I am seeing from our logs that clients attempting to send mail through our system are being (correctly) rejected when listed on one of the two RBLs we use, but this is happening even for clients NOT listed in /etc/postfix/relay-ip. My concern is that we are using more overhead than needed to look up their RBL status when they should have been rejected right off the bat. We are not an open relay, but do relay from selected IP blocks for known hotspot operators.

Below is our config, followed by a log entry indicating a mail that was turned down for RBL although it's from an unlisted relay-ip. Any hints on config tweaks to improve this type of setup most appreciated.

- Andrew

# postconf -n
alias_maps = hash:/etc/aliases
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
default_destination_recipient_limit = 50
default_process_limit = 10
disable_vrfy_command = yes
html_directory = no
local_recipient_maps =
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mydomain = mydomain.com
myhostname = mail.mydomain.com
mynetworks = 127.0.0.0/8, /etc/postfix/relay-ip
newaliases_path = /usr/bin/newaliases.postfix
readme_directory = /usr/share/doc/postfix-2.2.10/README_FILES
relay_domains = mydomain.com
relay_recipient_maps = hash:/etc/postfix/relay_recipients
relay_transport = smtp
sample_directory = /usr/share/doc/postfix-2.2.10/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_connect_timeout = 30s
smtp_helo_timeout = 60s
smtpd_banner = $myhostname ESMTP $mail_name
smtpd_client_connection_count_limit = 50
smtpd_client_connection_rate_limit = 50
smtpd_client_event_limit_exceptions = 127.0.0.0/8
smtpd_client_message_rate_limit = 50
smtpd_client_recipient_rate_limit = 50
smtpd_client_restrictions = permit_mynetworks
smtpd_data_restrictions = reject_unauth_pipelining, permit
smtpd_helo_required = yes
smtpd_helo_restrictions =
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination, reject_non_fqdn_recipient, reject_non_fqdn_sender, reject_unlisted_sender, reject_invalid_hostname, check_helo_access hash:/etc/postfix/helo_checks, check_sender_access hash:/etc/postfix/sender_access, check_recipient_access hash:/etc/postfix/roleaccount, reject_unknown_sender_domain, reject_rbl_client bl.spamcop.net, reject_rbl_client zen.spamhaus.org
smtpd_sender_restrictions =
unknown_local_recipient_reject_code = 550

==============================

Jul 29 08:07:42 dev postfix/smtpd[13997]: connect from unknown[58.239.110.2]
Jul 29 08:07:44 dev postfix/smtpd[13997]: NOQUEUE: reject: RCPT from unknown[58.239.110.2]: 554 Service unavailable; Client host [58.239.110.2] blocked using bl.spamcop.net; Blocked ...
Jul 29 08:07:44 dev postfix/smtpd[13997]: NOQUEUE: reject: RCPT from unknown[58.239.110.2]: 554 Service unavailable; Client host [58.239.110.2] blocked using bl.spamcop.net; Blocked ...
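
The following is an added example, not part of the original post and not Postfix code: a small Python model of how the smtpd_recipient_restrictions list above is walked in order until a restriction returns a verdict, counting how many RBL lookups each case costs. Assumptions: 192.0.2.0/24 stands in for the unseen contents of /etc/postfix/relay-ip, the RBL answer is simulated with a set, reject_unauth_destination is reduced to the relay_domains test, and the restrictions between it and the RBL checks are taken as not matching.

```python
import ipaddress

# Constructed stand-in: the post does not show what /etc/postfix/relay-ip contains.
MYNETWORKS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "192.0.2.0/24")]
RELAY_DOMAINS = {"mydomain.com"}   # relay_domains from the posted config
RBL_LISTED = {"58.239.110.2"}      # client from the log excerpt; simulates the DNS answer


def permit_mynetworks(client, rcpt, stats):
    ip = ipaddress.ip_address(client)
    return "PERMIT" if any(ip in net for net in MYNETWORKS) else "DUNNO"


def reject_unauth_destination(client, rcpt, stats):
    # Simplified: rejects only when the recipient domain is not in relay_domains.
    domain = rcpt.rsplit("@", 1)[1].lower()
    return "DUNNO" if domain in RELAY_DOMAINS else "REJECT"


def reject_rbl_client(zone):
    def check(client, rcpt, stats):
        stats["dns_lookups"] += 1  # each RBL restriction reached costs one lookup
        return "REJECT" if client in RBL_LISTED else "DUNNO"
    check.__name__ = "reject_rbl_client " + zone
    return check


# Same order as the posted list; intermediate checks omitted (assumed not to match).
RECIPIENT_RESTRICTIONS = [
    permit_mynetworks,
    reject_unauth_destination,
    reject_rbl_client("bl.spamcop.net"),
    reject_rbl_client("zen.spamhaus.org"),
]


def evaluate(client, rcpt):
    """Return (verdict, deciding restriction, RBL lookups performed)."""
    stats = {"dns_lookups": 0}
    for restriction in RECIPIENT_RESTRICTIONS:
        verdict = restriction(client, rcpt, stats)
        if verdict != "DUNNO":  # first PERMIT or REJECT ends the walk
            return verdict, restriction.__name__, stats["dns_lookups"]
    return "PERMIT", "end of list", stats["dns_lookups"]


if __name__ == "__main__":
    for rcpt in ("user@mydomain.com", "someone@example.org"):  # constructed recipients
        print(rcpt, evaluate("58.239.110.2", rcpt))
```

In this model an unlisted client reaches the RBL checks only when the recipient is in relay_domains; a relay attempt to any other domain is rejected by reject_unauth_destination with no lookup.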