .cf)
>>
>> k2smtpout01-01.prod.mesa1.secureserver.net OK
>> k2smtpout02-01.prod.mesa1.secureserver.net OK
>> k2smtpout03-01.prod.mesa1.secureserver.net OK
>> k2smtpout04-01.prod.mesa1.secureserver.net OK
>> k2smtpout05-01.prod.mesa1.secureserver.net OK
>> k2smtpout06-01.prod.mesa1.secureserver.net OK
>
> you need only one entry.
>
> prod.mesa1.secureserver.net  OK
>
> If you've changed the default setting of
> parent_domain_matches_subdomains then use
>
> .prod.mesa1.secureserver.net  OK
>
> http://www.postfix.org/postconf.5.html#parent_domain_matches_subdomains
> http://www.postfix.org/access.5.html
>
> But whitelisting by name only works if postfix knows the client name.
>
>> Feb  9 09:36:55 server postfix/smtpd[26671]: connect from
>> unknown[64.202.189.90]
>> Feb  8 22:36:57 server postfix/smtpd[26671]: NOQUEUE: reject: RCPT
>> from unknown[64.202.189.90]: 554 5.7.1 Service unavailable; Client
>> host [64.202.189.90] blocked using dnsbl-1.uceprotect.net; IP
>> 64.202.189.90 is UCEPROTECT-Level 1 listed. See
>> http://www.uceprotect.net/rblcheck.php?ipr=64.202.189.90;
>> from=<psa...@server.aussiefrogs.com> to=<dcot...@idb.com.au>
>> proto=SMTP helo=<k2smtpout02-01.prod.mesa1.secureserver.net>
>> Feb  8 22:36:57 server postfix/smtpd[26671]: disconnect from
>> unknown[64.202.189.90]
>
> Ah, postfix does not know the client name.  You'll need to whitelist
> them by IP address.
>
> Hmmm.
> % host 64.202.189.90
> 90.189.202.64.in-addr.arpa domain name pointer
> k2smtpout02-01.prod.mesa1.secureserver.net.
> % host k2smtpout02-01.prod.mesa1.secureserver.net.
> k2smtpout02-01.prod.mesa1.secureserver.net has address 64.202.189.90
>
> Looks as if your DNS is broken.  If your DNS had been working, I
> don't believe this would have been labeled "unknown".
>
> Does postfix label every client as "unknown"?
>
>> the check_backscatterer (also mapped)
>>
>> <> reject_rbl_client ips.backscatterer.org
>> postmaster reject_rbl_client ips.backscatterer.org
>> MAILER-DAEMON reject_rbl_client ips.backscatterer.org
>
> The postmaster and MAILER-DAEMON entries are unlikely to match
> anything; remember you're checking the envelope sender, not a
> header.  I suppose some broken mailers could use the sender
> postmas...@example.com or mailer-dae...@example.com; you would need
> a regexp map to match those, and you won't see many of them.  Ditto
> for your spamcannibal map.
>
>
Hi Noel,

Many thanks for your tips!

I have not set smtpd_delay_reject anywhere, so the default value of
yes applies.

As for the check scripts, I changed them as you said, to
check_sender_access, not check_client_access:

smtpd_client_restrictions =
    check_client_access hash:/etc/postfix/whitelist,
    check_sender_access hash:/etc/postfix/check_backscatterer,
    check_sender_access hash:/etc/postfix/check_spamcannibal,
    reject_rbl_client bl.spamcop.net,
    reject_rbl_client zen.spamhaus.org,
    reject_rbl_client cbl.abuseat.org,
    reject_rbl_client b.barracudacentral.org

I would have used this, but the postfix documentation never
showed the use of check_sender_access in smtpd_client_restrictions.

So I assume this is correct now?

As for the unknown, could selinux be stopping postfix from using the
DNS?  The DNS works as it serves out the DNS for the hosted domains.

Feb  9 22:31:55 server postfix/smtpd[25015]: connect from
unknown[189.6.3.109]

Yet when I do a reverse lookup of the IP from a prompt on the server, I
get the name.

Thanks!

David
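An added illustration, not code from the thread or from Postfix itself: a small Python simulation of the key order that access(5) documents for a check_client_access lookup, showing why Noel's single prod.mesa1.secureserver.net entry covers all six outbound hosts, what changes when parent_domain_matches_subdomains no longer contains smtpd_access_maps, and why a client logged as unknown[64.202.189.90] can only be whitelisted by address. The map contents and the client values below are constructed from the thread's own examples.

```python
# Added example (not from the thread or from Postfix): simulates the
# lookup order access(5) describes for a check_client_access map.

def client_lookup_keys(hostname, ip, parent_domain_matches_subdomains=True):
    """Return the keys Postfix tries, in order, for a connecting client.

    hostname: verified client name, or "unknown" when Postfix could not
              verify it (as in the log lines quoted in the thread).
    ip: client IPv4 address as a dotted quad.
    parent_domain_matches_subdomains: True when that parameter contains
              smtpd_access_maps (the default), so "domain.tld" also
              matches its subdomains; False means only ".domain.tld" does.
    """
    keys = []
    if hostname != "unknown":
        name = hostname.lower()
        keys.append(name)                          # the full client name
        labels = name.split(".")
        for i in range(1, len(labels)):            # then each parent domain
            parent = ".".join(labels[i:])
            keys.append(parent if parent_domain_matches_subdomains else "." + parent)
    # With no verified name, only the address keys below can match.
    octets = ip.split(".")
    for n in range(4, 0, -1):                      # a.b.c.d, a.b.c, a.b, a
        keys.append(".".join(octets[:n]))
    return keys


def lookup_action(access_map, hostname, ip, parent_domain_matches_subdomains=True):
    """Return the action of the first key present in access_map, else None."""
    for key in client_lookup_keys(hostname, ip, parent_domain_matches_subdomains):
        if key in access_map:
            return access_map[key]
    return None


if __name__ == "__main__":
    # Constructed whitelist: Noel's single entry instead of six host entries.
    whitelist = {"prod.mesa1.secureserver.net": "OK"}
    client = "k2smtpout02-01.prod.mesa1.secureserver.net"
    print(lookup_action(whitelist, client, "64.202.189.90"))     # OK
    print(lookup_action(whitelist, "unknown", "64.202.189.90"))  # None
    # Whitelisting by address works whatever the client name is.
    print(lookup_action({"64.202.189": "OK"}, "unknown", "64.202.189.90"))  # OK
```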
