On 4/26/2012 10:37 AM, Jim Reid wrote:
> Hi. There must be a glaringly obvious solution to my problem that I
> can't see for looking at it. Can anyone help?
> 
> A few "trusted" senders have trouble getting past my server's
> vicious anti-spam defences. Sometimes their mail is sent over IPv6
> from a source address that has no reverse DNS entry. For others,
> their connections come from blacklisted IPv4 addresses: for instance
> one of hotmail's outbound SMTP engines. This results in false
> positives for these senders and their inbound mail getting rejected.
> Sigh. The senders can't do anything about the naughty addresses
> their mail might get sent from, so I need to tweak my postfix setup
> somehow to let their mail through yet keep the spammers out.
> 
> My thought was to set up an access map to allow incoming mail from
> these approved sender addresses. ie If the sending address in the
> SMTP envelope was in some list of trusted senders, accept the
> incoming mail. [Yes, I know MAIL FROM can be trivially forged but
> can live with that. Security through obscurity for these trusted
> addresses should be good enough to keep the spammers away.] However,
> when a hit is made against this access map, the remaining
> smtpd_*_restrictions still get checked. That means the inbound mail
> gets rejected because the connection is from a dodgy IP address even
> though the sender's SMTP envelope is supposedly trusted.
> 
> What have I missed? Is there some way to bypass the reverse DNS and
> RBL checks for trusted SMTP envelopes or would that involve doing
> some sort of before queue filtering (with postscreen)?
> 
> Here are the relevant snippets of my configuration:
> 

Your "okclients" list contains sender addresses, not clients.  I
suggest renaming it to oksenders to prevent confusion.

> smtpd_client_restrictions = permit_mynetworks
>         check_client_access hash:/etc/postfix/okclients

This must be
   check_sender_access hash:/etc/postfix/oksenders


>         reject_rbl_client zen.spamhaus.org
>         reject_unknown_client_hostname
>         permit
> 
> smtpd_recipient_restrictions = permit_mynetworks
>         check_recipient_access hash:/etc/postfix/okclients

You *MUST* remove this.
http://www.postfix.org/SMTPD_ACCESS_README.html#danger


>         reject_non_fqdn_sender
>         reject_non_fqdn_recipient
>         reject_unknown_recipient_domain

Typically, you would have here:
    permit_mynetworks

>         reject_unauth_destination

Put here:
   check_sender_access hash:/etc/postfix/oksenders

>         reject_unauth_pipelining
> 
> And in okclients, there are entries like:
> 
> trus...@example.com    OK
> 
> If someone can apply clue, I'd be grateful.
> 



  -- Noel Jones
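
Added example, not part of the original thread and not Postfix code: a small audit of the two problems pointed out in the reply above, run over the configuration as quoted. The function names are hypothetical, and the map entry is a constructed placeholder address, not one from the thread.

```python
import re

# Constructed sample: the restriction lists as quoted in the thread.
MAIN_CF = """\
smtpd_client_restrictions = permit_mynetworks
        check_client_access hash:/etc/postfix/okclients
        reject_rbl_client zen.spamhaus.org
        reject_unknown_client_hostname
        permit
smtpd_recipient_restrictions = permit_mynetworks
        check_recipient_access hash:/etc/postfix/okclients
        reject_non_fqdn_sender
        reject_non_fqdn_recipient
        reject_unknown_recipient_domain
        reject_unauth_destination
        reject_unauth_pipelining
"""
# Constructed map source; the address is a placeholder, not one from the thread.
MAPS = {"hash:/etc/postfix/okclients": "someone@example.com    OK\n"}

def parse_main_cf(text):
    """Return {parameter: [tokens]}; a line starting with whitespace continues the previous one."""
    params, name = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and name:
            params[name] += line.replace(",", " ").split()
        elif "=" in line:
            name, value = (s.strip() for s in line.split("=", 1))
            params[name] = value.replace(",", " ").split()
    return params

def lookups_before_relay_check(params):
    """Access-map lookups placed ahead of reject_unauth_destination in the recipient list."""
    t = params.get("smtpd_recipient_restrictions", [])
    stop = t.index("reject_unauth_destination") if "reject_unauth_destination" in t else len(t)
    return [(t[i], t[i + 1]) for i in range(stop - 1) if re.fullmatch(r"check_\w+_access", t[i])]

def client_maps_keyed_by_address(params, maps):
    """Maps used with check_client_access whose keys look like e-mail addresses."""
    used = [t[i + 1] for t in params.values() for i in range(len(t) - 1)
            if t[i] == "check_client_access"]
    return [m for m in used
            if any("@" in ln.split()[0] for ln in maps.get(m, "").splitlines() if ln.strip())]

if __name__ == "__main__":
    p = parse_main_cf(MAIN_CF)
    print("lookups before relay check:", lookups_before_relay_check(p))
    print("client maps keyed by address:", client_maps_keyed_by_address(p, MAPS))
```

Both checks come back empty for the layout suggested in the reply, where check_sender_access follows reject_unauth_destination.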
