From: Noel Jones on
On 3/3/2010 6:40 PM, Noel Jones wrote:
> On 3/3/2010 6:13 PM, Stan Hoeppner wrote:
>> What's the best way to integrate the Spamhaus DBL for folks not already
>> using SA et al?
>>
>> Will the following work, or does it check only the entire hostname, and not
>> the domain portion in isolation as well?
>>
>> smtpd_recipient_restrictions =
>>     reject_rhsbl_client dbl.spamhaus.org
>>
>
> (note for the archives: that's not a complete
> smtpd_recipient_restrictions statement.)
>
> With reject_rhsbl_client, the query is for the full client name, not
> substrings. Spamhaus DBL may be more useful with reject_rhsbl_sender,
> which checks the Right Hand Side of the email address; everything after
> the "@", or maybe reject_rhsbl_helo, which checks the full HELO name.
>
> -- Noel Jones


Additionally, it appears that dbl.spamhaus.org lists wildcard
subdomains. So for example if dbl lists "spammer.tld" and the
HELO name is random.foo.spammer.tld it should still be caught
by reject_rhsbl_helo.

This is good; looking forward to seeing results.

As with any new (or newly added to your config) RBL, it's
prudent to try it out for a while with warn_if_reject to
prevent accidents.

-- Noel Jones

From: Stan Hoeppner on
Noel Jones put forth on 3/3/2010 7:16 PM:

> Additionally, it appears that dbl.spamhaus.org lists wildcard
> subdomains. So for example if dbl lists "spammer.tld" and the HELO name
> is random.foo.spammer.tld it should still be caught by reject_rhsbl_helo.

Checking the HELO name against the DBL is an ok start, but I'd really like
to be able to check rDNS domain name and/or A record domain name against the
DBL as well. Is there no Postfix check available for this?

> This is good; looking forward to seeing results.

Me too.

> As with any new (or newly added to your config) RBL, it's prudent to try
> it out for a while with warn_if_reject to prevent accidents.

Yep.

--
Stan

From: Stan Hoeppner on
Noel Jones put forth on 3/3/2010 7:16 PM:

>>> smtpd_recipient_restrictions =
>>>     reject_rhsbl_client dbl.spamhaus.org

>> (note for the archives: that's not a complete
>> smtpd_recipient_restrictions statement.)

BTW, what is incomplete WRT the above restriction example I gave?

reject_rhsbl_client rbl_domain=d.d.d.d
Reject the request when the client hostname is listed with the A record
"d.d.d.d" under rbl_domain (Postfix version 2.1 and later only). If no
"=d.d.d.d" is specified, reject the request when the client hostname is
listed with any A record under rbl_domain. See the reject_rbl_client
description above for additional RBL related configuration parameters. This
feature is available in Postfix 2.0 and later.

--
Stan

From: /dev/rob0 on
On Wed, Mar 03, 2010 at 09:29:50PM -0600, Stan Hoeppner wrote:
> Noel Jones put forth on 3/3/2010 7:16 PM:
>
> >>> smtpd_recipient_restrictions =
> >>>     reject_rhsbl_client dbl.spamhaus.org
>
> >> (note for the archives: that's not a complete
> >> smtpd_recipient_restrictions statement.)
>
> BTW, what is incomplete WRT the above restriction example I gave?

I think you know; smtpd_recipient_restrictions must include a
restriction which will prevent open relaying. A "complete" way to
show a partial smtpd_recipient_restrictions example is with ellipses:
    smtpd_recipient_restrictions = [ ... ]
        reject_rhsbl_client dbl.spamhaus.org[, ... ]
Thus implying to the reader that more is needed here, and s/he would
be well advised to look it up in postconf(5) documentation.

It's no big deal, but someone who Googles your post could end up
frustrated.
--
Offlist mail to this address is discarded unless
"/dev/rob0" or "not-spam" is in Subject: header
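
For readers arriving from a search, an added example (not written by any poster in this thread) of a complete statement that combines the points above: relay control first, then the DBL checks Noel suggested, each behind warn_if_reject for the trial period. The use of permit_mynetworks and permit_sasl_authenticated is an assumption about the site.

```cfg
# /etc/postfix/main.cf -- added example; adjust the permit_* lines to your site.
#
# Fragment as posted in the thread (no relay-control restriction):
#
#   smtpd_recipient_restrictions =
#       reject_rhsbl_client dbl.spamhaus.org
#
# Complete statement. Continuation lines must begin with whitespace.
smtpd_recipient_restrictions =
# Trusted clients and authenticated users are accepted before any DBL lookup.
    permit_mynetworks,
    permit_sasl_authenticated,
# The restriction that prevents open relaying; keep it ahead of the DBL checks.
    reject_unauth_destination,
# Trial mode: warn_if_reject logs a "reject_warning" instead of rejecting.
# reject_rhsbl_helo queries the full HELO name under the DBL zone.
    warn_if_reject reject_rhsbl_helo dbl.spamhaus.org,
# reject_rhsbl_sender queries the domain after the "@" of the envelope sender.
    warn_if_reject reject_rhsbl_sender dbl.spamhaus.org
```

During the trial, search the mail log for "reject_warning" to see what would have been rejected; once the hits look correct, remove the warn_if_reject prefixes and reload Postfix.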

From: Stan Hoeppner on
/dev/rob0 put forth on 3/3/2010 10:31 PM:
> On Wed, Mar 03, 2010 at 09:29:50PM -0600, Stan Hoeppner wrote:
>> Noel Jones put forth on 3/3/2010 7:16 PM:
>>
>>>>> smtpd_recipient_restrictions =
>>>>>     reject_rhsbl_client dbl.spamhaus.org
>>
>>>> (note for the archives: that's not a complete
>>>> smtpd_recipient_restrictions statement.)
>>
>> BTW, what is incomplete WRT the above restriction example I gave?
>
> I think you know; smtpd_recipient_restrictions must include a
> restriction which will prevent open relaying. A "complete" way to
> show a partial smtpd_recipient_restrictions example is with ellipses:
>     smtpd_recipient_restrictions = [ ... ]
>         reject_rhsbl_client dbl.spamhaus.org[, ... ]
> Thus implying to the reader that more is needed here, and s/he would
> be well advised to look it up in postconf(5) documentation.
>
> It's no big deal, but someone who Googles your post could end up
> frustrated.

Got it now. I thought I was being called out for incorrect syntax whilst
using a client restriction in the recipient restriction section. Spent 15
minutes in docs trying to figure out what I had wrong...nothing.

I'll try to be mindful and add section filler in the future to avoid this
possible problem for Googlers.

--
Stan
