Blacklisting during submission

Rich Wales
I want to check the destination addresses of e-mail sent by my local
users against one or more trusted blacklists (to reduce the chances
of my local users responding to spam mail, etc.).

But I *don't* want to check my own local domain against blacklists;
I want to skip the blacklist checks (and not pester Spamhaus et al.)
if the destination is local or something I relay to.

Would something like the following do what I need in my submission
(port 587) service?  (I'm adding line breaks for greater readability
while discussing the question here on the list.)

-o smtpd_sender_restrictions=reject_sender_login_mismatch,
        permit_sasl_authenticated,reject

-o smtpd_recipient_restrictions=permit_auth_destination,
        reject_rhsbl_recipient,dbl.spamhaus.org,
        permit_sasl_authenticated,reject

It seems a bit strange to have permit_sasl_authenticated used twice,
but apparently I have to include it as a recipient restriction (followed
by "reject") no matter what, because smtpd_recipient_restrictions is
required to include at least one of reject, defer, defer_if_permit, or
reject_unauth_destination.

So . . . .  If I understand how things work, the above *should* require
SASL authentication for anyone using my submission service (and also
require their login identity to correspond to their MAIL FROM: address
per reject_sender_login_mismatch) . . .

and assuming the user successfully authenticates, the destination
address should be accepted if it's local or something I relay to
(permit_auth_destination), *or* if it's not in the Spamhaus domain
blacklist.  The second "permit_sasl_authenticated" appears to be
required in smtpd_recipient_restrictions, but since it succeeded in
the smtpd_sender_restrictions, it should succeed the second time too.

Does this look OK?  Or is there some obscure pitfall I need to be
aware of?

Rich Wales
[hidden email]
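The question turns on how Postfix walks a restriction list: each restriction answers PERMIT, REJECT or DUNNO, the first PERMIT or REJECT ends evaluation, and a list that runs out without a decision is permitted (which is why smtpd_recipient_restrictions must contain a reject-type restriction). The following is an added example, not Postfix code and not from the post: it models the restrictions named above with their documented semantics and runs the proposed sender and recipient lists against a few constructed sessions. The local domain, relay domain, sender-login map and RHSBL listing are assumed stand-ins (the real reject_rhsbl_recipient would query dbl.spamhaus.org over DNS); a second recipient list with permit_sasl_authenticated moved to the front shows the ordering pitfall, where an authenticated user is permitted before the RHSBL is ever consulted.

```python
"""Model of Postfix smtpd restriction-list evaluation for the submission
service discussed above.  Added example, not Postfix source: the restriction
functions mimic the documented semantics, and all data below is constructed."""

PERMIT, REJECT, DUNNO = "PERMIT", "REJECT", "DUNNO"

# Constructed configuration (assumed values, not from the original post).
MYDESTINATION = {"example.org"}                        # stands in for mydestination
RELAY_DOMAINS = {"partner.example"}                    # stands in for relay_domains
SENDER_LOGIN_MAP = {"alice@example.org": {"alice"},    # stands in for smtpd_sender_login_maps
                    "bob@example.org": {"bob"}}
RHSBL_LISTED = {"spammer.test"}                        # stands in for dbl.spamhaus.org


def domain_of(address):
    return address.rpartition("@")[2].lower()


def reject_sender_login_mismatch(s):
    # Authenticated client must own MAIL FROM; unauthenticated client must not
    # use a MAIL FROM that some login owns.
    owners = SENDER_LOGIN_MAP.get(s["sender"].lower(), set())
    if s["sasl_username"]:
        return DUNNO if s["sasl_username"] in owners else REJECT
    return REJECT if owners else DUNNO


def permit_auth_destination(s):
    d = domain_of(s["recipient"])
    return PERMIT if d in MYDESTINATION or d in RELAY_DOMAINS else DUNNO


def reject_rhsbl_recipient(s):
    # Domain part of RCPT TO looked up in the RHSBL (here a constructed set).
    return REJECT if domain_of(s["recipient"]) in RHSBL_LISTED else DUNNO


def permit_sasl_authenticated(s):
    return PERMIT if s["sasl_username"] else DUNNO


def reject(s):
    return REJECT


def evaluate(restrictions, session):
    """First PERMIT or REJECT wins; DUNNO falls through.  Returns the verdict
    and the names of the restrictions actually consulted, so it is visible
    whether the RHSBL lookup happened.  Postfix permits when a list ends with
    no decision."""
    trail = []
    for r in restrictions:
        trail.append(r.__name__)
        verdict = r(session)
        if verdict != DUNNO:
            return verdict, trail
    return PERMIT, trail


# The lists from the post.  With smtpd_delay_reject=yes (the default) Postfix
# evaluates sender restrictions, then recipient restrictions, at RCPT TO.
SENDER_RESTRICTIONS = [reject_sender_login_mismatch, permit_sasl_authenticated, reject]
RECIPIENT_RESTRICTIONS = [permit_auth_destination, reject_rhsbl_recipient,
                          permit_sasl_authenticated, reject]
# Pitfall variant: permit_sasl_authenticated first means the RHSBL is never
# consulted for an authenticated user.
LENIENT_RECIPIENT_RESTRICTIONS = [permit_sasl_authenticated, permit_auth_destination,
                                  reject_rhsbl_recipient, reject]


def submit(sasl_username, sender, recipient,
           recipient_restrictions=RECIPIENT_RESTRICTIONS):
    session = {"sasl_username": sasl_username, "sender": sender, "recipient": recipient}
    verdict, trail = evaluate(SENDER_RESTRICTIONS, session)
    if verdict == REJECT:
        return verdict, "sender", trail
    verdict, trail = evaluate(recipient_restrictions, session)
    return verdict, "recipient", trail


if __name__ == "__main__":
    cases = [("alice", "alice@example.org", "bob@example.org"),      # local: RHSBL skipped
             ("alice", "alice@example.org", "victim@spammer.test"),  # listed: rejected
             ("alice", "alice@example.org", "friend@elsewhere.test"),  # clean remote: permitted
             (None, "nobody@elsewhere.test", "bob@example.org"),     # no SASL: rejected
             ("alice", "mallory@example.org", "bob@example.org")]    # login/sender mismatch
    for args in cases:
        print(args, "->", submit(*args))
    print("lenient order:", submit("alice", "alice@example.org", "victim@spammer.test",
                                   LENIENT_RECIPIENT_RESTRICTIONS))
```

The trail returned for a local recipient contains only permit_auth_destination, confirming that the RHSBL is not consulted for local or relay destinations, while a listed remote domain is rejected before the second permit_sasl_authenticated is reached; with the lenient ordering the same listed domain is permitted on the first restriction.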