Gateway Spam Recipient Restrictions?

  • Fire walls
    Message 1 of 5 , Apr 26, 2011

      I have been reading the Postfix manuals and info from the Internet.

      I'm running a spam server with FreeBSD 8.2 + Postfix 2.8.x, single domain.

      Internet --> spam server --> mail server --> Internal Network.

      The gateway is working, but I am still making changes to block most of the spam that touches my server. I'm working right now just with Postfix; later I will continue with clamais, amavis, sa.

      Now, I want to use the smtpd_recipient_restrictions -> reject_rbl_client blackholes.

      I want to enable zen spamhaus org

      But once I reload or restart Postfix, the function of this feature is to check if the from is in the list, right?

      smtpd_recipient_restrictions =
              permit_mynetworks,
              reject_unauth_destination,
              reject_non_fqdn_hostname,
              reject_non_fqdn_sender,
              reject_non_fqdn_recipient,
              reject_invalid_hostname,
              reject_non_fqdn_helo_hostname,
              reject_unknown_sender_domain,
              reject_unknown_recipient_domain,
              check_recipient_access pcre:/usr/local/etc/postfix/recipient_checks.pcre,
              check_helo_access hash:/usr/local/etc/postfix/helo_checks,
              check_sender_access hash:/usr/local/etc/postfix/sender_checks,
              check_client_access hash:/usr/local/etc/postfix/client_checks,
              reject_rbl_client zen spamhaus org,
              check_policy_service inet:192 168 40 5:10023,
              permit

      But my log doesn't show any info about when Postfix checks spamhaus; my fw won't show any blocks.

      Next, for a gateway spam server, is it better for the _rbl_client to be in the smtpd_recipient_restrictions?

      Am I wrong, or is something not working as desired?

      Thanks for your time!!!!
      --
      :-)
    • Noel Jones
      Message 2 of 5 , Apr 26, 2011
        On 4/26/2011 3:00 AM, Fire walls wrote:
        >
        > I have been reading the Postfix manuals and info from the Internet.
        >
        > I'm running a spam server with FreeBSD 8.2 + Postfix 2.8.x,
        > single domain.
        >
        > Internet --> spam server --> mail server --> Internal Network.
        >
        > The gateway is working, but I am still making changes to block
        > most of the spam that touches my server. I'm working right now
        > just with Postfix; later I will continue with clamais, amavis, sa.
        >
        > Now, I want to use the smtpd_recipient_restrictions ->
        > reject_rbl_client blackholes.
        >
        > I want to enable zen spamhaus org
        >
        > But once I reload or restart Postfix, the function of this
        > feature is to check if the from is in the list, right?
        >
        > smtpd_recipient_restrictions =
        > permit_mynetworks,
        > reject_unauth_destination,
        > reject_non_fqdn_hostname,
        > reject_non_fqdn_sender,
        > reject_non_fqdn_recipient,
        > reject_invalid_hostname,
        > reject_non_fqdn_helo_hostname,
        > reject_unknown_sender_domain,
        > reject_unknown_recipient_domain,
        > check_recipient_access
        > pcre:/usr/local/etc/postfix/recipient_checks.pcre,
        > check_helo_access
        > hash:/usr/local/etc/postfix/helo_checks,
        > check_sender_access
        > hash:/usr/local/etc/postfix/sender_checks,
        > check_client_access
        > hash:/usr/local/etc/postfix/client_checks,
        > reject_rbl_client zen spamhaus org,

        It must have periods in it,
        reject_rbl_client zen.spamhaus.org

        Without the periods it will create an error in your maillog.
        If there is no error, then either this isn't the config you're
        really using, or one of your earlier rules is returning OK or
        permit.


        > check_policy_service inet:192 168 40 5:10023,

        Does this policy service work as expected? It doesn't have
        any periods in the IP address and should also generate an error.

        > permit
        >
        > But my log doesn't show any info about when Postfix checks
        > spamhaus; my fw won't show any blocks.

        Next time show us "postconf -n" output rather than random
        snippings.

        Enable query logging in your DNS server to see if spamhaus.org
        lookups are being performed.

        >
        > Next, for a gateway spam server, is it better for the _rbl_client
        > to be in the smtpd_recipient_restrictions?

        Most people put it in smtpd_recipient_restrictions, just after
        reject_unauth_destination and an optional check_client_access
        whitelist.

        smtpd_recipient_restrictions =
        permit_mynetworks
        reject_unauth_destination
        # uncomment next line if you need a client whitelist
        # check_client_access cidr:/etc/postfix/client_whitelist.cidr
        reject_rbl_client zen.spamhaus.org
        ... other local restrictions ...


        where the optional client_whitelist contains IPs of clients
        you want mail from that might otherwise be rejected by zen (or
        other local rules).


        -- Noel Jones
      • Fire walls
        Message 3 of 5 , Apr 26, 2011
          On Tue, Apr 26, 2011 at 6:16 AM, Noel Jones <njones@...> wrote:
          > On 4/26/2011 3:00 AM, Fire walls wrote:
          > >
          > > I have been reading the Postfix manuals and info from the Internet.
          > >
          > > I'm running a spam server with FreeBSD 8.2 + Postfix 2.8.x,
          > > single domain.
          > >
          > > Internet --> spam server --> mail server --> Internal Network.
          > >
          > > The gateway is working, but I am still making changes to block
          > > most of the spam that touches my server. I'm working right now
          > > just with Postfix; later I will continue with clamais, amavis, sa.
          > >
          > > Now, I want to use the smtpd_recipient_restrictions ->
          > > reject_rbl_client blackholes.
          > >
          > > I want to enable zen spamhaus org
          > >
          > > But once I reload or restart Postfix, the function of this
          > > feature is to check if the from is in the list, right?
          > >
          > > smtpd_recipient_restrictions =
          > >         permit_mynetworks,
          > >         reject_unauth_destination,
          > >         reject_non_fqdn_hostname,
          > >         reject_non_fqdn_sender,
          > >         reject_non_fqdn_recipient,
          > >         reject_invalid_hostname,
          > >         reject_non_fqdn_helo_hostname,
          > >         reject_unknown_sender_domain,
          > >         reject_unknown_recipient_domain,
          > >         check_recipient_access pcre:/usr/local/etc/postfix/recipient_checks.pcre,
          > >         check_helo_access hash:/usr/local/etc/postfix/helo_checks,
          > >         check_sender_access hash:/usr/local/etc/postfix/sender_checks,
          > >         check_client_access hash:/usr/local/etc/postfix/client_checks,
          > >         reject_rbl_client zen spamhaus org,
          >
          > It must have periods in it,
          >
          >         reject_rbl_client zen.spamhaus.org
          >
          > Without the periods it will create an error in your maillog. If
          > there is no error, then either this isn't the config you're really
          > using, or one of your earlier rules is returning OK or permit.

          My settings have periods, I just removed them from here, sorry:

          reject_rbl_client zen.spamhaus.org
          check_policy_service inet:192.168.40.5:10023

          > >         check_policy_service inet:192 168 40 5:10023,
          >
          > Does this policy service work as expected? It doesn't have any
          > periods in the IP address and should also generate an error.

          Yes, works.

          > >         permit
          > >
          > > But my log doesn't show any info about when Postfix checks
          > > spamhaus; my fw won't show any blocks.
          >
          > Next time show us "postconf -n" output rather than random snippings.
          >
          > Enable query logging in your DNS server to see if spamhaus.org
          > lookups are being performed.

          If I test the domain in my DNS server, it resolves without issue.

          dig spamhaus.org

          > > Next, for a gateway spam server, is it better for the _rbl_client
          > > to be in the smtpd_recipient_restrictions?
          >
          > Most people put it in smtpd_recipient_restrictions, just after
          > reject_unauth_destination and an optional check_client_access
          > whitelist.
          >
          > smtpd_recipient_restrictions =
          >  permit_mynetworks
          >  reject_unauth_destination
          > # uncomment next line if you need a client whitelist
          > # check_client_access cidr:/etc/postfix/client_whitelist.cidr
          >  reject_rbl_client zen.spamhaus.org
          >  ... other local restrictions ...
          >
          > where the optional client_whitelist contains IPs of clients you
          > want mail from that might otherwise be rejected by zen (or other
          > local rules).
          >
          >  -- Noel Jones

          I want to add that I can receive mail from known outside users and they pass all the rules, but I never see my server check the spamhaus.org, or my default log level won't show them?

          Peter, I will remove some checks, I have a lot.

          Thanks!!!

          --
          :-)
        • Noel Jones
          Message 4 of 5 , Apr 26, 2011
            Postfix does not log successful rbl checks. The spamhaus site
            describes the procedure to check their service using dig or
            host. Turn on query logging in your DNS server to verify that
            postfix is performing the rbl lookups.

            If you have more questions, don't waste your and others' time
            posting inaccurate and incomplete information.
            http://www.postfix.org/DEBUG_README.html#mail


            -- Noel Jones
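
The checks discussed in this thread (an RBL zone written without its periods, earlier access maps that can return OK before reject_rbl_client is reached, and testing the list with dig), as an added example that is not part of the original posts. The function names dnsbl_qname, audit_restrictions and posted_list are made up for this example, the restriction list is abridged from the one posted above, and 127.0.0.2 is the conventional DNSBL test address.

```shell
#!/bin/sh
# Added example, not from the thread. dnsbl_qname, audit_restrictions and
# posted_list are names made up here; 127.0.0.2 is the usual DNSBL test entry.

# Print the DNS name looked up for reject_rbl_client: the client's IPv4
# octets in reverse order, followed by the DNSBL zone.
dnsbl_qname() {
    case $1 in
        *[!0-9.]*|*..*|.*|*.) return 1 ;;   # only digits and single dots
    esac
    old_ifs=$IFS; IFS=.
    set -- $1 "$2"                          # split the address on dots
    IFS=$old_ifs
    [ $# -eq 5 ] && [ -n "$5" ] || return 1 # four octets plus the zone
    for o in "$1" "$2" "$3" "$4"; do
        [ "${#o}" -le 3 ] && [ "$o" -le 255 ] || return 1
    done
    printf '%s.%s.%s.%s.%s\n' "$4" "$3" "$2" "$1" "$5"
}

# Read a restriction list (e.g. `postconf -h smtpd_recipient_restrictions`)
# on stdin and report what can keep reject_rbl_client from working:
#   may-permit-before-rbl  an access map earlier in the list; an OK result
#                          from it ends evaluation before the DNSBL check
#   bad-rbl-zone           the zone argument has no periods
#   no-rbl-check           reject_rbl_client is not in the list at all
audit_restrictions() {
    awk '
        { gsub(/,/, " "); for (i = 1; i <= NF; i++) tok[++n] = $i }
        END {
            for (i = 1; i <= n; i++) {
                if (tok[i] == "reject_rbl_client") {
                    found = 1
                    if (tok[i + 1] !~ /\./) print "bad-rbl-zone: " tok[i + 1]
                    break
                }
                if (tok[i] ~ /^check_(client|helo|sender|recipient)_access$/)
                    print "may-permit-before-rbl: " tok[i] " " tok[i + 1]
            }
            if (!found) print "no-rbl-check"
        }'
}

# Constructed sample: the list as posted in the thread, abridged.
posted_list() {
    printf '%s\n' \
        'permit_mynetworks, reject_unauth_destination, reject_non_fqdn_sender,' \
        'check_helo_access hash:/usr/local/etc/postfix/helo_checks,' \
        'check_client_access hash:/usr/local/etc/postfix/client_checks,' \
        'reject_rbl_client zen spamhaus org, permit'
}

if [ "${1:-}" = live ]; then   # needs dig, postconf and network access
    dig +short "$(dnsbl_qname 127.0.0.2 zen.spamhaus.org)" A
    postconf -h smtpd_recipient_restrictions | audit_restrictions
else
    dnsbl_qname 127.0.0.2 zen.spamhaus.org
    posted_list | audit_restrictions
fi
```

Run with the argument `live` on the gateway itself: while DNS query logging is enabled, the dig lookup should appear in the resolver's log in the same form as the lookups Postfix makes for connecting clients.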
          • Fire walls
            Message 5 of 5 , Apr 26, 2011
                Sorry Sr.

              --
              :-)