I need to allow a domain to bypass my RBL checks. I'm doing something wrong,
or I'm misunderstanding what I'm checking from my logs. I'd be grateful for an
assist to remedy.
This box is an old postfix install Postfix version 2.2.10. (I know, working on
migrating)
main.cf: (full postconf -n output follows below)
parent_domain_matches_subdomains = smtpd_access_maps
check_sender_access hash:/etc/postfix/sender_checks,
I need to let mail from outbound.protection.outlook.com, and bypass my RBL
checks. My old understanding is that the first OK "wins" (maybe not?), and I
have check sender before check RBL. I don't seem to be getting a match/OK on
it.
This is a sample log entry of what I'm trying to "OK" before it gets to my RBL
checks and thus fails:
Feb 28 12:45:13 host1 postfix/smtpd[10600]: connect from
mail-psaapc01on2101.outbound.protection.outlook.com[40.107.255.101]
Feb 28 12:45:14 host1 postfix/smtpd[10600]: NOQUEUE: reject: RCPT from
mail-psaapc01on2101.outbound.protection.outlook.com[40.107.255.101]: 554
Service unavailable; Client host [40.107.255.101] blocked using bl.spamcop.net;
Blocked - see https://www.spamcop.net/bl.shtml?40.107.255.101;
from= to=
proto=ESMTP helo=
Isn't the sender = connect from =
mail-psaapc01on2101.outbound.protection.outlook.com ?
In my sender_checks file I've tried:
outbound.protection.outlook.com OK
.outbound.protection.outlook.com OK # to match subdomains as an attempt to get
it to work.
Can I go that deep on subdomains (e.g. outbound.protection.outlook.com)? Or do
I need to only have ".outlook.com OK"
I tried testing my sender_checks file using:
postmap -q 'mail-mw2nam10on2100.outbound.protection.outlook.com'
hash:/etc/postfix/sender_checks
(does not match)
postmap -q 'outbound.protection.outlook.com' hash:/etc/postfix/sender_checks
OK #(matches)
In any case, what I'm doing does not prevent the RBL test that's after the
sender check from being passed.
-
postconf -n:
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
body_checks = pcre:/etc/postfix/body_checks.pcre
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
disable_vrfy_command = yes
html_directory = no
inet_interfaces = $host1, localhost
local_recipient_maps = hash:/etc/postfix/local_recipient
mail_owner = postfix
mail_spool_directory = /var/spool/mail
mailbox_size_limit = 483886080
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
message_size_limit = 20971520
mydestination = $host1, localhost.$mydomain, localhost, s-e-inc.com,
$mydomain
mydomain = example.com
host1 = host1.example.com
mynetworks = localhost,$localdomain, [& other local IPs]
myorigin = $host1
newaliases_path = /usr/bin/newaliases.postfix
parent_domain_matches_subdomains = smtpd_access_maps
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.2.10/README_FILES
recipient_bcc_maps = hash:/etc/postfix/recipient_bcc
relay_domains = mlec.com
relay_recipient_maps = hash:/etc/postfix/relay_recipients
sample_directory = /usr/share/doc/postfix-2.2.10/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_data_restrictions = reject_unauth_pipelining, permit
smtpd_helo_required = yes
smtpd_recipient_limit = 3000
smtpd_recipient_restrictions = reject_invalid_hostname,
reject_non_fqdn_hostname, reject_non_fqdn_sender, reject_non_fqdn_recipient,
permit_mynetworks, reject_unauth_destination, check_recipient_mx_access
hash:/etc/postfix/mx_access, check_sender_mx_access
hash:/etc/postfix/mx_access, reject_unknown_sender_domain,
check_recipient_access pcre:/etc/postfix/recipient_checks.pcre,
check_helo_access hash:/etc/postfix/helo_checks, check_sender_access
hash:/etc/postfix/sender_checks, check_client_access
hash:/etc/postfix/client_checks, check_client_access
pcre:/etc/postfix/client_checks.pcre, check_recipient_access
hash:/etc/postfix/access, reject_rbl_client zen.spamhaus.org=127.0.0.[2..255],
reject_rhsbl_client dbl.spamhaus.org=127.0.1.[2..99], reject_rhsbl_sender
dbl.spamhaus.org=127.0.1.[2..99], reject_rhsbl_helo
dbl.spamhaus.org=127.0.1.[2..99], reject_rbl_client psbl.surriel.com,
reject_rbl_client bl.spamcop.net, reject_rhsbl_sender
fresh.spameatingmonkey.net, reject_rhsbl_client fresh.spameatingmonkey.net,
reject_rhsbl_sender uribl.spameatingmonkey.net, reject_rhsbl_client
uribl.spameatingmonkey.net, reject_rbl_client
sip-sip24.metbpp3hnheh.invaluement.com, check_policy_service
unix:postgrey/socket, permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $host1
smtpd_sasl_security_options = noanonymous
smtpd_tls_CAfile = /etc/postfix/certs/cacert.pem
smtpd_tls_auth_only = yes
smtpd_tls_cert_file =