
Re: postscreen questions

  • Wietse Venema
    Message 1 of 23, May 23, 2013
      Deeztek Support:
      > > Manual whitelisting.
      >
      > > /etc/postfix/main.cf:
      > > smtpd_recipient_restrictions =
      > > ...
      > > reject_unauth_destination
      > > check_sender_access hash:/etc/postfix/sender_access
      > > reject_unknown_sender_domain
      >
      > > /etc/postfix/sender_access:
      > > rotary.org OK
      >
      >
      >
      > So check_sender_access hash:/etc/postfix/sender_access should be
      > removed from the smtpd_sender_restrictions and instead only have
      > it in the smtpd_recipient_restrictions?

      Not having seen your configuration I showed one example.

      You can instead use

      smtpd_sender_restrictions
      check_sender_access hash:/etc/postfix/sender_access
      reject_unknown_sender_domain

      > Additionally, I noticed that you placed check_sender_access right
      > above reject_unknown_sender_domain would it be better to also place
      > above the following?:

      Yes you could.

      Wietse
    • LuKreme
      Message 2 of 23, May 23, 2013
        On 22 May 2013, at 14:33 , Stan Hoeppner <stan@...> wrote:

        > I'll make an educated guess that many folks here have configured
        > postscreen simply because it was/is "the new thing", without considering
        > whether they -needed- it or not. Many have run into the same address
        > based whitelisting problem mentioned here, and either ditched
        > postscreen, or spent hours/days trying to tweak it just right.

        I'm one of those. I don't NEED it, but it has reduced the load on my hardware significantly because far less mail is hitting spamd.

        --
        In the words of one of the founding Igors: 'We belong dead? Ecthcuthe
        me? Where doeth it thay "we"?'
      • Stan Hoeppner
        Message 3 of 23, May 23, 2013
          On 5/23/2013 10:23 AM, Wietse Venema wrote:
          > Deeztek Support:
          >> On another topic, I had an issue the other day where an outside
          >> sender was trying to send e-mail to an internal recipient and their
          >> e-mail was getting delayed due to a DNS issue on their end. The
          >> exact error was:
          >>
          >> (Host or domain name not found. Name service error for name=rotary.org
          >> type=MX: Host not found, try again)
          >>
          >> I'm assuming this was happening due to the reject_unknown_sender_domain
          >> in my smtpd_recipient_restrictions. It eventually got fixed and
          >> the e-mail was able to get delivered however in the meantime what
          >> would be the best way to bypass that person's e-mail address so
          >> that e-mail will still get delivered even though their server is
          >> misconfigured?
          >
          > Manual whitelisting.
          >
          > /etc/postfix/main.cf:
          > smtpd_recipient_restrictions =
          > ...
          > reject_unauth_destination
          > check_sender_access hash:/etc/postfix/sender_access
          > reject_unknown_sender_domain
          >
          > /etc/postfix/sender_access:
          > rotary.org OK
          >
          > Postfix currently does not remember the result of previous
          > reject_unknown_sender_domain tests, so it cannot automatically
          > permit a site to send mail based on previous results.
          >
          > Wietse


          You may also want to look into automatic whitelisting. IIRC a daemon
          exists for this. You'll have to look around.

          Some time ago Viktor and I knocked out a basic shell script that does
          this. It scans the mail log file for successful deliveries and adds the
          recipient address to a whitelist. Once your Postfix has delivered to an
          address it will always accept mail from that address, assuming you check
          this table before other restrictions. The script with basic
          instructions is here:

          http://www.hardwarefreak.com/whtlst_gen.sh.txt

          Depending on your mail flow and other factors, you may want to cron it
          more frequently than suggested. I've been using this on Debian for a
          couple of years now and it works great. This is designed for use on an
          MX that also does all outbound delivery. It's easily adaptable for
          split setups or farms. I described one way of doing so previously. It
          should be in the list archives somewhere.

          --
          Stan
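
Added example, not part of the original thread and not Stan's whtlst_gen.sh: a small POSIX shell script that does what Stan describes above, scanning Postfix log lines for successful remote deliveries and emitting the recipients as "address OK" entries in sender_access format, then merging them with a manually maintained table such as Wietse's "rotary.org OK" entry from earlier in the thread. The log lines are constructed for the example, and the function names and the rule that manual entries win on conflict are assumptions of this example.

```shell
#!/bin/sh
# Constructed example: derive a Postfix sender_access whitelist from delivery
# log lines. Not the whtlst_gen.sh script referenced in the thread.

# Constructed sample of Postfix mail.log lines (not captured from a real host).
# Only "status=sent" lines written by the smtp client count as successful
# deliveries to a remote address; the postfix/local line is a local mailbox.
SAMPLE_LOG='May 23 10:01:02 mx postfix/smtp[1234]: 0ABC12: to=<alice@rotary.org>, relay=mail.rotary.org[203.0.113.10]:25, delay=0.5, delays=0.1/0/0.2/0.2, dsn=2.0.0, status=sent (250 2.0.0 OK)
May 23 10:02:03 mx postfix/smtp[1235]: 0ABC13: to=<bob@example.net>, relay=mx.example.net[198.51.100.20]:25, delay=1.2, delays=0.1/0/0.5/0.6, dsn=4.4.1, status=deferred (connect to mx.example.net[198.51.100.20]:25: Connection timed out)
May 23 10:03:04 mx postfix/smtp[1236]: 0ABC14: to=<carol@example.org>, relay=mx.example.org[192.0.2.30]:25, delay=0.7, delays=0.1/0/0.3/0.3, dsn=2.0.0, status=sent (250 Ok: queued)
May 23 10:03:05 mx postfix/local[1237]: 0ABC15: to=<dave@localhost>, relay=local, delay=0.1, delays=0.05/0/0/0.05, dsn=2.0.0, status=sent (delivered to mailbox)
May 23 10:04:06 mx postfix/smtp[1238]: 0ABC16: to=<alice@rotary.org>, relay=mail.rotary.org[203.0.113.10]:25, delay=0.4, delays=0.1/0/0.2/0.1, dsn=2.0.0, status=sent (250 2.0.0 OK)'

# Manually maintained entries (Wietse's example from the thread).
MANUAL_ENTRIES='rotary.org OK'

# whitelist_from_log LOGTEXT
# Prints one "address OK" line per distinct recipient that the smtp client
# delivered to successfully. Deferred/bounced deliveries and local deliveries
# are ignored; addresses are lowercased and deduplicated.
whitelist_from_log() {
    printf '%s\n' "$1" \
      | grep ' postfix/smtp\[' \
      | grep 'status=sent' \
      | sed -n 's/.* to=<\([^>]*\)>.*/\1/p' \
      | grep '@' \
      | tr 'A-Z' 'a-z' \
      | sort -u \
      | awk '{ print $1 " OK" }'
}

# merge_access_maps MANUAL GENERATED
# Unions two access tables on the lookup key (first field). Entries in MANUAL
# win when the same key appears in both, so a hand-written "REJECT" or "OK"
# is never overwritten by the generated table. Comments and blank lines drop.
merge_access_maps() {
    printf '%s\n%s\n' "$1" "$2" \
      | awk 'NF >= 2 && $1 !~ /^#/ && !seen[$1]++ { print }' \
      | sort
}

# Stand-alone run: print the merged table that would go into
# /etc/postfix/sender_access before running "postmap" on it.
generated="$(whitelist_from_log "$SAMPLE_LOG")"
merge_access_maps "$MANUAL_ENTRIES" "$generated"
```

From cron, feed the real log instead of the sample (for example whitelist_from_log "$(cat /var/log/mail.log)"), write the merged result to /etc/postfix/sender_access and rebuild the hash with postmap /etc/postfix/sender_access. Two things to keep in mind when wiring the table in: an OK result ends the restriction list it appears in, so the lookup belongs where Wietse put it, after reject_unauth_destination (otherwise mail from a whitelisted envelope sender would skip the relay check) and directly before reject_unknown_sender_domain, the one check you actually mean to bypass; and because envelope sender addresses are forgeable, anyone who guesses a correspondent's address gets the same exemption from that check.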
        • Bill Cole
          Message 4 of 23, May 23, 2013
            On 23 May 2013, at 10:49, Deeztek Support wrote:

            > On another topic, I had an issue the other day where an outside sender
            > was trying to send e-mail to an internal recipient and their e-mail
            > was getting
            > delayed due to a DNS issue on their end. The exact error was:
            >
            > (Host or domain name not found. Name service error for name=rotary.org
            > type=MX: Host not found, try again)


            This specific error message is very commonly the result of a resolver
            being tricked by purely local IPv6 existence (i.e. auto-configured
            interfaces and link-local addresses) into trying to query other DNS
            servers over IPv6. All 5 NS records for rotary.org point to names with
            both A and AAAA (IPv6) records, which makes that a plausible root cause.