Re: postscreen questions
- Deeztek Support:
> > Manual whitelisting.
> > /etc/postfix/main.cf:
> >     smtpd_recipient_restrictions =
> >         ...
> >         reject_unauth_destination
> >         check_sender_access hash:/etc/postfix/sender_access
> >         reject_unknown_sender_domain
> > /etc/postfix/sender_access:
> >     rotary.org OK
> So check_sender_access hash:/etc/postfix/sender_access should be
> removed from the smtpd_sender_restrictions and instead only have
> it in the smtpd_recipient_restrictions?
Not having seen your configuration I showed one example.
You can instead use
> Additionally, I noticed that you placed check_sender_access right
> above reject_unknown_sender_domain would it be better to also place
> above the following?:
Yes you could.
- On 22 May 2013, at 14:33, Stan Hoeppner <stan@...> wrote:
> I'll make an educated guess that many folks here have configured
> postscreen simply because it was/is "the new thing", without considering
> whether they -needed- it or not. Many have run into the same address
> based whitelisting problem mentioned here, and either ditched
> postscreen, or spent hours/days trying to tweak it just right.
I'm one of those. I don't NEED it, but it has reduced the load on my hardware significantly because far less mail is hitting spamd.
In the words of one of the founding Igors: 'We belong dead? Ecthcuthe
me? Where doeth it thay "we"?'
- On 5/23/2013 10:23 AM, Wietse Venema wrote:
> Deeztek Support:
>> On another topic, I had an issue the other day where an outside
>> sender was trying to send e-mail to an internal recipient and their
>> e-mail was getting delayed due to a DNS issue on their end. The
>> exact error was:
>> (Host or domain name not found. Name service error for name=rotary.org
>> type=MX: Host not found, try again)
>> I'm assuming this was happening due to the reject_unknown_sender_domain
>> in my smtpd_recipient_restrictions. It eventually got fixed and
>> the e-mail was able to get delivered however in the meantime what
>> would be the best way to bypass that person's e-mail address so
>> that e-mail will still get delivered even though their server is
> Manual whitelisting.
> smtpd_recipient_restrictions =
> check_sender_access hash:/etc/postfix/sender_access
> rotary.org OK
> Postfix currently does not remember the result of previous
> reject_unknown_sender_domain tests, so it cannot automatically
> permit a site to send mail based on previous results.
You may also want to look into automatic whitelisting. IIRC a daemon
exists for this. You'll have to look around.
Some time ago Viktor and I knocked out a basic shell script that does
this. It scans the mail log file for successful deliveries and adds the
recipient address to a whitelist. Once your Postfix has delivered to an
address it will always accept mail from that address, assuming you check
this table before other restrictions. The script with basic
instructions is here:
Depending on your mail flow and other factors, you may want to cron it
more frequently than suggested. I've been using this on Debian for a
couple of years now and it works great. This is designed for use on an
MX that also does all outbound delivery. It's easily adaptable for
split setups or farms. I described one way of doing so previously. It
should be in the list archives somewhere.
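The approach described in the message above, sketched as an added example: this is not the script Stan and Viktor wrote (its link is not on this page), and the function names are hypothetical. It assumes the usual Postfix delivery log lines (`postfix/smtp[pid]: QUEUEID: to=<...>, ... status=sent`) and goes one step beyond the description by skipping bounces sent with a null envelope sender.

```sh
#!/bin/sh
# Added example, not the script from the thread. Reads Postfix log lines
# on stdin and prints the addresses this server delivered mail to with
# its smtp(8) client, for use as a check_sender_access whitelist.

extract_delivered() {
    awk '
        # Queue ID: the token between "]: " and the next ": ".
        function qid() {
            if (match($0, /\]: [0-9A-Za-z]+: /))
                return substr($0, RSTART + 3, RLENGTH - 5)
            return ""
        }
        # Null envelope sender marks a bounce or DSN. Its recipient is the
        # unverified sender of an earlier message: no whitelist entry.
        / postfix\/qmgr\[[0-9]+\]: / && / from=<>,/ { bounce[qid()] = 1; next }
        # Count outbound smtp(8) deliveries only; local(8) is inbound mail.
        / postfix\/smtp\[[0-9]+\]: / && /status=sent/ {
            id = qid()
            if ((id in bounce) || !match($0, / to=<[^>]+>/)) next
            # Drop the 5 characters of " to=<" and the closing ">".
            addr = tolower(substr($0, RSTART + 5, RLENGTH - 6))
            # Accept plain user@domain only, so log content cannot put
            # whitespace or an extra field into the table.
            if (addr ~ /^[a-z0-9._+=-]+@[a-z0-9.-]+$/) print addr
        }
    ' | sort -u
}

# Format addresses as access(5) entries: "address OK".
to_access_table() { sed 's/$/ OK/'; }

# Constructed sample log; all hosts and addresses are made up.
sample_log() {
    cat <<'EOF'
May 23 10:01:01 mx postfix/qmgr[900]: 4F1A2B3C4D: from=<staff@example.com>, size=1200, nrcpt=1 (queue active)
May 23 10:01:02 mx postfix/smtp[1234]: 4F1A2B3C4D: to=<Alice@Example.org>, relay=mail.example.org[192.0.2.10]:25, delay=1.2, dsn=2.0.0, status=sent (250 2.0.0 Ok)
May 23 10:02:00 mx postfix/qmgr[900]: 5A6B7C8D9E: from=<>, size=3100, nrcpt=1 (queue active)
May 23 10:02:01 mx postfix/smtp[1240]: 5A6B7C8D9E: to=<forged@example.net>, relay=mx.example.net[198.51.100.7]:25, delay=0.9, dsn=2.0.0, status=sent (250 Ok)
May 23 10:03:00 mx postfix/local[1250]: 6C7D8E9F0A: to=<bob@example.com>, relay=local, delay=0.1, dsn=2.0.0, status=sent (delivered to mailbox)
May 23 10:04:00 mx postfix/smtp[1260]: 7D8E9F0A1B: to=<carol@example.org>, relay=mail.example.org[192.0.2.10]:25, delay=30, dsn=4.4.1, status=deferred (connect timed out)
EOF
}

sample_log | extract_delivered | to_access_table   # prints: alice@example.org OK
```

The resulting table belongs after `reject_unauth_destination`, as in the main.cf quoted earlier in the thread: envelope sender addresses are unauthenticated, and an `OK` ahead of that restriction would exempt a forged sender from the relay check in the same list.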
- On 23 May 2013, at 10:49, Deeztek Support wrote:
> On another topic, I had an issue the other day where an outside sender
> was trying to send e-mail to an internal recipient and their e-mail
> was getting delayed due to a DNS issue on their end. The exact error was:
> (Host or domain name not found. Name service error for name=rotary.org
> type=MX: Host not found, try again)
This specific error message is very commonly the result of a resolver
being tricked by purely local IPv6 existence (i.e. auto-configured
interfaces and link-local addresses) into trying to query other DNS
servers over IPv6. All 5 NS records for rotary.org point to names with
both A and AAAA (IPv6) records, which makes that a plausible root cause.