On Wed, 17 Nov 2010 21:10:09 +0100, Ralf Hildebrandt wrote:
> * vr :
>>
>> I have a sender from a web hosting company who is not able to send to
>> one of my users. The log entry looks like this:
>>
>> Nov 16 10:50:57 smtp postfix/smtpd[15063]: NOQUEUE: reject: RCPT from
>> ip67-89-97-251.z97-89-67.customer.algx.net[67.89.97.251]: 554 5.7.1
>> <ip67-89-97-251.z97-89-67.customer.algx.net[67.89.97.251]>: Client
>> host rejected: Access denied;
>> from=<prvs=1936c65064=sen...@senderdomain.tld>
>> to=<myu...@mydomain.tld> proto=ESMTP helo=<tigsnet.com>
>
> Why are you rejecting the client?
>
They (algx.net, XO Communications) have an established history with us
sending SPAM to our users.

>> I have "sen...@senderdomain.tld" in my whitelist (ok_by_email_hash)
>> but this sender still rejecting.
>
> Of course! The sender is NOT sen...@senderdomain.tld
> It's prvs=1936c65064=sen...@senderdomain.tld
>
> Which is something different
>
>> How do things like "prvs=1936c65064=" preceding a recipients email
>> address affect this
>
> They make the sender address different from what you check is checking
> for.
>
>> and how can I successfully permit that sender without re-working the
>> postfix configuration drastically?
>
> a) Don't block the client
> b) Allow that particular client
> c) Change the whitelist to use regexp instead:
>
> /^(prvs=[0-9a-f]+=)?sen...@senderdomain\.tld$/ OK
>
> This allows both
> prvs=...=sen...@senderdomain.tld
> and
> sen...@senderdomain.tld
>

Is there a way, maybe within a hash, to include all characters to the
left of a portion of an email address? I'm starting to see some
distribution lists using random strings of characters and I'd prefer to
stay away from authoring regular expressions, regularly.

>> smtpd_banner = Ready
> You shouldn't do that. The default banner announces ESMTP, yours
> should too!
>

Ok.
Changed to "ESMTP ready"

>> smtpd_recipient_restrictions =
>>     permit_mynetworks
>>     reject_unauth_destination
>
> check_sender_access regexp:/etc/postfix/ok_by_email.regexp
>
>>     check_sender_access hash:/etc/postfix/ok_by_email_hash
>>     check_sender_access hash:/etc/postfix/ok_by_domain_hash
>>     check_sender_access hash:/etc/postfix/access_hash
>>     check_client_access hash:/etc/postfix/ok_by_domain_hash
>>     check_client_access hash:/etc/postfix/access_hash
>>     warn_if_reject check_client_access hash:/etc/postfix/reject_by_ip_hash
>>     check_helo_access hash:/etc/postfix/ok_by_domain_hash
>>     check_helo_access hash:/etc/postfix/access_hash
>
> You're using this for both check_sender_access AND check_helo_access -
> this might not be useful
>
>>     check_client_access regexp:/etc/postfix/access_regexp
>>     check_recipient_access hash:/etc/postfix/reject_by_recipient_hash
>>     reject_unknown_reverse_client_hostname
>>     reject_unknown_client_hostname
>>     reject_non_fqdn_helo_hostname
>>     reject_invalid_helo_hostname
>>     reject_unknown_sender_domain
>>     reject_rbl_client dnsbl-1.uceprotect.net
>>     reject_rbl_client dnsbl-2.uceprotect.net
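
Added example, not part of the original message and not Postfix code: a Python model of how an exact hash key and the anchored regexp suggested in the reply treat a prvs-tagged sender, and what the same pattern admits once the ^ and $ anchors are dropped. sender@example.com and the sample addresses are constructed stand-ins for the elided address, and the hash lookup is simplified to the full-address key.

```python
import re

BASE = "sender@example.com"  # constructed stand-in for the elided address
TAG = "prvs=1936c65064="     # prefix as it appears in the log line above

# hash: table, simplified here to an exact lookup on the full address.
HASH_TABLE = {BASE: "OK"}

# regexp: table rules; the first has the shape of the pattern in the reply.
ANCHORED = [(r"^(prvs=[0-9a-f]+=)?sender@example\.com$", "OK")]
UNANCHORED = [(r"sender@example\.com", "OK")]  # anchors dropped, for contrast


def hash_lookup(table, sender):
    """Exact-key match: any prefix on the address makes it a different key."""
    return table.get(sender.lower())


def regexp_lookup(rules, sender):
    """First matching rule wins. Postfix regexp tables ignore case by default
    and match anywhere in the string unless the pattern is anchored."""
    for pattern, action in rules:
        if re.search(pattern, sender, re.IGNORECASE):
            return action
    return None


def classify(sender):
    """Return (hash result, anchored regexp result, unanchored regexp result)."""
    return (hash_lookup(HASH_TABLE, sender),
            regexp_lookup(ANCHORED, sender),
            regexp_lookup(UNANCHORED, sender))


SAMPLES = [  # constructed sender addresses
    BASE,
    TAG + BASE,
    TAG.upper() + "Sender@Example.COM",
    TAG + BASE + ".lookalike.test",
    "not-" + BASE,
]

if __name__ == "__main__":
    for s in SAMPLES:
        h, a, u = classify(s)
        print(f"{s:52} hash={h} anchored={a} unanchored={u}")
```

Only the anchored rule accepts both the plain and the tagged sender while still returning no match for the two lookalike addresses; the unanchored rule returns OK for all five.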