
Re: Whitelisting Redux

  • Dennis Putnam
    May 1, 2007
      On Apr 30, 2007, at 2:15 PM, Jorey Bump wrote:

      > Dennis Putnam wrote:
      > You'll need a good backup or version control system for insurance
      > against future mishaps.

      I thought I did but it is only as good as the people that follow the

      > I prefer to put my RBLs at the end of smtpd_recipient_restrictions
      > and exempt anything I need before it (also in
      > smtpd_recipient_restrictions). I don't change the other
      > smtpd_*_restrictions from their defaults, but if I did, I'd try to
      > use them only for obvious rejections. This is a matter of taste. I
      > typically use this configuration:
      > smtpd_recipient_restrictions =
      >     reject_non_fqdn_sender
      >     reject_unlisted_sender
      >     reject_unknown_sender_domain
      >     reject_unknown_recipient_domain
      >     reject_unlisted_recipient
      >     permit_mynetworks
      >     permit_sasl_authenticated
      >     reject_unauth_destination
      >     check_helo_access pcre:/etc/postfix/helo
      >     check_sender_access hash:/etc/postfix/sender
      >     reject_rbl_client rbl1.example.org
      >     reject_rbl_client rbl2.example.net
      > The check_*_access files are custom, and currently contain only
      > rejections. You may need to put yours before the permit_*
      > statements, if you truly need a whitelist. If your problem user is
      > actually an authenticated user that is being blocked by an RBL, you
      > no longer need a whitelist with the above configuration, as this is
      > handled by placing permit_sasl_authenticated before the RBLs.

      I took your advice and modified (best I could as it appears you are
      using v 2.3, I think mine is 2.1) my main.cf to match. Unfortunately
      the 'check_sender_access' is still not working. My problem user is
      not an authenticated one, it is just one that happens to have an ISP
      that is too arrogant to accept and act on spam reports. Perhaps the
      problem is versioning. Here is a new 'postconf -n' and thanks again
      for your help.

      alias_maps = hash:/etc/aliases,hash:/var/mailman/data/aliases
      command_directory = /usr/sbin
      config_directory = /etc/postfix
      content_filter = smtp-amavis:[]:10024
      daemon_directory = /usr/libexec/postfix
      debug_peer_level = 2
      enable_server_options = yes
      html_directory = no
      inet_interfaces = all
      mail_owner = postfix
      mailbox_size_limit = 0
      mailbox_transport = cyrus
      mailq_path = /usr/bin/mailq
      manpage_directory = /usr/share/man
      message_size_limit = 26214400
      mydestination = $myhostname,localhost.
      mydomain = aimaudit.com
      mydomain_fallback = localhost
      myhostname = xserveoda.aimaudit.com
      mynetworks =,,,,192.168.0
      mynetworks_style = host
      newaliases_path = /usr/bin/newaliases
      owner_request_special = no
      queue_directory = /private/var/spool/postfix
      readme_directory = /usr/share/doc/postfix
      recipient_delimiter = +
      sample_directory = /usr/share/doc/postfix/examples
      sendmail_path = /usr/sbin/sendmail
      setgid_group = postdrop
      smtpd_client_restrictions = reject_non_fqdn_sender
          reject_unknown_sender_domain
          check_sender_access hash:/etc/postfix/sender_whitelist
          permit_mynetworks
          permit_sasl_authenticated
          reject_unauth_destination
          reject_rbl_client bl.spamcop.net
          reject_rbl_client dnsbl.sorbs.net
          reject_rbl_client cbl.abuseat.org
          reject_rbl_client dnsbl.njabl.org
          check_client_access hash:/etc/
      smtpd_helo_required = yes
      smtpd_helo_restrictions = reject_unknown_client
      smtpd_pw_server_security_options = gssapi,login
      smtpd_recipient_restrictions =
      smtpd_sasl_auth_enable = yes
      smtpd_tls_key_file =
      smtpd_use_pw_server = yes
      unknown_local_recipient_reject_code = 550

      > Also note: This configuration assumes that smtpd_delay_reject =
      > yes, which is normally the Postfix default (I don't know what the
      > case is with OS X).

      It is the same. Thanks.
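As an added illustration (not part of this thread and not Postfix code), the following Python models the rule that the whole discussion turns on: Postfix walks a restriction list in order, the first OK or REJECT wins, and DUNNO moves on. It assumes a reduced set of restrictions, a hypothetical whitelisted domain and the documentation address 203.0.113.7 standing in for an RBL-listed client, and shows why a check_sender_access whitelist placed after reject_rbl_client never fires, while one placed before reject_unauth_destination turns the server into a relay for that sender.

```python
# Constructed data: an access map as used by
# check_sender_access hash:/etc/postfix/sender_whitelist, and the clients a
# hypothetical RBL lists (203.0.113.7 is a documentation address).
SENDER_WHITELIST = {"arrogant-isp.example": "OK"}   # hypothetical domain
RBL_LISTED = {"203.0.113.7"}

def check_sender_access(s):
    """Look up the full address first, then the domain, as Postfix access maps do."""
    domain = s["sender"].split("@", 1)[1]
    return SENDER_WHITELIST.get(s["sender"], SENDER_WHITELIST.get(domain, "DUNNO"))

# Simplified stand-ins for the Postfix restrictions named in the thread.
RULES = {
    "permit_mynetworks": lambda s: "OK" if s["client_ip"] in s["mynetworks"] else "DUNNO",
    "permit_sasl_authenticated": lambda s: "OK" if s["sasl"] else "DUNNO",
    "reject_unauth_destination": lambda s: "DUNNO" if s["to_local"] else "REJECT",
    "check_sender_access": check_sender_access,
    "reject_rbl_client": lambda s: "REJECT" if s["client_ip"] in RBL_LISTED else "DUNNO",
}

def evaluate(restrictions, session):
    """Walk the list in order; the first OK or REJECT wins, DUNNO moves on."""
    for rule in restrictions:
        verdict = RULES[rule](session)
        if verdict != "DUNNO":
            return verdict, rule
    return "OK", "end-of-list"   # list exhausted: Postfix permits

# Three placements of the whitelist relative to reject_unauth_destination
# and the RBL checks.
AFTER_RBL = ["permit_mynetworks", "permit_sasl_authenticated",
             "reject_unauth_destination", "reject_rbl_client",
             "check_sender_access"]
BEFORE_RBL = ["permit_mynetworks", "permit_sasl_authenticated",
              "reject_unauth_destination", "check_sender_access",
              "reject_rbl_client"]
BEFORE_UNAUTH = ["check_sender_access", "permit_mynetworks",
                 "permit_sasl_authenticated", "reject_unauth_destination",
                 "reject_rbl_client"]

def session(to_local=True):
    """Unauthenticated client on the RBL, sending from the whitelisted domain."""
    return {"client_ip": "203.0.113.7", "sasl": False, "to_local": to_local,
            "sender": "user@arrogant-isp.example", "mynetworks": {"192.168.0.5"}}

if __name__ == "__main__":
    print(evaluate(AFTER_RBL, session()))           # ('REJECT', 'reject_rbl_client')
    print(evaluate(BEFORE_RBL, session()))          # ('OK', 'check_sender_access')
    print(evaluate(BEFORE_UNAUTH, session(False)))  # ('OK', 'check_sender_access'): relays
```

The safe spot for a sender whitelist is therefore after reject_unauth_destination and before the reject_rbl_client entries; a sender address is trivially forged, so an OK returned earlier than reject_unauth_destination permits relaying to any destination.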