219466 Re: Whitelisting Redux
May 1, 2007

On May 1, 2007, at 10:06 AM, Jorey Bump wrote:

> Then don't do that. :)
>
> I'm not sure why you're removing permit_sasl_authenticated, but if
> you don't need it, no harm done.

I thought that was what you suggested I do.

> It appears your whitelist is not being consulted. Be sure to issue
> a 'postfix reload' after editing main.cf.

I do/did. Why would the white list not be consulted?

> Okay, looks good.

Except it doesn't work. :-)

> Put permit_sasl_authenticated back before permit_mynetworks in
> smtpd_recipient_restrictions, if you are using authentication for
> submission via port 25.

It seems to be working without it but I will. In any case this is not
affecting the white list is it?

> This looks fine. Be sure to run 'postmap sender_whitelist' in
> /etc/postfix, and check your log to be sure there are no associated
> errors.
>
> I've duplicated your configuration (easy, since you've nearly
> duplicated mine), and it works for me (my residential IP is in one
> of the RBLs, and I can now send from my home computer using the
> same format you're using). At this point, you'll need to check your
> logs for clues, but I'll save you some searching:
>
> dap@... != dap1@...

I missed that detail. I didn't think it used the FROM field since
that is easily spoofed. The difference is whether the mail originated
on a Linux box or Windows box. The bad news is that when I add that
to my white list it still doesn't work.

> If you want to keep things simple, use this in sender_whitelist:
>
> bellsouth.net permit_auth_destination
>
> That's safe enough, but it means that anyone can bypass the RBL
> check by forging the envelope sender address as being from
> bellsouth.net. Not a big deal, here, but an example why I avoid
> whitelists for lower maintenance solutions. If you're trying to
> send mail to your server from a dynamic residential IP *without
> authentication*, then this is as appropriate a solution as any other.

I don't really want to open it to all but I might have to try that
just to see if anything can get through. Will that also work if the
hostname is home.bellsouth.net? Actually I need to get this working
not just for this user but for others as well. I want to make sure it
all works and I understand it before adding more users. These
otherwise legitimate ISPs that refuse to take responsibility for spam
originating on their networks drive me nuts. I have things pretty
tight so we get very little spam leaking through but there are a few
legitimate sources that don't.

> Note that you'll have to put your map *after*
> reject_unauth_destination if you use the bellsouth.net address for
> outgoing mail (in which case, you should really use their mail
> server, instead).

Now I'm confused (as usual). If I send something to
dap1@... it will be rejected? Outgoing mail cannot go to
'bellsouth.net' as that does not resolve to an smtp server. I thought
postfix looked up the MX record for that address instead.
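
The lookup behaviour discussed in this message, as an added Python illustration that is not part of the original post and is not Postfix code: a simplified model of how an access(5) sender table is searched and how the first decisive restriction in the list wins. The addresses, domains and restriction order are constructed; `isp.example` stands in for the ISP domain in the thread.

```python
# Simplified model (an assumption, not Postfix source) of access(5) sender
# lookups and first-match evaluation of smtpd_recipient_restrictions.
LOCAL_DOMAINS = {"example.org"}  # constructed: domains we accept mail for


def sender_lookup_keys(sender, parent_matches_subdomains=True):
    """Keys tried, in order, for an envelope sender (address extensions ignored)."""
    user, _, domain = sender.lower().rpartition("@")
    keys = [f"{user}@{domain}", domain]
    labels = domain.split(".")
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        # A bare parent domain matches subdomains only when smtpd_access_maps is
        # in parent_domain_matches_subdomains; otherwise ".parent" is needed.
        keys.append(parent if parent_matches_subdomains else "." + parent)
    keys.append(f"{user}@")
    return keys


def evaluate(restrictions, whitelist, sender, rcpt, authenticated, client_in_rbl):
    """Return the first decisive result, as Postfix does for a restriction list."""
    rcpt_local = rcpt.rpartition("@")[2].lower() in LOCAL_DOMAINS
    for r in restrictions:
        if r == "permit_sasl_authenticated" and authenticated:
            return "permit (sasl)"
        if r == "reject_unauth_destination" and not rcpt_local:
            return "reject (relay denied)"
        if r == "check_sender_access":
            hit = next((whitelist[k] for k in sender_lookup_keys(sender)
                        if k in whitelist), None)
            # permit_auth_destination only permits mail addressed to us.
            if hit == "OK" or (hit == "permit_auth_destination" and rcpt_local):
                return "permit (whitelist)"
        if r == "reject_rbl_client" and client_in_rbl:
            return "reject (rbl)"
    return "permit (default)"


# Constructed sample data; isp.example stands in for the ISP domain in the thread.
ORDER = ["permit_sasl_authenticated", "check_sender_access",
         "reject_unauth_destination", "reject_rbl_client"]
BY_DOMAIN = {"isp.example": "permit_auth_destination"}
BY_ADDRESS = {"alice@isp.example": "permit_auth_destination"}

if __name__ == "__main__":
    for wl, frm, to in [(BY_DOMAIN, "alice1@home.isp.example", "bob@example.org"),
                        (BY_ADDRESS, "alice1@isp.example", "bob@example.org"),
                        (BY_DOMAIN, "forged@isp.example", "someone@elsewhere.example")]:
        print(frm, "->", to, ":", evaluate(ORDER, wl, frm, to, False, True))
```

On a real server, `postmap -q` against the whitelist file shows whether a given key is actually present in the table.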