
Whitelisting Redux

  • Dennis Putnam
    Message 1 of 4 , Apr 30 4:16 AM
      I am afraid something happened to my main.cf file as my whitelisting has stopped working. I must have inadvertently deleted something in the file but I cannot see what. I am using blacklisting services and one ISP, that has one legitimate emailer on it, is repeatedly getting itself blacklisted. I am trying to whitelist that one address and it was working fine until ... I believe the hash of my whitelist is supposed to go in the smtpd_client_restrictions section: Here is the relevant part of my main.cf. Can someone see what I am doing wrong? Thanks.

      smtpd_client_restrictions =
              hash:/etc/postfix/sender_whitelist
              reject_rbl_client bl.spamcop.net
              reject_rbl_client dnsbl.sorbs.net
              reject_rbl_client cbl.abuseat.org
              reject_rbl_client dnsbl.njabl.org
              check_client_access hash:/etc/postfix/smtpdreject
              permit_mynetworks
              permit

      In case it matters here is my sender_whitelist file:

      # This is a list of senders that will be accepted even if the server has
      # been blacklisted.
      #
      # REMEMBER to run 'make' after changes
      #
      dap1@... permit_auth_destination
      @... permit_auth_destination



    • Magnus Bäck
      Message 2 of 4 , Apr 30 5:11 AM
        On Mon, April 30, 2007 1:16 pm, Dennis Putnam said:

        > I am afraid something happened to my main.cf file as my whitelisting
        > has stopped working. I must have inadvertently deleted something in
        > the file but I cannot see what. I am using blacklisting services and
        > one ISP, that has one legitimate emailer on it, is repeatedly getting
        > itself blacklisted. I am trying to whitelist that one address and it
        > was working fine until ... I believe the hash of my whitelist is
        > supposed to go in the smtpd_client_restrictions section: Here is the
        > relevant part of my main.cf. Can someone see what I am doing wrong?
        > Thanks.
        >
        > smtpd_client_restrictions =
        > hash:/etc/postfix/sender_whitelist

        This is equivalent to:

        smtpd_client_restrictions =
        check_client_access hash:/etc/postfix/sender_whitelist

        Make sure you use check_sender_access instead if you want the
        sender_whitelist map to act on the sender address.

        > reject_rbl_client bl.spamcop.net
        > reject_rbl_client dnsbl.sorbs.net
        > reject_rbl_client cbl.abuseat.org
        > reject_rbl_client dnsbl.njabl.org
        > check_client_access hash:/etc/postfix/smtpdreject
        > permit_mynetworks
        > permit

        The two last lines serve no purpose.

        > In case it matters here is my sender_whitelist file:
        >
        > # This is a list of senders that will be accepted even if the server has
        > # been blacklisted.
        > #
        > # REMEMBER to run 'make' after changes
        > #
        > dap1@... permit_auth_destination
        > @... permit_auth_destination

        The last line won't work, because @domain isn't the expected syntax for
        domain wildcards. See access(5).

        --
        Magnus Bäck
        magnus@...
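
Added example (not part of the thread and not Postfix code): a simplified Python model of the lookup keys that access(5) documents for check_client_access and check_sender_access. It shows why an address-keyed table never matches a client lookup and why an `@domain` key is never queried. The domain `isp.example`, the addresses and all function names are constructed for illustration; address extensions are ignored and the search order is an assumption.

```python
# Added example: simplified model of the keys Postfix tries against an
# access(5) table. Address extensions (user+ext) are left out, and the
# order shown (most specific first) is an assumption of this sketch.

def domain_keys(domain, parent_matches=True):
    """domain.tld plus its parent domains. With parent_matches=False
    (smtpd_access_maps not in parent_domain_matches_subdomains) the
    parents are tried in the '.domain.tld' form instead."""
    labels = domain.lower().split(".")
    keys = [".".join(labels)]
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        keys.append(parent if parent_matches else "." + parent)
    return keys

def client_keys(hostname, ip, parent_matches=True):
    """check_client_access: client hostname, parents, IP, then networks."""
    octets = ip.split(".")
    nets = [".".join(octets[:n]) for n in range(4, 0, -1)]
    return domain_keys(hostname, parent_matches) + nets

def sender_keys(mail_from, parent_matches=True):
    """check_sender_access: user@domain, domain forms, then user@."""
    local, _, domain = mail_from.lower().rpartition("@")
    return ([f"{local}@{domain}"]
            + domain_keys(domain, parent_matches)
            + [f"{local}@"])

def lookup(table, keys):
    """Return the action of the first key present in the table, else None."""
    return next((table[k] for k in keys if k in table), None)

# Constructed table with the same shape as the sender_whitelist in the thread.
TABLE = {
    "alice@isp.example": "permit_auth_destination",
    "@isp.example": "permit_auth_destination",  # never generated as a key
}
# Same table with the domain written in the form access(5) expects.
FIXED = {**TABLE, "isp.example": "permit_auth_destination"}

if __name__ == "__main__":
    client = client_keys("mail.isp.example", "192.0.2.25")
    print("client lookup:", lookup(TABLE, client))   # no address keys tried
    for sender in ("alice@isp.example", "bob@isp.example"):
        keys = sender_keys(sender)
        print(sender, "->", lookup(TABLE, keys), "/", lookup(FIXED, keys))
```

A result of `None` means the table returned nothing and evaluation continues with the next restriction, which in the posted main.cf is the first reject_rbl_client.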
      • Benny Pedersen
        Message 3 of 4 , Apr 30 7:59 AM
          On Mon, April 30, 2007 13:16, Dennis Putnam wrote:

          > smtpd_client_restrictions =
          > hash:/etc/postfix/sender_whitelist

          check_sender_access hash:/etc/postfix/sender_whitelist

          --
          This message was sent using 100% recycled spam mails.
        • Dennis Putnam
          Message 4 of 4 , May 1, 2007
            On May 1, 2007, at 11:10 AM, Jorey Bump wrote:


            No, I meant for you to change the "smtpd_client_restrictions" entry that you provided to "smtpd_recipient_restrictions" and remove the redundant smtpd_recipient_restrictions from your configuration.


            It was. The address was wrong.

            Well, DOH! That's 2.


            No.

            To be clear, it's using the address provided during MAIL FROM (not the From: header), and you're right, that's easily spoofed. But if you want to use check_sender_access, that's what we're talking about, the envelope sender.

            I understand and see the problem. I suspected that but was hoping I was wrong. Thanks.


            Refer to Email Address Patterns in:

             man 5 access

            or:


            Thanks. I read this before but I guess I was refusing to believe there is no wildcard in the pattern matching. It appears I just can't do some of the things I wanted but there are other ways.


            Well, I sympathize, but this may be a user issue. They need to complain to the ISP or switch. Kudos for trying to solve their problem, but you may be taking on a maintenance headache. Of course, you could move your RBLs to a scoring system via a policy server or SpamAssassin if they are causing you too many problems. Using RBLs isn't required, so I guess you do bear some of the responsibility here.

            In case you haven't figured it out the user is me. Complaining to the ISP is a waste, they won't even stop themselves from being blacklisted. Besides anyone that complains is just a stupid user that knows nothing about systems. Switching is not really a cost effective option at this time. As for a maintenance headache, what is one more? :-) There are only a few users in this category so once I have it working it won't be a big deal. I just need to make sure this doesn't happen again. My Mandriva system has a cron script that reports critical files that have changed. Maybe I'll clone that script and use it here since main.cf can get changed so easily and sometimes it takes a while to notice the effects.


            I meant you must do this if you plan to use the bellsouth.net address as your sender address for outgoing mail. Outgoing mail *to* bellsouth.net is not affected by this configuration.


            Ah, I see. That is not an issue.

            After all the gyrations it looks like you got me to where I need to be. I still have no idea what was changed that made it stop working in the first place. Plus I also don't know how it could have ever worked based on what you taught me. Thanks again for saving the day for me. I owe you an adult beverage of your choice.

