I am seeing from our logs that clients attempting to send mail through
our system are being (correctly) rejected when listed on one of the
two RBLs we use, but this is happening even for clients NOT listed in
/etc/postfix/relay-ip. My concern is that we are using more overhead
than needed to look up their RBL status when they should have been
rejected right off the bat. We are not an open relay, but do relay
from selected IP blocks for known hotspot operators.

Below is our config followed by a log entry indicating a mail that was
turned down for RBL although it's from an unlisted relay-ip.

Any hints on config tweaks to improve this type of setup most appreciated.

- Andrew

# postconf -n
alias_maps = hash:/etc/aliases
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
default_destination_recipient_limit = 50
default_process_limit = 10
disable_vrfy_command = yes
html_directory = no
local_recipient_maps =
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mydomain = mydomain.com
myhostname = mail.mydomain.com
mynetworks = 127.0.0.0/8, /etc/postfix/relay-ip
newaliases_path = /usr/bin/newaliases.postfix
readme_directory = /usr/share/doc/postfix-2.2.10/README_FILES
relay_domains = mydomain.com
relay_recipient_maps = hash:/etc/postfix/relay_recipients
relay_transport = smtp
sample_directory = /usr/share/doc/postfix-2.2.10/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_connect_timeout = 30s
smtp_helo_timeout = 60s
smtpd_banner = $myhostname ESMTP $mail_name
smtpd_client_connection_count_limit = 50
smtpd_client_connection_rate_limit = 50
smtpd_client_event_limit_exceptions = 127.0.0.0/8
smtpd_client_message_rate_limit = 50
smtpd_client_recipient_rate_limit = 50
smtpd_client_restrictions = permit_mynetworks
smtpd_data_restrictions = reject_unauth_pipelining,  permit
smtpd_helo_required = yes
smtpd_helo_restrictions =
smtpd_recipient_restrictions = permit_mynetworks,
        reject_unauth_destination,
        reject_non_fqdn_recipient,
        reject_non_fqdn_sender,
        reject_unlisted_sender,
        reject_invalid_hostname,
        check_helo_access hash:/etc/postfix/helo_checks,
        check_sender_access hash:/etc/postfix/sender_access,
        check_recipient_access hash:/etc/postfix/roleaccount,
        reject_unknown_sender_domain,
        reject_rbl_client bl.spamcop.net,
        reject_rbl_client zen.spamhaus.org
smtpd_sender_restrictions =
unknown_local_recipient_reject_code = 550

==============================

Jul 29 08:07:42 dev postfix/smtpd[13997]: connect from unknown[58.239.110.2]
Jul 29 08:07:44 dev postfix/smtpd[13997]: NOQUEUE: reject: RCPT from
unknown[58.239.110.2]: 554 Service unavailable; Client host
[58.239.110.2] blocked using bl.spamcop.net; Blocked ...
Jul 29 08:07:44 dev postfix/smtpd[13997]: NOQUEUE: reject: RCPT from
unknown[58.239.110.2]: 554 Service unavailable; Client host
[58.239.110.2] blocked using bl.spamcop.net; Blocked ...

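An added example, not part of the original post: a simplified Python model of how the ordered smtpd_recipient_restrictions list in the posted config reaches a verdict, counting when a DNSBL lookup is actually made for a client outside mynetworks. The relay-ip contents, client addresses, recipient addresses and RBL listing are constructed assumptions, and only three of the posted restrictions are modelled.

```python
import ipaddress

# Constructed assumptions: the post does not show /etc/postfix/relay-ip or any
# DNSBL answers. 192.0.2.0/24 and 203.0.113.0/24 are documentation ranges.
MYNETWORKS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "192.0.2.0/24")]
RELAY_DOMAINS = {"mydomain.com"}   # relay_domains from the posted config
RBL_LISTED = {"203.0.113.7"}       # stand-in for a positive DNSBL answer


def permit_mynetworks(client, rcpt, stats):
    ip = ipaddress.ip_address(client)
    return "PERMIT" if any(ip in net for net in MYNETWORKS) else None


def reject_unauth_destination(client, rcpt, stats):
    # Simplified: only relay_domains is modelled, as an exact domain match.
    domain = rcpt.rsplit("@", 1)[-1].lower()
    return None if domain in RELAY_DOMAINS else "REJECT"


def reject_rbl_client(client, rcpt, stats):
    stats["dns_lookups"] += 1      # this is the overhead the post asks about
    return "REJECT" if client in RBL_LISTED else None


# Same relative order as in the posted smtpd_recipient_restrictions.
RESTRICTIONS = [permit_mynetworks, reject_unauth_destination, reject_rbl_client]


def evaluate(client, rcpt):
    """Return (verdict, deciding rule, DNSBL lookups made) for one RCPT TO."""
    stats = {"dns_lookups": 0}
    for rule in RESTRICTIONS:
        verdict = rule(client, rcpt, stats)
        if verdict:                # first PERMIT or REJECT ends evaluation
            return verdict, rule.__name__, stats["dns_lookups"]
    return "PERMIT", "end of list", stats["dns_lookups"]


if __name__ == "__main__":
    cases = [
        ("192.0.2.10", "user@example.net"),    # hotspot block relaying out
        ("203.0.113.7", "user@example.net"),   # unlisted client, relay attempt
        ("203.0.113.7", "user@mydomain.com"),  # unlisted client, inbound mail
        ("203.0.113.9", "user@mydomain.com"),  # unlisted, not on the RBL
    ]
    for client, rcpt in cases:
        print(client, rcpt, evaluate(client, rcpt))
```

In this model a relay attempt from a client outside mynetworks is refused by reject_unauth_destination before any lookup; the DNSBL is queried only for mail addressed to a domain in relay_domains.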