Don't forget to put your shortcircuit.cf in smtpd_{helo, sender,
recipient, data}_restrictions.

Or even better, to prevent any unintentional open relay have your
shortcircuit.cf return "permit_auth_destination" rather than simply OK.


  -- Noel Jones


On 11/28/2016 9:22 PM, Michael Munger wrote:
> Good timing. I was just trying to figure out why a domain on the
> whitelist was still caught by an rbl when you sent this. Thank you.
> 
> To fix the issue, I have added an additional check_sender_access:
> 
> smtpd_client_restrictions = check_sender_access mysql:/etc/postfix/whitelist.cf,
>                         check_sender_access mysql:/etc/postfix/shortcircuit.cf,
>                         reject_rbl_client dnsbl.sorbs.net,
>                         reject_rbl_client b.barracudacentral.org,
>                         reject_rbl_client cbl.abuseat.org,
>                         reject_rbl_client bl.spamcop.net,
>                         reject_rbl_client zen.spamhaus.org,
>                         reject_rbl_client dnsbl-1.uceprotect.net,
>                         reject_rbl_client dnsrbl.org,
>                         reject_rbl_client bad.psky.me,
>                         check_sender_access mysql:/etc/postfix/blacklist.cf
> 
> Contents of shortcircuit.cf:
> 
> user = postfix
> password = foopass
> dbname = postfix
> query = SELECT 'OK' AS whitelist_action FROM whitelist WHERE whitelist_domain = '%s'
> hosts = 127.0.0.1
> 
> Michael Munger, dCAP, MCPS, MCNPS, MBSS
> High Powered Help, Inc.
> Microsoft Certified Professional
> Microsoft Certified Small Business Specialist
> Digium Certified Asterisk Professional
> mich...@highpoweredhelp.com
>
> On 11/28/2016 10:12 PM, Noel Jones wrote:
>> On 11/28/2016 8:14 PM, Michael Munger wrote:
>>
>> ...
>>> we simply changed the action
>>> from "OK" to "FILTER relay:192.168.10.81". This means that inbound
>>> mail, once it is discovered to be on a whitelist, is immediately
>>> relayed to our Exchange server.
>> No, the mail is not immediately relayed. It goes through the rest of
>> the configured restrictions, is queued, and is then relayed to the
>> next-hop specified by your FILTER statement. Of particular interest
>> is that FILTER -- similar to DUNNO -- does not skip further checking
>> such as rbl lookups or hostname restrictions.
>>
>> To both set the next-hop AND skip further postfix restriction
>> processing, you need two check_sender_access tables; the first to
>> return FILTER and the second to return OK to skip further checks.
>>
>>
>>
>>   -- Noel Jones
> 
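
An added example, not part of the original thread and not Postfix code: a simplified Python model of a single restriction list, showing the two points made in the thread, that FILTER does not skip later checks and that a sender lookup returning OK ahead of the relay check permits relaying where permit_auth_destination does not. The domains, client addresses, table rows and function names are assumptions made for illustration.

```python
# Simplified model of one smtpd_*_restrictions list (not Postfix code).
# Domains, client addresses and table rows below are constructed samples.
LOCAL_DOMAINS = {"example.org"}      # assumed mydestination / relay_domains
WHITELIST = {"partner.example"}      # assumed rows in the whitelist table
RBL_LISTED = {"203.0.113.7"}         # assumed DNSBL-listed client

def domain(addr):
    return addr.rsplit("@", 1)[1].lower()

def sender_table(action):
    """check_sender_access lookup returning `action` for whitelisted senders."""
    def check(msg):
        if domain(msg["sender"]) not in WHITELIST:
            return "DUNNO"
        if action == "permit_auth_destination":
            # A table result may name a restriction; evaluate it in place.
            return "OK" if domain(msg["rcpt"]) in LOCAL_DOMAINS else "DUNNO"
        return action
    return check

def reject_unauth_destination(msg):
    return "DUNNO" if domain(msg["rcpt"]) in LOCAL_DOMAINS else "REJECT"

def reject_rbl_client(msg):
    return "REJECT" if msg["client"] in RBL_LISTED else "DUNNO"

def evaluate(restrictions, msg):
    """First OK or REJECT ends the list; DUNNO and FILTER fall through."""
    next_hop = None
    for check in restrictions:
        result = check(msg)
        if result.startswith("FILTER "):
            next_hop = result.split(None, 1)[1]  # recorded, not terminal
        elif result == "OK":
            return "permit", next_hop
        elif result == "REJECT":
            return "reject", next_hop
    return "permit", next_hop  # nothing in this list rejected

filter_table = sender_table("FILTER relay:192.168.10.81")
TAIL = [reject_unauth_destination, reject_rbl_client]
inbound = {"sender": "a@partner.example", "rcpt": "u@example.org", "client": "203.0.113.7"}
forged = {"sender": "a@partner.example", "rcpt": "v@elsewhere.example", "client": "198.51.100.9"}

if __name__ == "__main__":
    for name, extra in (("FILTER only", []), ("FILTER + OK", [sender_table("OK")]),
                        ("FILTER + permit_auth_destination", [sender_table("permit_auth_destination")])):
        for label, msg in (("inbound", inbound), ("forged-sender relay", forged)):
            print(f"{name:34} {label:20} {evaluate([filter_table] + extra + TAIL, msg)}")
```

The model covers one list only; Postfix evaluates each smtpd_*_restrictions list separately, which is why the shortcircuit lookup has to appear in every list whose checks should be skipped. In Postfix 2.10 and later, smtpd_relay_restrictions is also evaluated on its own, so the relay exposure shown here arises when the relay check lives only in the list that holds the OK lookup.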
