I thought I had this figured out but I am still getting blocks.
I have sorbs in as an RBL. It really seems to block a lot of SPAM.
However I have one server that seems to be on the sorbs list that I need to
white list.
I have added them to my good_sender.map
@lancer.sasktel.net OK
lancer.sasktel.net OK
142.165.19.5 OK
and here is the order of things in my main.cf
transport_maps = hash:/etc/postfix/transport
relay_domains = hash:/etc/postfix/relayed_domains.map, $mynetworks
biff = no
bounce_size_limit = 512
default_process_limit = 2000
deliver_lock_attempts = 5
deliver_lock_delay = 1
fork_attempts = 5
fork_delay = 1
hash_queue_depth = 2
initial_destination_concurrency = 10
local_transport = error:local mail delivery is disabled on this machine
maximal_backoff_time = 4000
maximal_queue_lifetime = 3h
message_size_limit = 1000000000
minimal_backoff_time = 300
myorigin = forzani.com
queue_minfree = 100000000
queue_run_delay = 100s
smtpd_helo_required = yes
smtpd_sender_restrictions = reject_unauth_pipelining, reject_non_fqdn_sender
smtpd_timeout = 90s
smtpd_helo_restrictions = permit_mynetworks
reject_rbl_client = dynablock.easynet.nl, dialups.visi.com, bl.spamcop.net,
sbl.spamhaus.org, relays.ordb.org
smtpd_recipient_restrictions =
reject_unauth_pipelining,
reject_non_fqdn_recipient,
reject_non_fqdn_sender,
permit_mynetworks,
reject_unauth_destination,
check_recipient_access hash:/etc/postfix/bad_recipient.map,
check_sender_access hash:/etc/postfix/good_sender.map,
check_recipient_access hash:/etc/postfix/good_recipient.map,
check_client_access hash:/etc/postfix/bad_domain.map,
check_sender_access hash:/etc/postfix/bad_domain.map,
check_sender_access hash:/etc/postfix/spamlist-extended.map,
check_client_access hash:/etc/postfix/forged_check.map,
check_helo_access hash:/etc/postfix/helo_hostname_forged.map,
reject_unknown_sender_domain,
reject_unknown_recipient_domain,
reject_maps_rbl,
permit
maps_rbl_domains = dnsbl.sorbs.net
smtpd_client_restrictions = reject_maps_rbl
If this is wrong can someone point out how I can whitelist this server?
Thanks in advance!
Dan
Under your smtpd_client_restrictions, place good_sender.map before the
reject_maps_rbl
Incidentally, reject_maps_rbl is already deprecated. Please upgrade to
postfix 2.16....
Peter
-----Original Message-----
From: owner-pos...@postfix.org
[mailto:owner-pos...@postfix.org] On Behalf Of Belkie, Dan
Sent: Wednesday, December 17, 2003 2:19 AM
To: 'Postfix users'
Subject: white list with sorbs
Hey Guys!
I thought I had this figured out but I am still getting blocks.
I have sorbs in as an RBL. It really seems to block a lot of SPAM.
However I have one server that seems to be on the sorbs list that I need
to white list.
I have added them to my good_sender.map
@lancer.sasktel.net OK
lancer.sasktel.net OK
142.165.19.5 OK
and here is the order of things in my main.cf
transport_maps = hash:/etc/postfix/transport
relay_domains = hash:/etc/postfix/relayed_domains.map, $mynetworks
biff = no
bounce_size_limit = 512
default_process_limit = 2000
deliver_lock_attempts = 5
deliver_lock_delay = 1
fork_attempts = 5
fork_delay = 1
hash_queue_depth = 2
initial_destination_concurrency = 10
local_transport = error:local mail delivery is disabled on this machine
maximal_backoff_time = 4000
maximal_queue_lifetime = 3h
message_size_limit = 1000000000
minimal_backoff_time = 300
myorigin = forzani.com
queue_minfree = 100000000
queue_run_delay = 100s
smtpd_helo_required = yes
smtpd_sender_restrictions = reject_unauth_pipelining, reject_non_fqdn_sender
smtpd_timeout = 90s
smtpd_helo_restrictions = permit_mynetworks
reject_rbl_client =
smtpd_recipient_restrictions =
reject_unauth_pipelining,
reject_non_fqdn_recipient,
reject_non_fqdn_sender,
permit_mynetworks,
reject_unauth_destination,
check_recipient_access hash:/etc/postfix/bad_recipient.map,
check_sender_access hash:/etc/postfix/good_sender.map,
check_recipient_access hash:/etc/postfix/good_recipient.map,
check_client_access hash:/etc/postfix/bad_domain.map,
check_sender_access hash:/etc/postfix/bad_domain.map,
check_sender_access hash:/etc/postfix/spamlist-extended.map,
check_client_access hash:/etc/postfix/forged_check.map,
check_helo_access hash:/etc/postfix/helo_hostname_forged.map,
reject_unknown_sender_domain,
reject_unknown_recipient_domain,
reject_maps_rbl,
permit
maps_rbl_domains = dnsbl.sorbs.net
smtpd_client_restrictions = reject_maps_rbl
smtpd_client_restrictions =
check_sender_access hash:/etc/postfix/good_sender.map,
reject_maps_rbl
Your entry should be like that....
Peter
> smtpd_recipient_restrictions =
> reject_unauth_pipelining,
> reject_non_fqdn_recipient,
> reject_non_fqdn_sender,
> permit_mynetworks,
> reject_unauth_destination,
> check_recipient_access hash:/etc/postfix/bad_recipient.map,
Change this line to check_client_access
check_sender_access hash:/etc/postfix/good_sender.map,
> check_recipient_access hash:/etc/postfix/good_recipient.map,
> check_client_access hash:/etc/postfix/bad_domain.map,
> check_sender_access hash:/etc/postfix/bad_domain.map,
> check_sender_access hash:/etc/postfix/spamlist-extended.map,
> check_client_access hash:/etc/postfix/forged_check.map,
> check_helo_access hash:/etc/postfix/helo_hostname_forged.map,
> reject_unknown_sender_domain,
> reject_unknown_recipient_domain,
> reject_maps_rbl,
> permit
>
> maps_rbl_domains = dnsbl.sorbs.net
> smtpd_client_restrictions = reject_maps_rbl
>
> If this is wrong can someone point out how I can whitelist this server?
>
> Thanks in advance!
Also, what version of postfix are you using? If newer use
reject_rbl_client dnsbl.sorbs.net in the smtpd_client_restrictions list
and remove the reject_maps_rbl as it is going away.
--
Jeff
> I thought I had this figured out but I am still getting blocks.
>
> I have sorbs in as an RBL. It really seems to block a lot of SPAM.
> However I have one server that seems to be on the sorbs list that I need to
> white list.
>
> I have added them to my good_sender.map
> @lancer.sasktel.net OK
> lancer.sasktel.net OK
> 142.165.19.5 OK
>
> and here is the order of things in my main.cf
[snip]
> reject_rbl_client = dynablock.easynet.nl, dialups.visi.com, bl.spamcop.net,
> sbl.spamhaus.org, relays.ordb.org
This doesn't do anything.
> smtpd_recipient_restrictions =
> reject_unauth_pipelining,
> reject_non_fqdn_recipient,
> reject_non_fqdn_sender,
> permit_mynetworks,
> reject_unauth_destination,
> check_recipient_access hash:/etc/postfix/bad_recipient.map,
> check_sender_access hash:/etc/postfix/good_sender.map,
> check_recipient_access hash:/etc/postfix/good_recipient.map,
> check_client_access hash:/etc/postfix/bad_domain.map,
> check_sender_access hash:/etc/postfix/bad_domain.map,
> check_sender_access hash:/etc/postfix/spamlist-extended.map,
> check_client_access hash:/etc/postfix/forged_check.map,
> check_helo_access hash:/etc/postfix/helo_hostname_forged.map,
> reject_unknown_sender_domain,
> reject_unknown_recipient_domain,
> reject_maps_rbl,
> permit
>
> maps_rbl_domains = dnsbl.sorbs.net
> smtpd_client_restrictions = reject_maps_rbl
Deprecated.
> If this is wrong can someone point out how I can whitelist this server?
Try something like this instead:
maps_rbl_domains =
smtpd_client_restrictions =
smtpd_helo_restrictions =
smtpd_sender_restrictions =
smtpd_recipient_restrictions =
reject_non_fqdn_recipient,
reject_non_fqdn_sender,
permit_mynetworks,
reject_unauth_destination,
check_recipient_access hash:/etc/postfix/bad_recipient.map,
check_sender_access hash:/etc/postfix/good_sender.map,
check_recipient_access hash:/etc/postfix/good_recipient.map,
check_client_access hash:/etc/postfix/bad_domain.map,
check_sender_access hash:/etc/postfix/bad_domain.map,
check_sender_access hash:/etc/postfix/spamlist-extended.map,
check_client_access hash:/etc/postfix/forged_check.map,
check_helo_access hash:/etc/postfix/helo_hostname_forged.map,
reject_unknown_sender_domain,
reject_rbl_client bl.spamcop.net,
reject_rbl_client dnsbl.sorbs.net,
reject_rbl_client sbl.spamhaus.org,
reject_rbl_client relays.ordb.org,
reject_rbl_client dialups.visi.com,
permit
smtpd_data_restrictions = reject_unauth_pipelining
A few things: You can just omit the empty parameters from the config
entirely, as they're empty by default; reject_unknown_recipient_domain
wasn't necessary, and reject_unauth_pipelining only makes sense in
smtpd_data_restrictions. I left the map ordering alone, but I get the
feeling that they're more complex than necessary; you may want to
re-evaluate the ordering and/or necessity yourself. Finally, since you're
having trouble with SORBS, you might want to restrict which of their zones
you use, instead of just using the combined zone. See their site for
more info. RBL ordering is something you should look at after a few
weeks, and change depending on which ones get the most hits to save
unnecessary DNS lookups. dynablock.easynet.nl is gone;
dul.dnsbl.sorbs.net includes it, but you're already using that
indirectly.
Hope this helps.
-Rob
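
Why the whitelist discussed in this thread had no effect, as an added example that is not part of any message above and is not Postfix code: a simplified model of how smtpd walks its restriction lists, comparing the original layout with a sender-keyed and a client-keyed whitelist placed ahead of the DNSBL check. It assumes the default smtpd_delay_reject = yes; reject_rbl_client stands in for either DNSBL restriction, and the sessions, the DNSBL listing and customer.example are constructed.

```python
# Simplified model of Postfix smtpd restriction evaluation (added example, not Postfix code).
# Assumption: lists run client -> helo -> sender -> recipient; OK ends only the
# current list, REJECT ends the whole transaction.
WHITELIST = {"lancer.sasktel.net", "142.165.19.5"}  # good_sender.map keys from the thread
DNSBL_LISTED = {"142.165.19.5"}                     # constructed: the DNSBL lists this IP

def check_sender_access(s):
    """Keys on the envelope sender (MAIL FROM) address or its domain."""
    domain = s["sender"].rsplit("@", 1)[-1]
    return "OK" if s["sender"] in WHITELIST or domain in WHITELIST else "DUNNO"

def check_client_access(s):
    """Keys on the connecting client's IP address or hostname."""
    return "OK" if {s["client_ip"], s["client_name"]} & WHITELIST else "DUNNO"

def reject_rbl_client(s):
    return "REJECT" if s["client_ip"] in DNSBL_LISTED else "DUNNO"

def permit(s):
    return "OK"

def evaluate(config, session):
    for stage in ("client", "helo", "sender", "recipient"):
        for restriction in config.get(stage, []):
            result = restriction(session)
            if result == "REJECT":
                return f"REJECT at {stage}:{restriction.__name__}"
            if result == "OK":
                break  # skips the rest of this list only
    return "ACCEPT"

# The three layouts discussed in the thread, reduced to the relevant restrictions.
ORIGINAL = {"client": [reject_rbl_client],
            "recipient": [check_sender_access, reject_rbl_client, permit]}
SENDER_MAP_FIRST = {"client": [check_sender_access, reject_rbl_client],
                    "recipient": [check_sender_access, reject_rbl_client, permit]}
CLIENT_MAP_FIRST = {"client": [check_client_access, reject_rbl_client],
                    "recipient": [check_client_access, reject_rbl_client, permit]}

# Constructed sessions: same listed relay, two different envelope senders.
LOCAL = {"client_ip": "142.165.19.5", "client_name": "lancer.sasktel.net",
         "sender": "user@lancer.sasktel.net"}
HOSTED = dict(LOCAL, sender="user@customer.example")

if __name__ == "__main__":
    for name, cfg in [("original", ORIGINAL), ("sender map first", SENDER_MAP_FIRST),
                      ("client map first", CLIENT_MAP_FIRST)]:
        print(name, "|", evaluate(cfg, LOCAL), "|", evaluate(cfg, HOSTED))
```

In the original layout the client list rejects before the recipient list's whitelist is ever consulted; a sender-keyed map only rescues mail whose envelope sender matches, while a client-keyed map covers everything the listed relay sends.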