Roland Vogt wrote:

>I'm using Cluebringer with Postfix and I have some troubles. When I
>try to send a mail from Thunderbird, I get this error : "Sender
>address rejected, try again later".

>Aug 30 09:18:34 testing-puppet postfix/smtpd[7331]: 127.0.0.1:10031:
>wanted attribute: action
>Aug 30 09:18:34 testing-puppet postfix/smtpd[7331]: input attribute
>name: action
>Aug 30 09:18:34 testing-puppet postfix/smtpd[7331]: input attribute
>value: DUNNO
>Aug 30 09:18:34 testing-puppet postfix/smtpd[7331]: 127.0.0.1:10031:
>wanted attribute: (list terminator)
>Aug 30 09:18:34 testing-puppet postfix/smtpd[7331]: input attribute
>name: (end)
>Aug 30 09:18:34 testing-puppet postfix/smtpd[7331]:
>check_table_result: inet:127.0.0.1:10031 DUNNO policy query

OK, so this bit says the policy server said "DUNNO", so Postfix then moves on to the next check :

>Aug 30 09:18:34 testing-puppet postfix/smtpd[7331]: generic_checks:
>name=check_policy_service status=0
>Aug 30 09:18:34 testing-puppet postfix/smtpd[7331]: generic_checks: name=defer

And the next check said defer, so that's what Postfix said to the client :

>Aug 30 09:18:34 testing-puppet postfix/smtpd[7331]: NOQUEUE: reject:
>RCPT from unknown[192.168.170.85]: 450 4.3.2 <[email protected]>:
>Sender address rejected: Try again later; from=<[email protected]>
>to=<[email protected]> proto=ESMTP helo=<[192.168.170.85]>

>[main.cf]
> ...
>smtpd_sender_restrictions = check_policy_service inet:127.0.0.1:10031 defer
>#smtpd_recipient_restrictions = check_policy_service
>inet:192.186.254.242:10031 defer
>#smtpd_end_of_data_restrictions = check_policy_service
>inet:192.168.254.242:10031 defer

Both these checks say that if a previous check doesn't explicitly say yes, then defer the mail. Cluebringer only says "no" (reject or defer), or "dunno" which means "it passes my checks, see what else you've got". If it said "yes" then it would make it far less flexible as it would mean you couldn't have any other useful checks after the call to Cluebringer.

I'd strongly recommend you put a bit more in your sender and client checks. There are a few simple things you can add that will help a lot with spam.

FYI, here's an extract from my main.cf. I'll leave you to look up what each check is doing (http://www.postfix.org/postconf.5.html) - ones that help enormously with spam are :

reject_non_fqdn_hostname,
reject_invalid_hostname,
smtpd_helo_required = yes

These require the client to send a "HELO" or "EHLO" command, and reject clients that don't supply a valid FQDN - but don't be tempted to try doing a DNS lookup (reject_unknown_helo_hostname) on it to verify as that creates no end of false positives.

reject_unauth_pipelining,

Then many spammers ignore some protocol niceties and just spew data at us, so we reject them.

check_helo_access hash:/etc/postfix/helo_access,

This one lets us have a black/whitelist of things that can be in the HELO field, and contains things like :

<our FQDN> 500 Error validating hostname, connection rejected.
<our IP address> 500 Error validating hostname, connection rejected.

As I've found a lot of spammers will just use our hostname or address in their HELO command.

Then notice that all of the restrictions sections end with "permit". Pretty well all the checks are negative only - i.e. they can say no, but don't say yes (only "dunno"). I think permit is inferred, but I'm one for explicit outcomes. So, each check has a chance to say no - in which case the mail is rejected; otherwise it says dunno and Postfix falls through to the next step.

# Requirements for the HELO statement
smtpd_helo_restrictions =
   check_client_access cidr:/etc/postfix/host_access,
   permit_mynetworks,
   permit_sasl_authenticated,
   check_helo_access hash:/etc/postfix/helo_access,
   reject_non_fqdn_hostname,
   reject_invalid_hostname,
   permit

# Requirements for the sender details
smtpd_sender_restrictions =
   check_client_access cidr:/etc/postfix/host_access,
   permit_mynetworks,
   hash:/etc/postfix/access,
   permit_sasl_authenticated,
   reject_non_fqdn_sender,
   reject_unknown_sender_domain,
   permit

## Requirements for the connecting server
smtpd_client_restrictions =
   permit_mynetworks,
   check_client_access cidr:/etc/postfix/blacklist,
   permit

# Requirement for the recipient address
smtpd_recipient_restrictions =
   permit_mynetworks,
   reject_unauth_pipelining,
   check_client_access cidr:/etc/postfix/host_access,
   check_policy_service inet:<some IP>:10031,
   permit_sasl_authenticated,
   reject_non_fqdn_recipient,
   reject_unknown_recipient_domain,
   reject_unlisted_recipient,
   reject_unauth_destination,
   reject_rbl_client zen.spamhaus.org,
   permit

smtpd_end_of_data_restrictions =
   check_policy_service inet:<some IP>:10031,
   permit

## require proper helo at connections
smtpd_helo_required = yes

## waste spammers time before rejecting them
smtpd_delay_reject = yes

disable_vrfy_command = yes

-- 
Simon Hobson
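
The fall-through behaviour discussed in this thread, as an added example that is not part of the original post and is not Postfix or Cluebringer code: it reads main.cf text and reports, for each smtpd_*_restrictions list, the first unconditional action that mail reaches when every earlier check answers DUNNO. The function names are hypothetical; BEFORE reproduces the quoted sender restriction, and AFTER is a constructed, shortened variant of the reply's extract with 127.0.0.1:10031 standing in for `<some IP>`.

```python
import re

TERMINAL = {"permit", "defer", "reject"}   # unconditional actions in a restriction list

def parse_main_cf(text):
    """Return {parameter: value}, honouring '#' comments and continuation lines."""
    params, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue                                   # blank line or comment
        if line[0].isspace() and current:              # leading whitespace = continuation
            params[current] += " " + line.strip()
        elif "=" in line:
            current, value = (s.strip() for s in line.split("=", 1))
            params[current] = value
    return params

def fallthrough(value):
    """First unconditional action in the list, i.e. the verdict for mail on which
    every earlier check said DUNNO. None means the list ends without one."""
    for token in re.split(r"[,\s]+", value.strip()):
        if token in TERMINAL:
            return token
    return None

def audit(text):
    """Map each smtpd_*_restrictions parameter to its fall-through action."""
    return {name: fallthrough(value)
            for name, value in parse_main_cf(text).items()
            if re.fullmatch(r"smtpd_\w+_restrictions", name)}

def blocking(text):
    """Lists where a DUNNO from every check still ends in defer or reject."""
    return [n for n, action in audit(text).items() if action in ("defer", "reject")]

# Constructed sample input: the sender restriction quoted in the thread.
BEFORE = """
smtpd_sender_restrictions = check_policy_service inet:127.0.0.1:10031 defer
#smtpd_recipient_restrictions = check_policy_service inet:192.186.254.242:10031 defer
"""
# Constructed sample input: shortened variant of the extract in the reply.
AFTER = """
smtpd_sender_restrictions = check_client_access cidr:/etc/postfix/host_access,
    permit_mynetworks, reject_non_fqdn_sender, permit
smtpd_end_of_data_restrictions = check_policy_service inet:127.0.0.1:10031
"""

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(cfg), "blocking:", blocking(cfg))
```
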
