From: Victor Duchovni on
On Wed, Apr 21, 2010 at 04:04:32PM -0400, Russell Horn wrote:

> Hi,
>
> I believed I had the whole facebook IP block covered by
> /etc/postfix/access by adding the line:
>
> 69.63.176.0/20 OK
>
> And recreating the hash file.

cidr != hash

Choose one or the other.

cidr:
69.63.176.0/20 OK

hash:
69.63.176 OK
69.63.177 OK
69.63.178 OK
69.63.179 OK
69.63.180 OK
69.63.181 OK
69.63.182 OK
69.63.183 OK
69.63.184 OK
69.63.185 OK
69.63.186 OK
69.63.187 OK
69.63.188 OK
69.63.189 OK
69.63.190 OK
69.63.191 OK

--
Viktor.

P.S. Morgan Stanley is looking for a New York City based, Senior Unix
system/email administrator to architect and sustain our perimeter email
environment. If you are interested, please drop me a note.

From: Noel Jones on
On 4/21/2010 3:04 PM, Russell Horn wrote:
> Hi,
>
> I believed I had the whole facebook IP block covered by
> /etc/postfix/access by adding the line:
>
> 69.63.176.0/20 OK
>
> And recreating the hash file.

cidr: syntax is not supported in hash: files. You can list
the first three octets to simulate a /24 or you can list
each IP individually.


> paddington:~ # postconf -n
> local_recipient_maps = proxy:unix:passwd.byname $alias_maps
> $virtual_mailbox_maps

$virtual_mailbox_maps should not be included in
local_recipient_maps. This implies you have a
virtual_mailbox_domain listed in mydestination; don't do that.

> maps_rbl_domains = blackholes.mail-abuse.org, sbl.spamhaus.org,
> bl.spamcop.net, blackholes.easynet.nl

The easynet.nl blacklists have been retired for years. Most
people have moved from sbl.spamhaus.org to zen.spamhaus.org.
mail-abuse.org is a subscription-only service.

RBLs are not a set-and-forget item.

Anyway, maps_rbl_domains is a deprecated syntax. You should
be using "reject_rbl_client rbl.example.com" in your
smtpd_*_restrictions instead.

[...]

You should probably set relay_domains empty if you're not
using any relay_domains:

relay_domains =

> smtpd_client_restrictions = hash:/etc/postfix/access, reject_maps_rbl

Deprecated syntax. This should be
smtpd_client_restrictions =
    check_client_access hash:/etc/postfix/access
    reject_rbl_client zen.spamhaus.org
    reject_rbl_client bl.spamcop.net

> smtpd_recipient_restrictions = permit_mynetworks,
> permit_sasl_authenticated, check_client_access
> hash:/etc/postfix/access, reject_unauth_destination

Open relay warning! Any client listed with OK in your access
file has relay access.

To fix this, move reject_unauth_destination BEFORE
check_client_access.
http://www.postfix.org/SMTPD_ACCESS_README.html#danger

> hash:/etc/postfix/block,

Using a hash: file without a check_{something}_access statement
is deprecated syntax. Use:
check_recipient_access hash:/etc/postfix/block

> reject_non_fqdn_hostname,
> reject_non_fqdn_sender, reject_non_fqdn_recipient,
> reject_invalid_hostname, reject_unknown_sender_domain,
> reject_unknown_client, check_relay_domains

check_relay_domains is deprecated (and doesn't do any good
here at the end of your restrictions). Remove it.


-- Noel Jones
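
The ordering problem flagged in the reply above can be checked mechanically. The following is an added example, not code from either poster or from Postfix: a small lint for a smtpd_recipient_restrictions value that reports access-table lookups placed before reject_unauth_destination and the deprecated items named in the thread. The function name and the sample value (assembled from the fragments quoted above) are assumptions made for illustration.

```python
import re

# Constructed sample: recipient restrictions assembled from the quoted fragments.
SAMPLE = """permit_mynetworks, permit_sasl_authenticated, check_client_access
 hash:/etc/postfix/access, reject_unauth_destination, hash:/etc/postfix/block,
 reject_non_fqdn_hostname, reject_unknown_client, check_relay_domains"""

DEPRECATED = {"check_relay_domains", "reject_maps_rbl"}    # named in the thread
TAKES_ARG = {"reject_rbl_client", "check_policy_service"}  # argument is not a bare map
ACCESS_RE = re.compile(r"^check_\w+_access$")


def lint_restrictions(value):
    """Return (relay_risks, deprecated) for a smtpd_recipient_restrictions value.

    relay_risks: table lookups evaluated before reject_unauth_destination,
    where an OK result would permit relaying to any destination.
    """
    tokens = [t for t in re.split(r"[,\s]+", value) if t]
    relay_risks, deprecated = [], []
    guarded = False  # becomes True once reject_unauth_destination has been seen
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "reject_unauth_destination":
            guarded = True
        elif ACCESS_RE.match(tok) and i + 1 < len(tokens):
            i += 1  # consume the type:table argument
            if not guarded:
                relay_risks.append(f"{tok} {tokens[i]}")
        elif tok in TAKES_ARG:
            i += 1  # skip the argument so it is not mistaken for a bare map
        elif ":" in tok:  # bare type:table without check_*_access
            deprecated.append(tok)
            if not guarded:
                relay_risks.append(tok)
        elif tok in DEPRECATED:
            deprecated.append(tok)
        i += 1
    return relay_risks, deprecated


if __name__ == "__main__":
    risks, old = lint_restrictions(SAMPLE)
    print("lookups before reject_unauth_destination:", risks)
    print("deprecated syntax:", old)
```

The check applies to smtpd_recipient_restrictions only; in smtpd_client_restrictions an OK result does not bypass reject_unauth_destination.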