219466 Re: Whitelisting Redux

  • Dennis Putnam
    May 1, 2007
      On May 1, 2007, at 10:06 AM, Jorey Bump wrote:
      >
      >
      > Then don't do that. :)

      :-)


      >
      > I'm not sure why you're removing permit_sasl_authenticated, but if
      > you don't need it, no harm done.

      I thought that was what you suggested I do.


      >
      > It appears your whitelist is not being consulted. Be sure to issue
      > a 'postfix reload' after editing main.cf.

      I do/did. Why would the white list not be consulted?

      >
      > Okay, looks good.

      Except it doesn't work. :-)

      >
      > Put permit_sasl_authenticated back before permit_mynetworks in
      > smtpd_recipient_restrictions, if you are using authentication for
      > submission via port 25.

      It seems to be working without it but I will. In any case this is not
      affecting the white list, is it?

      >
      > This looks fine. Be sure to run 'postmap sender_whitelist' in
      > /etc/postfix, and check your log to be sure there are no associated errors.

      Done.

      >
      > I've duplicated your configuration (easy, since you've nearly
      > duplicated mine), and it works for me (my residential IP is in one
      > of the RBLs, and I can now send from my home computer using the
      > same format you're using). At this point, you'll need to check your
      > logs for clues, but I'll save you some searching:
      >
      > dap@... != dap1@...

      I missed that detail. I didn't think it used the FROM field since
      that is easily spoofed. The difference is whether the mail originated
      on a Linux box or Windows box. The bad news is that when I add that
      to my white list it still doesn't work.

      >
      > If you want to keep things simple, use this in sender_whitelist:
      >
      > bellsouth.net permit_auth_destination
      >
      > That's safe enough, but it means that anyone can bypass the RBL
      > check by forging the envelope sender address as being from
      > bellsouth.net. Not a big deal, here, but an example why I avoid
      > whitelists for lower maintenance solutions. If you're trying to
      > send mail to your server from a dynamic residential IP *without
      > authentication*, then this is as appropriate a solution as any other.

      I don't really want to open it to all but I might have to try that
      just to see if anything can get through. Will that also work if the
      hostname is home.bellsouth.net? Actually I need to get this working
      not just for this user but for others as well. I want to make sure it
      all works and I understand it before adding more users. These
      otherwise legitimate ISPs that refuse to take responsibility for spam
      originating on their networks drive me nuts. I have things pretty
      tight so we get very little spam leaking through but there are a few
      legitimate sources that don't.

      >
      > Note that you'll have to put your map *after*
      > reject_unauth_destination if you use the bellsouth.net address for
      > outgoing mail (in which case, you should really use their mail
      > server, instead).
      >

      Now I'm confused (as usual). If I send something to
      dap1@... it will be rejected? Outgoing mail cannot go to
      'bellsouth.net' as that does not resolve to an smtp server. I thought
      postfix looked up the MX record for that address instead.
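
Added example, not part of the original thread: a simplified Python model of the key order Postfix's access(5) lookup uses for an envelope sender, showing why a per-user whitelist entry misses a different local part while a bare domain entry matches subdomains and any claimed sender in that domain. The addresses under `isp.example` are constructed, and the sketch assumes the default `parent_domain_matches_subdomains`, which lists `smtpd_access_maps`.

```python
# Simplified model of the keys tried by check_sender_access for an envelope
# sender (MAIL FROM), following access(5). Illustration only: address
# extensions, the null sender and regexp/CIDR tables are not modelled.

def candidate_keys(sender, parent_matches_subdomains=True):
    """Return lookup keys in the order they are tried."""
    sender = sender.strip().lower()           # lookup keys are case-folded
    local, _, domain = sender.rpartition("@")
    keys = [sender]                            # 1. full address: user@domain
    labels = domain.split(".")
    for i in range(len(labels)):
        parent = ".".join(labels[i:])
        if i == 0:
            keys.append(parent)                # 2. the sender domain itself
        elif parent_matches_subdomains:
            keys.append(parent)                # 3a. parent domain, bare form
        else:
            keys.append("." + parent)          # 3b. parent domain, dotted form
    keys.append(local + "@")                   # 4. user@ (any domain)
    return keys

def lookup(table, sender, **kw):
    """First (key, action) that matches, or None (fall through to the
    next restriction, e.g. the RBL check)."""
    for key in candidate_keys(sender, **kw):
        if key in table:
            return key, table[key]
    return None

# Constructed whitelist contents (what 'postmap sender_whitelist' would index).
PER_USER = {"dap@isp.example": "permit_auth_destination"}
PER_DOMAIN = {"isp.example": "permit_auth_destination"}

if __name__ == "__main__":
    for table_name, table in (("per-user", PER_USER), ("per-domain", PER_DOMAIN)):
        for sender in ("dap@isp.example", "dap1@isp.example",
                       "dap1@home.isp.example", "anyone@isp.example"):
            print(f"{table_name:10} {sender:24} -> {lookup(table, sender)}")
```

The per-domain table matches every sender that merely claims the domain, which is the forgery trade-off described in the quoted reply.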