Re: default configuration blocks legitimate mail (0.1.14 beta-6)
> Yes this is what I ended up doing but I wish it had not been rejected in > the first place, always have to lose that first e-mail. :( If a person can't read RFC 2821 and can't read the documentation for the MTA they are running, yet still think they can run a mail server, you really shouldn't feel bad if the mail is rejected. The helo from that server directly violates RFC. You can't let every broken mail server to pass through your filters. What you do is the right thing (in my opinion), only whitelist if a complaint is raised against a blocked message. In my case the whitelist is a temporary 1 week list, and I send them links to the relevant documentation from Microsoft's website on how to configure their server. I personally have to wonder when I know more about an MTA I have never used than the people who are using it. -- Kenny Dail <[EMAIL PROTECTED]> Policyd-weight Mailinglist - http://www.policyd-weight.org/
Re: default configuration blocks legitimate mail (0.1.14 beta-6)
On Thu, Sep 13, 2007 at 05:56:07AM -0400, Justin Piszcz wrote: > > > On Thu, 13 Sep 2007, Francis Galiegue wrote: > > >Le jeudi 13 septembre 2007, Justin Piszcz a écrit : > >>Aug 20 18:23:36 l2 postfix/smtpd[11969]: NOQUEUE: reject: RCPT from > >>smtp2.netcabo.pt[212.113.174.29]: 550 5.7.1 <[EMAIL PROTECTED]>: Recipient > >>address rejected: Mail appeared to be SPAM or forged. Ask your > >>Mail/DNS-Administrator to correct HELO and DNS MX settings or to get > >>removed from DNSBLs; MTA helo: exch01smtp09.hdi.tvcabo, MTA hostname: > >>smtp2.netcabo.pt[212.113.174.29] (helo/hostname mismatch); > >>from=<[EMAIL PROTECTED]> to=<[EMAIL PROTECTED]> proto=ESMTP > >>helo= > >> > >># VERSION: 0.1.14 beta-6 > >> > >>We see here that the ISP is tvcabo in Portugal but that they are going > >>through an exchange server and it passed all of my postfix checks no > >>errors, but it died here. > >> > >>Can we make either an exception for exch* (exhcange hosts) or somehow be > >>more careful with this type of mail? > >> > >>I am not sure of the best approach but just reporting this and asking > >>for suggestions. > >> > >>Thanks! > >> > > > >This should be done at the Postfix level. A good way of doing this is to add > >in smtpd_recipient_restrictions the following: > > > >smtpd_recipient_restrictions = , > > check_client_access hash:/etc/postfix/client_exceptions, > > > > > >Be sure to add the check_client_access BEFORE policyd. > > > >In /etc/postfix/client_exceptions, put: > > > >the.ip.address OK > ># You can put a hostname instead of an IP address if you wish > > > >and compile the map with: > > > >postmap /etc/postfix/client_exceptions > > > >Once it's done, reload postfix (a restart is NOT needed). > > > > Yes this is what I ended up doing but I wish it had not been rejected in the > first place, always have to lose > that first e-mail. :( you could set up a pcre map smtpd_recipient_restrictions = ... reject_unauth_destinaion ... check_client_access pcre:/etc/postfix/exchange_exceptions.pcre check_policy_service ... /etc/postfix/exchange_exceptions.pcre /[^.]*(exch|smtp).*\..*\../ OK This won't help with postfix' "unknown" clients, though (I think). Also, you want to make exceptions based on a _failing_ HELO, so you would have to do a smtpd_recipient_restrictions = ... reject_unauth_destinaion ... check_helo_access pcre:/etc/postfix/exchange_exceptions.pcre check_policy_service ... with the file like above in order to allow broken exchanges, or clients which act like broken exchanges. This would mean, anyone who says "HELO exchange.blah.nonresolving" will not be handed to policyd-weight -- Robert Felber (PGP: 896CF30B) Munich, Germany Policyd-weight Mailinglist - http://www.policyd-weight.org/
Re: default configuration blocks legitimate mail (0.1.14 beta-6)
On Thu, 13 Sep 2007, Francis Galiegue wrote: Le jeudi 13 septembre 2007, Justin Piszcz a écrit : Aug 20 18:23:36 l2 postfix/smtpd[11969]: NOQUEUE: reject: RCPT from smtp2.netcabo.pt[212.113.174.29]: 550 5.7.1 <[EMAIL PROTECTED]>: Recipient address rejected: Mail appeared to be SPAM or forged. Ask your Mail/DNS-Administrator to correct HELO and DNS MX settings or to get removed from DNSBLs; MTA helo: exch01smtp09.hdi.tvcabo, MTA hostname: smtp2.netcabo.pt[212.113.174.29] (helo/hostname mismatch); from=<[EMAIL PROTECTED]> to=<[EMAIL PROTECTED]> proto=ESMTP helo= # VERSION: 0.1.14 beta-6 We see here that the ISP is tvcabo in Portugal but that they are going through an exchange server and it passed all of my postfix checks no errors, but it died here. Can we make either an exception for exch* (exhcange hosts) or somehow be more careful with this type of mail? I am not sure of the best approach but just reporting this and asking for suggestions. Thanks! This should be done at the Postfix level. A good way of doing this is to add in smtpd_recipient_restrictions the following: smtpd_recipient_restrictions = , check_client_access hash:/etc/postfix/client_exceptions, Be sure to add the check_client_access BEFORE policyd. In /etc/postfix/client_exceptions, put: the.ip.address OK # You can put a hostname instead of an IP address if you wish and compile the map with: postmap /etc/postfix/client_exceptions Once it's done, reload postfix (a restart is NOT needed). Hope it helps, -- Francis Galiegue, [EMAIL PROTECTED] [ATTENTION - CHANGEMENT D'ADRESSE !] 40 av Raymond Poincaré, 75016 PARIS +33178945570, +33683877875 Policyd-weight Mailinglist - http://www.policyd-weight.org/ Yes this is what I ended up doing but I wish it had not been rejected in the first place, always have to lose that first e-mail. :( Justin.
Re: default configuration blocks legitimate mail (0.1.14 beta-6)
Le jeudi 13 septembre 2007, Justin Piszcz a écrit : > Aug 20 18:23:36 l2 postfix/smtpd[11969]: NOQUEUE: reject: RCPT from > smtp2.netcabo.pt[212.113.174.29]: 550 5.7.1 <[EMAIL PROTECTED]>: Recipient > address rejected: Mail appeared to be SPAM or forged. Ask your > Mail/DNS-Administrator to correct HELO and DNS MX settings or to get > removed from DNSBLs; MTA helo: exch01smtp09.hdi.tvcabo, MTA hostname: > smtp2.netcabo.pt[212.113.174.29] (helo/hostname mismatch); > from=<[EMAIL PROTECTED]> to=<[EMAIL PROTECTED]> proto=ESMTP > helo= > > # VERSION: 0.1.14 beta-6 > > We see here that the ISP is tvcabo in Portugal but that they are going > through an exchange server and it passed all of my postfix checks no > errors, but it died here. > > Can we make either an exception for exch* (exhcange hosts) or somehow be > more careful with this type of mail? > > I am not sure of the best approach but just reporting this and asking > for suggestions. > > Thanks! > This should be done at the Postfix level. A good way of doing this is to add in smtpd_recipient_restrictions the following: smtpd_recipient_restrictions = , check_client_access hash:/etc/postfix/client_exceptions, Be sure to add the check_client_access BEFORE policyd. In /etc/postfix/client_exceptions, put: the.ip.address OK # You can put a hostname instead of an IP address if you wish and compile the map with: postmap /etc/postfix/client_exceptions Once it's done, reload postfix (a restart is NOT needed). Hope it helps, -- Francis Galiegue, [EMAIL PROTECTED] [ATTENTION - CHANGEMENT D'ADRESSE !] 40 av Raymond Poincaré, 75016 PARIS +33178945570, +33683877875 Policyd-weight Mailinglist - http://www.policyd-weight.org/
Re: default configuration blocks legitimate mail (0.1.14 beta-6)
On Thu, Sep 13, 2007 at 04:54:26AM -0400, Justin Piszcz wrote: > Aug 20 18:23:36 l2 postfix/smtpd[11969]: NOQUEUE: reject: RCPT from > smtp2.netcabo.pt[212.113.174.29]: 550 5.7.1 > <[EMAIL PROTECTED]>: Recipient address rejected: Mail appeared to be SPAM or > forged. Ask your Mail/DNS-Administrator to correct > HELO and DNS MX settings or to get removed from DNSBLs; MTA helo: > exch01smtp09.hdi.tvcabo, MTA hostname: > smtp2.netcabo.pt[212.113.174.29] (helo/hostname mismatch); from=<[EMAIL > PROTECTED]> to=<[EMAIL PROTECTED]> proto=ESMTP > helo= > > # VERSION: 0.1.14 beta-6 > > We see here that the ISP is tvcabo in Portugal but that they are going > through an exchange server and it passed all of my postfix checks no > errors, but it died here. > > Can we make either an exception for exch* (exhcange hosts) or somehow be > more careful with this type of mail? > > I am not sure of the best approach but just reporting this and asking > for suggestions. Two options: 1: increase REJECTLEVEL (with the default it has a score of 1.5, so you'd have to increase it to at least 1.51, which allows spammers/virus without RBL listings to come through) or 2: whitelist the client (domain) cia postfix' check_client_access or 3: obviously not possible: the remote mta sets smtp2.netcabo.pt as helo. I don't see any other way, not even SPF lookups would lead to some improvement. -- Robert Felber (PGP: 896CF30B) Munich, Germany Policyd-weight Mailinglist - http://www.policyd-weight.org/
