Re: Whitelisting Redux

  • Jorey Bump
    Message 1 of 17 , May 1, 2007
      Dennis Putnam wrote:
      >
      > On May 1, 2007, at 10:06 AM, Jorey Bump wrote:
      >>
      >> I'm not sure why you're removing permit_sasl_authenticated, but if you
      >> don't need it, no harm done.
      >
      > I thought that was what you suggested I do.

      No, I meant for you to change the "smtpd_client_restrictions" entry that
      you provided to "smtpd_recipient_restrictions" and remove the redundant
      smtpd_recipient_restrictions from your configuration.

      >> It appears your whitelist is not being consulted. Be sure to issue a
      >> 'postfix reload' after editing main.cf.
      >
      > I do/did. Why would the white list not be consulted?

      It was. The address was wrong.

      >> Put permit_sasl_authenticated back before permit_mynetworks in
      >> smtpd_recipient_restrictions, if you are using authentication for
      >> submission via port 25.
      >
      > It seems to be working without it but I will. In any case this is not
      > affecting the white list is it?

      No.

      >> dap@... != dap1@...
      >
      > I missed that detail. I didn't think it used the FROM field since that
      > is easily spoofed. The difference is whether the mail originated on a
      > Linux box or Windows box. The bad news is that when I add that to my
      > white list it still doesn't work.

      To be clear, it's using the address provided during MAIL FROM (not the
      From: header), and you're right, that's easily spoofed. But if you want
      to use check_sender_access, that's what we're talking about, the
      envelope sender.

      >> If you want to keep things simple, use this in sender_whitelist:
      >>
      >> bellsouth.net permit_auth_destination

      > I don't really want to open it to all but I might have to try that just
      > to see if anything can get through. Will that also work if the hostname
      > is home.bellsouth.net?

      Refer to Email Address Patterns in:

      man 5 access

      or:

      http://www.postfix.org/access.5.html

      > Actually I need to get this working not just for
      > this user but for others as well. I want to make sure it all works and I
      > understand it before adding more users. These otherwise legitimate ISPs
      > that refuse to take responsibility for spam originating on their
      > networks drive me nuts. I have things pretty tight so we get very little
      > spam leaking through but there are a few legitimate sources that don't.

      Well, I sympathize, but this may be a user issue. They need to complain
      to the ISP or switch. Kudos for trying to solve their problem, but you
      may be taking on a maintenance headache. Of course, you could move your
      RBLs to a scoring system via a policy server or SpamAssassin if they are
      causing you too many problems. Using RBLs isn't required, so I guess you
      do bear some of the responsibility here.

      >> Note that you'll have to put your map *after*
      >> reject_unauth_destination if you use the bellsouth.net address for
      >> outgoing mail (in which case, you should really use their mail server,
      >> instead).
      >>
      >
      > Now I'm confused (as usual). If I send something to dap1@...
      > it will be rejected? Outgoing mail cannot go to 'bellsouth.net' as that
      > does not resolve to an smtp server. I thought postfix looked up the MX
      > record for that address instead.

      I meant you must do this if you plan to use the bellsouth.net address as
      your sender address for outgoing mail. Outgoing mail *to* bellsouth.net
      is not affected by this configuration.
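
An added example, not part of the original message and not Postfix code: a reduced Python model of how the restriction list discussed above is evaluated, comparing an `OK` whitelist action with the `permit_auth_destination` entry suggested in the thread, and the map placed before or after `reject_unauth_destination`. Assumptions: `example.org`, the IP addresses and the sender addresses are constructed; only the restrictions named in the thread are modelled, plus `reject_rbl_client` for the RBLs it mentions.

```python
# Simplified model of a Postfix smtpd_recipient_restrictions list (added example).
# Constructed values: example.org as the local domain, documentation-range IPs.
LOCAL_DOMAINS = {"example.org"}   # stands in for mydestination / relay_domains
MYNETWORKS = {"192.0.2.10"}
RBL_LISTED = {"198.51.100.7"}     # clients a reject_rbl_client lookup would hit

def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower()

def sender_lookup(table, sender, parent_matches_sub=True):
    """Reduced access(5) search: user@domain, domain, then parent domains.
    A bare domain key matches subdomains only when smtpd_access_maps is
    listed in parent_domain_matches_subdomains (modelled by the flag)."""
    if sender.lower() in table:
        return table[sender.lower()]
    labels = domain_of(sender).split(".")
    for i in range(len(labels) - 1):
        if i > 0 and not parent_matches_sub:
            break
        if ".".join(labels[i:]) in table:
            return table[".".join(labels[i:])]
    return "DUNNO"

def evaluate(restrictions, table, client, sender, rcpt, sasl=False):
    """Walk the list in order; the first permit or reject ends evaluation."""
    local = domain_of(rcpt) in LOCAL_DOMAINS
    for r in restrictions:
        if r == "check_sender_access":        # keyed on MAIL FROM, not From:
            r = sender_lookup(table, sender)  # map result is itself an action
        if (r == "OK" or (r == "permit_sasl_authenticated" and sasl)
                or (r == "permit_mynetworks" and client in MYNETWORKS)
                or (r == "permit_auth_destination" and local)):
            return "permit"
        if ((r == "reject_unauth_destination" and not local)
                or (r == "reject_rbl_client" and client in RBL_LISTED)):
            return "reject"
    return "permit"                           # nothing rejected the recipient

MAP_FIRST = ["permit_sasl_authenticated", "permit_mynetworks",
             "check_sender_access", "reject_unauth_destination", "reject_rbl_client"]
MAP_AFTER = ["permit_sasl_authenticated", "permit_mynetworks",
             "reject_unauth_destination", "check_sender_access", "reject_rbl_client"]
WEAK = {"bellsouth.net": "OK"}
SAFE = {"bellsouth.net": "permit_auth_destination"}   # entry suggested in the thread

if __name__ == "__main__":
    outsider = ("198.51.100.7", "someone@home.bellsouth.net")   # RBL-listed client
    for name, order, table in [("OK before", MAP_FIRST, WEAK),
                               ("auth_dest before", MAP_FIRST, SAFE),
                               ("OK after", MAP_AFTER, WEAK)]:
        print(name, evaluate(order, table, *outsider, "user@example.org"),
              evaluate(order, table, *outsider, "other@elsewhere.example"))
```

Only the first layout accepts mail for a non-local recipient on the strength of the envelope sender alone; the other two still bypass the RBL for local recipients without relaying.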