From: David Cottle on

I am having some issues with my server blocking ISP IP addresses.

I know a recent update to plesk-9.5.1 changed my postfix main.cf and
master.cf (the timestamps changed). I managed to fix main.cf as on
the smtpd_client_restrictions, they put the RBLs first.

Can anyone see what is wrong in the master.cf?

I just want submission on 587 able to bypass RBL checks:

#
# Postfix master process configuration file. For details on the format
# ==========================================================================
smtp inet n - - - - smtpd -o smtpd_proxy_filter=127.0.0.1:10025
#submission inet n - n - - smtpd
# -o smtpd_tls_security_level=encrypt
# -o smtpd_sasl_auth_enable=yes
# -o smtpd_client_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
#smtps inet n - n - - smtpd
# -o smtpd_tls_wrappermode=yes
# -o smtpd_sasl_auth_enable=yes
# -o smtpd_client_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
#628 inet n - n - - qmqpd
pickup fifo n - - 60 1 pickup -o content_filter=smtp:127.0.0.1:10027
cleanup unix n - n - 0 cleanup
qmgr fifo n - n 300 1 qmgr
#qmgr fifo n - n 300 1 oqmgr
tlsmgr unix - - n 1000? 1 tlsmgr
rewrite unix - - n - - trivial-rewrite
bounce unix - - n - 0 bounce
defer unix - - n - 0 bounce
trace unix - - n - 0 bounce
verify unix - - n - 1 verify
flush unix n - n 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - n - - smtp
# When relaying mail as backup MX, disable fallback_relay to avoid MX loops
relay unix - - n - - smtp
  -o smtp_fallback_relay=
# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq unix n - n - - showq
error unix - - n - - error
retry unix - - n - - error
discard unix - - n - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - n - - lmtp
anvil unix - - n - 1 anvil
scache unix - - n - 1 scache
#

plesk_virtual unix - n n - - pipe flags=DORhu user=popuser:popuser
  argv=/usr/lib/plesk-9.0/postfix-local -f ${sender} -d ${recipient} -p /var/qmail/mailnames
mailman unix - n n - - pipe flags=R user=mailman:mailman
  argv=/usr/lib/plesk-9.0/postfix-mailman ${nexthop} ${user} ${recipient}
127.0.0.1:10025 inet n n n - - spawn user=mhandlers-user
  argv=/usr/lib/plesk-9.0/postfix-queue 127.0.0.1 10027 before-queue
127.0.0.1:10026 inet n - - - - smtpd
  -o smtpd_client_restrictions=
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o smtpd_data_restrictions=
  -o receive_override_options=no_unknown_recipient_checks
127.0.0.1:10027 inet n n n - - spawn user=mhandlers-user
  argv=/usr/lib/plesk-9.0/postfix-queue 127.0.0.1 10026 before-remote
plesk_saslauthd unix y y y - 1 plesk_saslauthd status=5 listen=6
  dbpath=/plesk/passwd.db
smtps inet n - - - - smtpd
  -o smtpd_proxy_filter=127.0.0.1:10025
  -o smtpd_tls_wrappermode=yes
submission inet n - - - - smtpd
  -o smtpd_enforce_tls=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_sender_restrictions=
  -o smtpd_proxy_filter=127.0.0.1:10025

From: Sahil Tandon on
On Tue, 20 Apr 2010, David Cottle wrote:

> I know a recent update to plesk-9.5.1 changed my postfix main.cf and
> master.cf (the timestamps changed). I managed to fix main.cf as on
> the smtpd_client_restrictions, they put the RBLs first.
>
> Can anyone see what is wrong in the master.cf?
>
> I just want submission on 587 able to bypass RBL checks:
>
> submission inet n - - - - smtpd -o smtpd_enforce_tls=yes -o
> smtpd_sasl_auth_enable=yes -o
> smtpd_client_restrictions=permit_sasl_authenticated,reject -o
> smtpd_sender_restrictions= -o smtpd_proxy_filter=127.0.0.1:10025

Your cut & paste looks horrible in my reader, but I guess the RBL is
checked somewhere in smtpd_recipient_restrictions as defined in your
main.cf?

Please show the output of 'postconf -n'.

--
Sahil Tandon <sahil(a)FreeBSD.org>

From: Noel Jones on
On 4/19/2010 6:07 PM, David Cottle wrote:
> I am having some issues with my server blocking ISP IP addresses.
>
> I know a recent update to plesk-9.5.1 changed my postfix main.cf and
> master.cf (the timestamps changed). I managed to fix main.cf as on
> the smtpd_client_restrictions, they put the RBLs first.
>
> Can anyone see what is wrong in the master.cf?
>
> I just want submission on 587 able to bypass RBL checks:
>

> master.cf:
> smtps inet n - - - - smtpd -o smtpd_proxy_filter=127.0.0.1:10025 -o
> smtpd_tls_wrappermode=yes
> submission inet n - - - - smtpd -o smtpd_enforce_tls=yes -o
> smtpd_sasl_auth_enable=yes -o
> smtpd_client_restrictions=permit_sasl_authenticated,reject -o
> smtpd_sender_restrictions= -o smtpd_proxy_filter=127.0.0.1:10025

Typically for both the "smtps" and "submission" entries in
master.cf, one would override all main.cf restrictions by adding:
  -o smtpd_client_restrictions=
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,permit_mynetworks,reject
  -o smtpd_data_restrictions=
...
and then other stuff specific to those services such as sasl,
tls, and content/proxy filter settings.


-- Noel Jones
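
The advice in the message above amounts to checking which smtpd_*_restrictions lists a master.cf service does not override with -o, because those are the ones it takes from main.cf. An added example, not part of the original thread or of Postfix: a small Python audit of master.cf text. The function names are hypothetical, and the sample is the thread's smtps and submission entries re-wrapped as continuation lines.

```python
# Added example (not from the thread): list the smtpd_*_restrictions that a
# master.cf smtpd service does not override with -o, i.e. takes from main.cf.
RESTRICTION_STAGES = (
    "smtpd_client_restrictions",
    "smtpd_helo_restrictions",
    "smtpd_sender_restrictions",
    "smtpd_recipient_restrictions",
    "smtpd_data_restrictions",
)

# Constructed sample: the smtps and submission entries posted in the thread.
SAMPLE_MASTER_CF = """\
# comment lines and blank lines are skipped
smtps inet n - - - - smtpd -o smtpd_proxy_filter=127.0.0.1:10025
  -o smtpd_tls_wrappermode=yes
submission inet n - - - - smtpd -o smtpd_enforce_tls=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_sender_restrictions= -o smtpd_proxy_filter=127.0.0.1:10025
"""

def logical_lines(text):
    """Join continuation lines (those starting with whitespace); drop comments."""
    entries = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and entries:
            entries[-1] += " " + raw.strip()
        else:
            entries.append(raw.strip())
    return entries

def inherited_restrictions(text):
    """Map each smtpd service name to the restriction lists it does not override."""
    report = {}
    for entry in logical_lines(text):
        fields = entry.split()
        if len(fields) < 8 or fields[7] != "smtpd":
            continue  # the eighth field is the command; only smtpd is audited
        args = fields[8:]
        overrides = {args[i + 1].split("=", 1)[0]
                     for i in range(len(args) - 1) if args[i] == "-o"}
        report[fields[0]] = [s for s in RESTRICTION_STAGES if s not in overrides]
    return report

if __name__ == "__main__":
    for service, stages in inherited_restrictions(SAMPLE_MASTER_CF).items():
        print(service, "takes from main.cf:", ", ".join(stages) or "nothing")
```

For the sample, smtps overrides none of the five lists and submission leaves helo, recipient and data to main.cf, which matches the additions suggested in the thread.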

From: mouss on
David Cottle wrote:
> I am having some issues with my server blocking ISP IP addresses.
>
> I know a recent update to plesk-9.5.1 changed my postfix main.cf and
> master.cf (the timestamps changed). I managed to fix main.cf as on
> the smtpd_client_restrictions, they put the RBLs first.
>
> Can anyone see what is wrong in the master.cf?
>

Is plesk open source? Can I install plesk on my freebsd?
If not, case dismissed...

From: webmaster on
Quoting Noel Jones <njones(a)megan.vbhcs.org>:

> On 4/22/2010 7:59 AM, webmaster(a)aus-city.com wrote:
>> Sorry, it's got all truncated. Where exactly do I need to add that in
>> here? (I added an extra line between each)
>>
>> plesk_virtual unix - n n - - pipe flags=DORhu user=popuser:popuser
>> argv=/usr/lib/plesk-9.0/postfix-local -f ${sender} -d ${recipient} -p
>> /var/qmail/mailnames
>>
>> mailman unix - n n - - pipe flags=R user=mailman:mailman
>> argv=/usr/lib/plesk-9.0/postfix-mailman ${nexthop} ${user} ${recipient}
>>
>> 127.0.0.1:10025 inet n n n - - spawn user=mhandlers-user
>> argv=/usr/lib/plesk-9.0/postfix-queue 127.0.0.1 10027 before-queue
>>
>> 127.0.0.1:10026 inet n - - - - smtpd -o smtpd_client_restrictions= -o
>> smtpd_helo_restrictions= -o smtpd_sender_restrictions= -o
>> smtpd_recipient_restrictions=permit_mynetworks,reject -o
>> smtpd_data_restrictions= -o
>> receive_override_options=no_unknown_recipient_checks
>>
>> 127.0.0.1:10027 inet n n n - - spawn user=mhandlers-user
>> argv=/usr/lib/plesk-9.0/postfix-queue 127.0.0.1 10026 before-remote
>>
>> plesk_saslauthd unix y y y - 1 plesk_saslauthd status=5 listen=6
>> dbpath=/plesk/passwd.db
>>
>> smtps inet n - - - - smtpd -o smtpd_proxy_filter=127.0.0.1:10025 -o
>> smtpd_tls_wrappermode=yes
>>
>> submission inet n - - - - smtpd -o smtpd_enforce_tls=yes -o
>> smtpd_sasl_auth_enable=yes -o
>> smtpd_client_restrictions=permit_sasl_authenticated,reject -o
>> smtpd_sender_restrictions= -o smtpd_proxy_filter=127.0.0.1:10025
>
> Add here (to the submission entry)
> -o smtpd_helo_restrictions=
> -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
>
> You may also want to add these to the "smtps" entry.
>
> But this won't fix the problem of the client not authenticating.
>
> -- Noel Jones
>

Hi Noel,

I made the changes as you suggested. My submission line in master now is:

submission inet n - - - - smtpd
  -o smtpd_enforce_tls=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_sender_restrictions=
  -o smtpd_proxy_filter=127.0.0.1:10025
  -o smtpd_helo_restrictions=
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject