
219451 Re: Whitelisting Redux

  • Jorey Bump
    May 1 5:44 AM
      Dennis Putnam wrote:
      >
      > On Apr 30, 2007, at 2:15 PM, Jorey Bump wrote:
      >>
      >> I prefer to put my RBLs at the end of smtpd_recipient_restrictions and
      >> exempt anything I need before it (also in
      >> smtpd_recipient_restrictions). I don't change the other
      >> smtpd_*_restrictions from their defaults, but if I did, I'd try to use
      >> them only for obvious rejections. This is a matter of taste. I
      >> typically use this configuration:
      >>
      >> smtpd_recipient_restrictions =
      >> reject_non_fqdn_sender
      >> reject_unlisted_sender
      >> reject_unknown_sender_domain
      >> reject_unknown_recipient_domain
      >> reject_unlisted_recipient
      >> permit_mynetworks
      >> permit_sasl_authenticated
      >> reject_unauth_destination
      >> check_helo_access pcre:/etc/postfix/helo
      >> check_sender_access hash:/etc/postfix/sender
      >> reject_rbl_client rbl1.example.org
      >> reject_rbl_client rbl2.example.net
      >>
      >
      > I took your advice and modified (best I could as it appears you are
      > using v 2.3, I think mine is 2.1) my main.cf to match. Unfortunately the
      > 'check_sender_access' is still not working.

      You are still using smtpd_client_restrictions, though. Note that my
      example uses smtpd_recipient_restrictions. All you should need to do now
      is change this to smtpd_recipient_restrictions:

      > smtpd_client_restrictions = reject_non_fqdn_sender
      > reject_unknown_sender_domain check_sender_access
      > hash:/etc/postfix/sender_whitelist permit_mynetworks
      > permit_sasl_authenticated reject_unauth_destination
      > reject_rbl_client bl.spamcop.net reject_rbl_client
      > dnsbl.sorbs.net reject_rbl_client cbl.abuseat.org
      > reject_rbl_client dnsbl.njabl.org check_client_access
      > hash:/etc/postfix/smtpdreject

      And simply delete or comment out this line:

      > smtpd_recipient_restrictions =
      > permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination,permit

      You might still have a bit of tweaking to do, but this should give you a
      working configuration. Be especially careful with what you put in your
      whitelist. Rejections are easy to manage, but whitelisting can allow
      unauthorized relaying if done improperly.
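
The relaying caveat at the end of the message comes down to ordering: within smtpd_recipient_restrictions, an OK result from an access table ends evaluation of the list, so a table consulted before reject_unauth_destination can let a message skip the relay check. The following is an added example, not code from the thread: a small main.cf check that lists such lookups. The function names are hypothetical, and the two sample fragments are constructed from the restriction lists quoted in the message.

```python
import re

# Access-table lookups: an OK result from the table acts as a permit.
LOOKUP = re.compile(r"check_(client|helo|sender|recipient)_access$")

def parse_main_cf(text):
    """Return {parameter: value}; lines starting with whitespace continue the previous one."""
    params, name = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and name is not None:
            params[name] += " " + line.strip()
        else:
            name, _, value = line.partition("=")
            name = name.strip()
            params[name] = value.strip()
    return params

def lookups_before_relay_check(text, param="smtpd_recipient_restrictions"):
    """List (restriction, table) pairs evaluated before reject_unauth_destination."""
    toks = [t for t in re.split(r"[,\s]+", parse_main_cf(text).get(param, "")) if t]
    found = []
    for i, tok in enumerate(toks):
        if tok == "reject_unauth_destination":
            break  # everything after this point is already relay-checked
        if LOOKUP.match(tok):
            found.append((tok, toks[i + 1] if i + 1 < len(toks) else ""))
    return found

# Constructed samples built from the two restriction lists quoted in the message.
LOOKUPS_LAST = """\
smtpd_recipient_restrictions =
  permit_mynetworks
  permit_sasl_authenticated
  reject_unauth_destination
  check_helo_access pcre:/etc/postfix/helo
  check_sender_access hash:/etc/postfix/sender
  reject_rbl_client rbl1.example.org
"""
LOOKUP_FIRST = """\
smtpd_recipient_restrictions = reject_non_fqdn_sender
  reject_unknown_sender_domain check_sender_access
  hash:/etc/postfix/sender_whitelist permit_mynetworks
  permit_sasl_authenticated reject_unauth_destination
  reject_rbl_client bl.spamcop.net
"""

if __name__ == "__main__":
    for label, cf in (("lookups last", LOOKUPS_LAST), ("lookup first", LOOKUP_FIRST)):
        print(label, lookups_before_relay_check(cf))
```

A flagged table is not automatically a problem, but every entry in it that returns OK should be reviewed, since envelope sender addresses are supplied by the connecting client.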