[pfx] postfix check_sender_access and subdomain test

2024-02-28 Thread lists--- via Postfix-users
I can tell you there is significant spam from that Microsoft IP space. That 
spamcop doesn't have false positives, but rather due to the sharing of IP 
space, senders that aren't spammers get tarred with the same brush as the 
spammers.  I did a grep on the maillog files and that is a firehose of spam.

Up to you of course. I have a few posts on the list trying to whitelist just 
one sender.
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org


[pfx] postfix check_sender_access and subdomain test

2024-02-28 Thread Scott Techlist via Postfix-users
I need to allow a domain to bypass my RBL checks.  I'm doing something wrong,
or I'm misunderstanding what I'm checking from my logs.  I'd be grateful for an
assist to remedy.

This box is an old postfix install Postfix version 2.2.10. (I know, working on
migrating)

main.cf: (full postconf -n output follows below)

  parent_domain_matches_subdomains = smtpd_access_maps
  check_sender_access hash:/etc/postfix/sender_checks,

I need to let mail from outbound.protection.outlook.com, and bypass my RBL
checks. My old understanding is that the first OK "wins" (maybe not?), and I
have check sender before check RBL.  I don't seem to be getting a match/OK on
it.

This is a sample log entry of what I'm trying to "OK" before it gets to my RBL
checks and thus fails:

  Feb 28 12:45:13 host1 postfix/smtpd[10600]: connect from mail-psaapc01on2101.outbound.protection.outlook.com[40.107.255.101]
  Feb 28 12:45:14 host1 postfix/smtpd[10600]: NOQUEUE: reject: RCPT from mail-psaapc01on2101.outbound.protection.outlook.com[40.107.255.101]: 554 Service unavailable; Client host [40.107.255.101] blocked using bl.spamcop.net; Blocked - see https://www.spamcop.net/bl.shtml?40.107.255.101; from= to= proto=ESMTP helo=

Isn't the sender = connect from =
mail-psaapc01on2101.outbound.protection.outlook.com ?

In my sender_checks file I've tried:

  outbound.protection.outlook.com OK
  .outbound.protection.outlook.com OK # to match subdomains as an attempt to get it to work.

Can I go that deep on subdomains (e.g. outbound.protection.outlook.com)? Or do
I need to only have ".outlook.com OK"

I tried testing my sender_checks file using:

  postmap -q 'mail-mw2nam10on2100.outbound.protection.outlook.com' hash:/etc/postfix/sender_checks
  (does not match)

  postmap -q 'outbound.protection.outlook.com' hash:/etc/postfix/sender_checks
  OK #(matches)

In any case, what I'm doing does not prevent the RBL test that's after the
sender check from being passed.

-

postconf -n:

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
body_checks = pcre:/etc/postfix/body_checks.pcre
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
disable_vrfy_command = yes
html_directory = no
inet_interfaces = $host1, localhost
local_recipient_maps = hash:/etc/postfix/local_recipient
mail_owner = postfix
mail_spool_directory = /var/spool/mail
mailbox_size_limit = 483886080
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
message_size_limit = 20971520
mydestination = $host1, localhost.$mydomain, localhost, s-e-inc.com, $mydomain
mydomain = example.com
host1 = host1.example.com
mynetworks = localhost,$localdomain, [& other local IPs]
myorigin = $host1
newaliases_path = /usr/bin/newaliases.postfix
parent_domain_matches_subdomains = smtpd_access_maps
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.2.10/README_FILES
recipient_bcc_maps = hash:/etc/postfix/recipient_bcc
relay_domains = mlec.com
relay_recipient_maps = hash:/etc/postfix/relay_recipients
sample_directory = /usr/share/doc/postfix-2.2.10/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_data_restrictions = reject_unauth_pipelining, permit
smtpd_helo_required = yes
smtpd_recipient_limit = 3000
smtpd_recipient_restrictions = reject_invalid_hostname,
  reject_non_fqdn_hostname,
  reject_non_fqdn_sender,
  reject_non_fqdn_recipient,
  permit_mynetworks,
  reject_unauth_destination,
  check_recipient_mx_access hash:/etc/postfix/mx_access,
  check_sender_mx_access hash:/etc/postfix/mx_access,
  reject_unknown_sender_domain,
  check_recipient_access pcre:/etc/postfix/recipient_checks.pcre,
  check_helo_access hash:/etc/postfix/helo_checks,
  check_sender_access hash:/etc/postfix/sender_checks,
  check_client_access hash:/etc/postfix/client_checks,
  check_client_access pcre:/etc/postfix/client_checks.pcre,
  check_recipient_access hash:/etc/postfix/access,
  reject_rbl_client zen.spamhaus.org=127.0.0.[2..255],
  reject_rhsbl_client dbl.spamhaus.org=127.0.1.[2..99],
  reject_rhsbl_sender dbl.spamhaus.org=127.0.1.[2..99],
  reject_rhsbl_helo dbl.spamhaus.org=127.0.1.[2..99],
  reject_rbl_client psbl.surriel.com,
  reject_rbl_client bl.spamcop.net,
  reject_rhsbl_sender fresh.spameatingmonkey.net,
  reject_rhsbl_client fresh.spameatingmonkey.net,
  reject_rhsbl_sender uribl.spameatingmonkey.net,
  reject_rhsbl_client uribl.spameatingmonkey.net,
  reject_rbl_client sip-sip24.metbpp3hnheh.invaluement.com,
  check_policy_service unix:postgrey/socket,
  permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $host1
smtpd_sasl_security_options = noanonymous
smtpd_tls_CAfile = /etc/postfix/certs/cacert.pem
smtpd_tls_auth_only = yes
smtpd_tls_cert_file =
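Added example, not part of either post and not Postfix code: a simplified Python model of the lookup keys described in access(5), showing how the same "outbound.protection.outlook.com OK" entry is treated by check_sender_access, check_client_access and postmap -q. The function names and the MAIL FROM address are constructed for illustration; the client name, IP and table entry are the ones quoted in the post.

```python
# Simplified model of access(5) lookup keys; not Postfix source (IPv4 only, no address extensions).

def domain_keys(name, parent_style=True):
    """Keys tried for a host or domain name, most specific first."""
    labels = name.lower().rstrip(".").split(".")
    keys = [".".join(labels)]
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        # Bare parents when smtpd_access_maps is in parent_domain_matches_subdomains.
        keys.append(parent if parent_style else "." + parent)
    return keys

def sender_keys(mail_from, parent_style=True):
    """check_sender_access: keys derive from the envelope MAIL FROM address."""
    addr = mail_from.lower()
    local, _, domain = addr.rpartition("@")
    return [addr] + domain_keys(domain, parent_style) + [local + "@"]

def client_keys(name, ip, parent_style=True):
    """check_client_access: keys derive from the connecting host name and IP."""
    octets = ip.split(".")
    nets = [".".join(octets[:n]) for n in range(4, 0, -1)]
    return domain_keys(name, parent_style) + nets

def lookup(table, keys):
    """First matching action, or None when the restriction finds nothing."""
    return next((table[k] for k in keys if k in table), None)

def postmap_q(table, key):
    """postmap -q queries the literal key only; it does no parent-domain walk."""
    return table.get(key.lower())

# First sender_checks entry from the post, held in a dict.
SENDER_CHECKS = {"outbound.protection.outlook.com": "OK"}
# Client name and IP are taken from the log sample in the post. Its from= value
# is blank on the page, so MAIL_FROM is a constructed placeholder.
CLIENT_NAME = "mail-psaapc01on2101.outbound.protection.outlook.com"
CLIENT_IP = "40.107.255.101"
MAIL_FROM = "someone@customer.example"

def demo():
    return {
        "sender": lookup(SENDER_CHECKS, sender_keys(MAIL_FROM)),
        "client": lookup(SENDER_CHECKS, client_keys(CLIENT_NAME, CLIENT_IP)),
        "postmap": postmap_q(SENDER_CHECKS, CLIENT_NAME),
    }

if __name__ == "__main__":
    print(demo())
```

The posted smtpd_recipient_restrictions already runs check_client_access hash:/etc/postfix/client_checks ahead of the reject_rbl_client entries, which is the table type keyed on the connecting host. An OK for the whole outbound.protection.outlook.com suffix exempts every sender behind that shared pool from the RBL checks, the trade-off the first reply in the thread describes.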