Bypassing RBL/SA based on recipient address

Bypassing RBL/SA based on recipient address

Derek-62
Hi Folks

I have tried to set up a whitelist for some domains, the idea is to have the whitelisted domains bypass RBL and spamassassin checks (i.e. deliver everything!).

/etc/postfix/main.cf
smtpd_recipient_restrictions =
                              permit_mynetworks,
                              permit_sasl_authenticated,
                              permit_auth_destination,
                              check_recipient_access hash:/etc/postfix/whitelist-recipient,
                              reject_non_fqdn_hostname,
                              reject_non_fqdn_sender,
                              reject_non_fqdn_recipient,
                              reject_unknown_sender_domain,
                              reject_unauth_destination,
                              reject_rbl_client zen.spamhaus.org,
                              reject_rbl_client dnsbl.njabl.org,
                              reject_rhsbl_sender dsn.rfc-ignorant.org,
                              permit

/etc/postfix/whitelist-recipient
domain1.com OK
domain2.com OK

With the above implemented, I still get RBL checks performed on the whitelist domains.  Could this be accomplished by using "check_recipient_access" in the "smtpd_sender_restrictions" stanza? I have set up an "all_spam_to" for these domains in spamassassin but it would be nice if I can bypass it altogether for the domains in question, although my main concern is bypassing RBLs.

Also my thoughts are it might be redundant having "reject_rbl_client" and "reject_rhsbl_sender" under "smtpd_recipient_restrictions" - can anyone comment?

Thanks for your time, appreciate it

Cheers
Derek

Re: Bypassing RBL/SA based on recipient address

Noel Jones-2
Derek wrote:

> Hi Folks
>
> I have tried to set up a whitelist for some domains, the idea is to have
> the whitelisted domains bypass RBL and spamassassin checks (i.e. deliver
> everything!).
>
> /etc/postfix/main.cf
> smtpd_recipient_restrictions =
>                               permit_mynetworks,
>                               permit_sasl_authenticated,
>                               permit_auth_destination,
>                               check_recipient_access hash:/etc/postfix/whitelist-recipient,
>                               reject_non_fqdn_hostname,
>                               reject_non_fqdn_sender,
>                               reject_non_fqdn_recipient,
>                               reject_unknown_sender_domain,
>                               reject_unauth_destination,
>                               reject_rbl_client zen.spamhaus.org,
>                               reject_rbl_client dnsbl.njabl.org,
>                               reject_rhsbl_sender dsn.rfc-ignorant.org,
>                               permit
>
> /etc/postfix/whitelist-recipient
> domain1.com OK
> domain2.com OK
>
> With the above implemented, I still get RBL checks performed on the
> whitelist domains.  

You need to show your "postconf -n" output, as requested.  The
above config will not perform any RBL checks.

    permit_mynetworks, permit_sasl_authenticated
allow authorized users.
    permit_auth_destination
allow any domain this server is responsible for.

The only mail left at this point is unauthorized relay
attempts - normally a very small fraction of mail.

These unauthorized attempts will be blocked by
reject_unauth_destination.  Nothing below that will ever be
evaluated.

You can use a check_recipient_access map prior to RBL checks
to bypass the RBL restrictions, but you cannot use this method
to bypass a content_filter.

To bypass a content_filter completely, you need two separate
postfix instances, each with its own queue and config
directory.  Then you can use transport_maps to route mail to
either the content filter or the second postfix instance.
It's often easier to use a content filter that supports
whitelisting internally.

>   Could this be accomplished by using
> "check_recipient_access" in the "smtpd_sender_restrictions" stanza? I
> have set up an "all_spam_to" for these domains in spamassassin but it
> would be nice if I can bypass it altogether for the domains in
> question, although my main concern is bypassing RBLs
>                              
> Also my thoughts are it might be redundant having "reject_rbl_client"
> and "reject_rhsbl_sender" under "smtpd_recipient_restrictions" - can
> anyone comment?

It's redundant to have any restriction listed more than once.
It's common to list all restrictions under
smtpd_recipient_restrictions so you can easily see the order
they are performed in, and so you only have to whitelist once.

# basic main.cf config
smtpd_client_restrictions =
smtpd_helo_restrictions =
smtpd_sender_restrictions =
smtpd_recipient_restrictions =
   permit_mynetworks
   permit_sasl_authenticated
   reject_unauth_destination
   ... local whitelists ...
   ... local blacklists ...
   ... local UCE checks (RBLs etc.) ...


>
> Thanks for your time, appreciate it
>
> Cheers
> Derek

--
Noel Jones
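
The evaluation order described in the reply above, as an added example that is not part of either post and is not Postfix code: a simplified first-match model comparing the restriction order from the question with the order from the reply. The domains `example.org` and `elsewhere.test`, the IP addresses and the set contents are constructed sample values; `permit_sasl_authenticated` and the `reject_non_fqdn_*` / `reject_unknown_sender_domain` checks are left out of the model.

```python
# Simplified model of first-match restriction evaluation (added example).
# Each restriction returns "OK", "REJECT" or None (no decision, try the next).

LOCAL_DOMAINS = {"domain1.com", "example.org"}  # constructed: domains this server handles
WHITELIST = {"domain1.com"}                     # constructed whitelist-recipient map
RBL_LISTED = {"192.0.2.66"}                     # constructed: client IP an RBL lists
MYNETWORKS = {"10.0.0.5"}                       # constructed trusted client

def decide(name, client, rcpt_domain):
    if name == "permit_mynetworks":
        return "OK" if client in MYNETWORKS else None
    if name == "permit_auth_destination":
        return "OK" if rcpt_domain in LOCAL_DOMAINS else None
    if name == "reject_unauth_destination":
        return None if rcpt_domain in LOCAL_DOMAINS else "REJECT"
    if name == "check_recipient_access":
        return "OK" if rcpt_domain in WHITELIST else None
    if name == "reject_rbl_client":
        return "REJECT" if client in RBL_LISTED else None
    if name == "permit":
        return "OK"
    raise ValueError(f"unmodelled restriction: {name}")

def evaluate(restrictions, client, rcpt_domain):
    """Return (result, deciding restriction); the first decision ends the list."""
    for name in restrictions:
        result = decide(name, client, rcpt_domain)
        if result is not None:
            return result, name
    return "OK", "(end of list)"  # nothing matched: the mail is accepted

# Order from the question: permit_auth_destination accepts every local
# recipient before the whitelist or the RBL lines are looked at.
QUESTION_ORDER = ["permit_mynetworks", "permit_auth_destination",
                  "check_recipient_access", "reject_unauth_destination",
                  "reject_rbl_client", "permit"]

# Order from the reply: relay check first, then whitelist, then RBL.
REPLY_ORDER = ["permit_mynetworks", "reject_unauth_destination",
               "check_recipient_access", "reject_rbl_client"]

if __name__ == "__main__":
    for label, order in (("question", QUESTION_ORDER), ("reply", REPLY_ORDER)):
        for rcpt in ("domain1.com", "example.org", "elsewhere.test"):
            print(label, rcpt, evaluate(order, "192.0.2.66", rcpt))
```

In the reply's order the whitelist sits after `reject_unauth_destination`, so an `OK` from the recipient map can only accept mail for domains the server already handles.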