Re: Bypass restrictions for postmaster/abuse

2017-03-09 Thread Viktor Dukhovni 

> On Mar 10, 2017, at 12:03 AM, /dev/rob0  wrote:
> 
> Sure, you can do what you want, and in theory it sounds prudent to 
> exempt postmaster & abuse from spam controls, but in practice, it 
> turns out only to be a way to get yourself a lot more spam.
> 
> I don't have enough rejections to be able to gauge what others are 
> doing at their sites.

At a small enough domain, one can take the view that a RBL listing
in SpamHaus is the sender's problem to resolve, since they'll have
issues sending email to half the planet.  Therefore, if you're only
blocking the same things that everyone else does, you don't need
a whitelist.  If you're maintaining manual filters beyond what's
common, a whitelist for postmaster may be prudent for such filters.

-- 
Viktor.

Re: Bypass restrictions for postmaster/abuse

2017-03-09 Thread /dev/rob0 
On Thu, Mar 09, 2017 at 04:12:32PM -0800, MRob wrote:
> On 2017-03-09 14:35, /dev/rob0 wrote:
> >On Thu, Mar 09, 2017 at 12:44:04PM -0800, MRob wrote:
> >>Are there any admins with opinions where in the order is best
> >>for postmaster/abuse whitelisting?
> >
> >My opinion is "don't do it."  I use smtpd_reject_footer to
> >point to my web page for frustrated human senders.  If they're
> >not smart enough to read the fine error message they got,
> >they're going to struggle with fixing the problem, also.
> >
> >One thing my page suggests is that they can contact me through
> >any typical freemail services, such as gmail, Yahoo, and GMX.
> >Which is true: my postscreen and smtpd restrictions do not
> >block them.
> 
> OK, that's a great idea. Thank you for the tip. Is this quite 
> common?

I can't speak to what is common, nor do I think anyone truly can.
But I can tell you my story.

I tried that, once, bypassing restrictions for my postmaster@ and 
abuse@ addresses.  Of all the addresses I have, my postmaster@ 
addresses are the most heavily spammed.

My site is small but it cannot be exclusive, because it's a free 
software project with worldwide users and contributors.  I've only 
seen a handful of actual, legitimate messages to postmaster.  (And 
then a few non-spam that should not have been sent to postmaster, 
also.)

Sure, you can do what you want, and in theory it sounds prudent to 
exempt postmaster & abuse from spam controls, but in practice, it 
turns out only to be a way to get yourself a lot more spam.

I don't have enough rejections to be able to gauge what others are 
doing at their sites.
-- 
  http://rob0.nodns4.us/
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:

Re: Bypass restrictions for postmaster/abuse

2017-03-09 Thread MRob 

On 2017-03-09 14:35, /dev/rob0 wrote:

On Thu, Mar 09, 2017 at 12:44:04PM -0800, MRob wrote:

Are there any admins with opinions where in the order is best
for postmaster/abuse whitelisting?


My opinion is "don't do it."  I use smtpd_reject_footer to point to
my web page for frustrated human senders.  If they're not smart
enough to read the fine error message they got, they're going to
struggle with fixing the problem, also.

One thing my page suggests is that they can contact me through any
typical freemail services, such as gmail, Yahoo, and GMX.  Which is
true: my postscreen and smtpd restrictions do not block them.


OK, that's a great idea. Thank you for the tip. Is this quite common?

Re: Bypass restrictions for postmaster/abuse

2017-03-09 Thread /dev/rob0 
On Thu, Mar 09, 2017 at 12:44:04PM -0800, MRob wrote:
> Are there any admins with opinions where in the order is best
> for postmaster/abuse whitelisting?

My opinion is "don't do it."  I use smtpd_reject_footer to point to 
my web page for frustrated human senders.  If they're not smart 
enough to read the fine error message they got, they're going to 
struggle with fixing the problem, also.

One thing my page suggests is that they can contact me through any 
typical freemail services, such as gmail, Yahoo, and GMX.  Which is 
true: my postscreen and smtpd restrictions do not block them.
-- 
  http://rob0.nodns4.us/
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:

Re: Bypass restrictions for postmaster/abuse

2017-03-09 Thread MRob 

On 2017-03-08 15:23, Noel Jones wrote:

On 3/8/2017 2:53 PM, MRob wrote:

Hello all,

Is there a best practices for exempting the postmaster/abuse address
from certain smtpd_mumble_restrictions?




The procedure to whitelist a recipient is to use a
check_recipient_access map prior to whatever rule might reject the
mail.  If you have restrictions in each of the smtpd_*_restrictions
sections, then you must add your whitelist in each section.
Exactly how you order your restrictions and where you put the
whitelist may vary depending on your needs.

Simple example assuming all your restrictions are in
smtpd_recipient_restrictions:

# /etc/postfix/whitelist_recipients
postmas...@example.com  OK

# main.cf
smtpd_recipient_restrictions =
  permit_mynetworks
  reject_unauth_destination
  check_recipient_access hash:/etc/postfix/whitelist_recipients
  reject_unknown_...
  reject_rbl_client ...
  ... more restrictions ...


Note: make sure your whitelist comes AFTER reject_unauth_destination
to prevent open-relay accidents.
http://www.postfix.org/SMTPD_ACCESS_README.html#danger


Thanks, Noel. Are there any admins with opinions where in the order is 
best for postmaster/abuse whitelisting?

Re: Bypass restrictions for postmaster/abuse

2017-03-09 Thread Ansgar Wiechers 
On 2017-03-08 Noel Jones wrote:
> On 3/8/2017 2:53 PM, MRob wrote:
>> Is there a best practices for exempting the postmaster/abuse address
>> from certain smtpd_mumble_restrictions?
> 
> The procedure to whitelist a recipient is to use a
> check_recipient_access map prior to whatever rule might reject the
> mail.  If you have restrictions in each of the smtpd_*_restrictions
> sections, then you must add your whitelist in each section.
> Exactly how you order your restrictions and where you put the
> whitelist may vary depending on your needs.
> 
> Simple example assuming all your restrictions are in
> smtpd_recipient_restrictions:
> 
> # /etc/postfix/whitelist_recipients
> postmas...@example.com  OK
> 
> # main.cf
> smtpd_recipient_restrictions =
>   permit_mynetworks
>   reject_unauth_destination
>   check_recipient_access hash:/etc/postfix/whitelist_recipients
>   reject_unknown_...
>   reject_rbl_client ...
>   ... more restrictions ...
> 
> Note: make sure your whitelist comes AFTER reject_unauth_destination
> to prevent open-relay accidents.
> http://www.postfix.org/SMTPD_ACCESS_README.html#danger

This is probably just personal preference, but in addition to
whitelisting postmaster recipients I put a client blacklist before the
whitelist where I block all clients who deemed sending spam to a
postmaster address a good idea.

Regards
Ansgar Wiechers
-- 
"Abstractions save us time working, but they don't save us time learning."
--Joel Spolsky

Re: Bypass restrictions for postmaster/abuse

2017-03-08 Thread Noel Jones 
On 3/8/2017 2:53 PM, MRob wrote:
> Hello all,
> 
> Is there a best practices for exempting the postmaster/abuse address
> from certain smtpd_mumble_restrictions?
> 


The procedure to whitelist a recipient is to use a
check_recipient_access map prior to whatever rule might reject the
mail.  If you have restrictions in each of the smtpd_*_restrictions
sections, then you must add your whitelist in each section.
Exactly how you order your restrictions and where you put the
whitelist may vary depending on your needs.

Simple example assuming all your restrictions are in
smtpd_recipient_restrictions:

# /etc/postfix/whitelist_recipients
postmas...@example.com  OK

# main.cf
smtpd_recipient_restrictions =
  permit_mynetworks
  reject_unauth_destination
  check_recipient_access hash:/etc/postfix/whitelist_recipients
  reject_unknown_...
  reject_rbl_client ...
  ... more restrictions ...


Note: make sure your whitelist comes AFTER reject_unauth_destination
to prevent open-relay accidents.
http://www.postfix.org/SMTPD_ACCESS_README.html#danger



  -- Noel Jones