On 8/4/2013 9:54 PM, Noel Jones wrote: > On 8/4/2013 8:06 PM, Ronald F. Guilmette wrote: ... >> Also, I have just added all of the following to my >> smtpd_recipient_restrictions: >> >> reject_rhsbl_reverse_client multi.surbl.org >> reject_rhsbl_reverse_client multi.uribl.com >> reject_rhsbl_reverse_client dbl.spamhaus.org >> reject_rhsbl_sender multi.surbl.org >> reject_rhsbl_sender multi.uribl.com >> reject_rhsbl_sender dbl.spamhaus.org >> reject_rhsbl_helo multi.surbl.org >> reject_rhsbl_helo multi.uribl.com >> reject_rhsbl_helo dbl.spamhaus.org >> >> For the time being, and mostly just to see how effective these filters >> are on their own, I have these listed in my smtpd_recipient_restrictions >> *prior to* several subsequent reject_rbl_client clauses. Oddly however, >> in spite of the ordering, it is appearing to me as if perhaps the above >> RHS filters are either not actually being applied or else are being applied >> _after_ the subsequent reject_rbl_client filters. Certainly, some spam >> that I believe should have been rejected on the basis of one or another >> of the above RHS filters I am instead seeing (in my maillog file) being >> rejected instead by one or another of the subsequent reject_rbl_client >> filters. What could I be doing wrong? > > Doing RBL client checks in postscreen?
That would be one cause. Another could be having duplicate reject_rbl_client statements in smtpd_client_restrictions. Ron, putting all of your restriction statements under smtpd_recipient_restrictions and removing the others, i.e. smtpd_client_restrictions smtpd_helo_restrictions smtpd_sender_restrictions is beneficial especially when troubleshooting things of this nature, where evaluation order matters. Since smtpd_delay_reject is enabled by default you can put all restrictions in smtpd_recipient_restrictions. http://www.postfix.org/postconf.5.html#smtpd_delay_reject In your current case, if you have a reject_rbl_client statement in smtpd_client_restrictions it will evaluate first, and first match wins. So the rejection occurs before evaluation reaches say reject_rhsbl_helo dbl.spamhaus.org in your smtpd_recipient_restrictions. This may not be what's happening in this case, but putting all restrictions under smtpd_recipient_restrictions is good practice regardless. It also makes complex whitelisting setups much easier, etc, etc. -- Stan
