RBL & Postfix


RBL & Postfix

neugi
Hi,

I want to use RBL blocking with Postfix, but I've got a small problem: I've many users that work with mobile internet (UMTS modem from T-Mobile) and often they are listed and users are complaining that they cannot send emails out.

My question now is: can I restrict RBL only to incoming mails, or is there a list that will not list mobile users from T-Mobile?

best

Re: RBL & Postfix

Udo Rader
neugi wrote:
> Hi,
>
> I want to use RBL blocking with Postfix, but I've got a small problem: I've many
> users that work with mobile internet (UMTS modem from T-Mobile) and
> often they are listed and users are complaining that they cannot send
> emails out.
>
> My question now is: can I restrict RBL only to incoming mails, or is
> there a list that will not list mobile users from T-Mobile?

use SASL to make users authenticate to your server (SMTP authentication)
and give SASL authenticated connections precedence like this:

smtpd_client_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_rbl_client your.rbl.list,
    [...]


see http://www.postfix.org/SASL_README.html

--
Udo Rader
http://www.bestsolution.at


Re: RBL & Postfix

Udo Rader
Udo Rader wrote:

> neugi wrote:
>> Hi,
>>
>> I want to use RBL blocking with Postfix, but I've got a small problem: I've
>> many users that work with mobile internet (UMTS modem from T-Mobile)
>> and often they are listed and users are complaining that they cannot
>> send emails out.
>>
>> My question now is: can I restrict RBL only to incoming mails, or is
>> there a list that will not list mobile users from T-Mobile?
>
> use SASL to make users authenticate to your server (SMTP authentication)
> and give SASL authenticated connections precedence like this:
>
> smtpd_client_restrictions =
>    permit_mynetworks,
>    permit_sasl_authenticated,
>    reject_rbl_client your.rbl.list,
>    [...]

sorry, this should read

smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_rbl_client your.rbl.list,
    [...]

--
Udo Rader
http://www.bestsolution.at

Re: RBL & Postfix

neugi
In reply to this post by Udo Rader
Hi,

Thanks, SASL is already active.

I'll give it a try by adding zen.spamhaus.org.

best



Re: RBL & Postfix

lst_hoe02
Quoting neugi <[hidden email]>:

> Hi,
>
> Thanks, SASL is already active.

In this case you have the wrong order of restrictions. The
"permit_sasl_authenticated" must be before any RBL and other spam
tests. Most of the time it is best to set it on top of all
restrictions. This way, for SASL authenticated users no checks are done
at all.

Regards

Andreas




Re: RBL & Postfix

Erwan David
On Mon, Dec 15, 2008 at 11:11:07AM CET, [hidden email] said:

> Quoting neugi <[hidden email]>:
>
>> Hi,
>>
>> Thanks, SASL is already active.
>
> In this case you have the wrong order of restrictions. The  
> "permit_sasl_authenticated" must be before any RBL and other spam tests.
> Most of the time it is best to set it on top of all restrictions. This way
> for SASL authenticated user no checks are done at all.

And put permit_mynetworks just next to it.

--
Erwan

Re: RBL & Postfix

neugi
In reply to this post by lst_hoe02
Hi,

permit_sasl_authenticated is already the first entry ;)

Right now it looks like this:

smtpd_recipient_restrictions =
          permit_sasl_authenticated,
          permit_mynetworks,
          reject_rbl_client sbl.spamhaus.org,
          reject_unauth_destination,
          reject_non_fqdn_recipient,
          reject_non_fqdn_sender,
          reject_unauth_pipelining,
          reject_unknown_recipient_domain,
          reject_unknown_sender_domain,
          check_policy_service inet:127.0.0.1:60000

best



Re: RBL & Postfix

mouss-2
neugi wrote:

> Hi,
>
> permit_sasl_authenticated is already the first entry ;)
>
> Right now it looks like this:
>
> smtpd_recipient_restrictions =
>           permit_sasl_authenticated,
>           permit_mynetworks,
>           reject_rbl_client sbl.spamhaus.org <http://sbl.spamhaus.org>,
>           reject_unauth_destination,
>           reject_non_fqdn_recipient,
>           reject_non_fqdn_sender,
>           reject_unauth_pipelining,
>           reject_unknown_recipient_domain,
>           reject_unknown_sender_domain,
>           check_policy_service inet:127.0.0.1:60000 <http://127.0.0.1:60000>
>

better order (and removal of useless checks):

smtpd_recipient_restrictions =
           reject_non_fqdn_recipient,
           reject_non_fqdn_sender,
           permit_sasl_authenticated,
           permit_mynetworks,
           reject_unauth_destination,
           reject_unknown_sender_domain,
           reject_rbl_client sbl.spamhaus.org,
           check_policy_service inet:127.0.0.1:60000


PS1. when posting from gmail, hit the "text" button. those <http://...>
things are ugly.

PS2. do not top post. put your replies after the text you reply to.

Re: RBL & Postfix

lst_hoe02
In reply to this post by neugi
Quoting neugi <[hidden email]>:

> Hi,
>
> permit_sasl_authenticated is already the first entry ;)
>
> Right now it looks like this:
>
> smtpd_recipient_restrictions =
>           permit_sasl_authenticated,
>           permit_mynetworks,
>           reject_rbl_client sbl.spamhaus.org,
>           reject_unauth_destination,
>           reject_non_fqdn_recipient,
>           reject_non_fqdn_sender,
>           reject_unauth_pipelining,
>           reject_unknown_recipient_domain,
>           reject_unknown_sender_domain,
>           check_policy_service inet:127.0.0.1:60000


So either you have other restrictions set in
smtpd_(client/helo/sender/recipient)_restrictions, or your clients
do not authenticate via SASL.

Regards

Andreas



Re: RBL & Postfix

neugi
2008/12/15  <[hidden email]>:

> Quoting neugi <[hidden email]>:
>
>> Hi,
>>
>> permit_sasl_authenticated is already the first entry ;)
>>
>> Right now it looks like this:
>>
>> smtpd_recipient_restrictions =
>>          permit_sasl_authenticated,
>>          permit_mynetworks,
>>          reject_rbl_client sbl.spamhaus.org,
>>          reject_unauth_destination,
>>          reject_non_fqdn_recipient,
>>          reject_non_fqdn_sender,
>>          reject_unauth_pipelining,
>>          reject_unknown_recipient_domain,
>>          reject_unknown_sender_domain,
>>          check_policy_service inet:127.0.0.1:60000
>
>
> So you have other restrictions set in
> smtpd_(clients/helo/sender/recipient)_restrictions set or your clients do
> not authenticate per SASL.
>
> Regards
>
> Andreas
>
>
>

complete config:

# See /usr/share/postfix/main.cf.dist for a commented, more complete version

smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
mydestination = $myhostname, $mydomain, mysql:/etc/postfix/mysql-mydestination.cf
mailbox_size_limit = 0
recipient_delimiter = +

mydomain = domain.com
myhostname = domain.com


mailbox_transport = cyrus
virtual_alias_maps = mysql:/etc/postfix/mysql-virtual.cf
sender_canonical_maps = mysql:/etc/postfix/mysql-canonical.cf

smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions =
          permit_sasl_authenticated,
          permit_mynetworks,
          reject_rbl_client sbl.spamhaus.org,
          reject_unauth_destination,
          reject_non_fqdn_recipient,
          reject_non_fqdn_sender,
          reject_unauth_pipelining,
          reject_unknown_recipient_domain,
          reject_unknown_sender_domain,
          check_policy_service inet:127.0.0.1:60000

smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain =
broken_sasl_auth_clients = yes

# TLS
smtpd_use_tls = yes

# smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/postfix/mailserver.cert
smtpd_tls_key_file = /etc/postfix/mailserver.key
smtpd_tls_CAfile = /etc/postfix/mailserver.cert
message_size_limit = 40240000
mynetworks = 127.0.0.0/8

best

Re: RBL & Postfix

Charles Marcus
On 12/15/2008, neugi ([hidden email]) wrote:
> complete config:

Always show output of postconf -n, not copy/paste from main.cf...

Someone else recently discovered they were editing the wrong main.cf
file this way...


Re: RBL & Postfix

neugi
2008/12/15 Charles Marcus <[hidden email]>:
> On 12/15/2008, neugi ([hidden email]) wrote:
>> complete config:
>
> Always show output of postconf -n, not copy/paste from main.cf...
>
> Someone else recently discovered they were editing the wrong main.cf
> file this way...
>
>

output of postconf -n


alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
broken_sasl_auth_clients = yes
config_directory = /etc/postfix
mailbox_size_limit = 0
mailbox_transport = cyrus
message_size_limit = 40240000
mydestination = $myhostname, $mydomain, mysql:/etc/postfix/mysql-mydestination.cf
mydomain = domain.com
myhostname = domain.com
mynetworks = 127.0.0.0/8
recipient_delimiter = +
sender_canonical_maps = mysql:/etc/postfix/mysql-canonical.cf
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_rbl_client sbl.spamhaus.org, reject_unauth_destination, reject_non_fqdn_recipient, reject_non_fqdn_sender, reject_unauth_pipelining, reject_unknown_recipient_domain, reject_unknown_sender_domain, check_policy_service inet:127.0.0.1:60000
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
smtpd_sasl_security_options = noanonymous
smtpd_tls_CAfile = /etc/postfix/mailserver.cert
smtpd_tls_cert_file = /etc/postfix/mailserver.cert
smtpd_tls_key_file = /etc/postfix/mailserver.key
smtpd_use_tls = yes
virtual_alias_maps = mysql:/etc/postfix/mysql-virtual.cf

Re: RBL & Postfix

lst_hoe02
In reply to this post by neugi
Quoting neugi <[hidden email]>:

> [...]


Log file entry which shows an authenticated client rejected by RBL?

Regards

Andreas


Re: RBL & Postfix

neugi
2008/12/15  <[hidden email]>:

> Quoting neugi <[hidden email]>:
>
>> [...]
> Log file entry which shows an authenticated client rejected by RBL?
>
> Regards
>
> Andreas
>
>

Right now I can't find any entry; any keyword(s) I have to look at?

best

Re: RBL & Postfix

Charles Marcus
In reply to this post by neugi
On 12/15/2008, neugi ([hidden email]) wrote:
> smtpd_recipient_restrictions = permit_sasl_authenticated,
>   permit_mynetworks, reject_rbl_client sbl.spamhaus.org,
>   reject_unauth_destination, reject_non_fqdn_recipient,
>   reject_non_fqdn_sender, reject_unauth_pipelining,
>   reject_unknown_recipient_domain, reject_unknown_sender_domain,
>   check_policy_service inet:127.0.0.1:60000

First, put reject_unauth_destination BEFORE reject_rbl_client - this
will prevent lots of unnecessary DNS queries...

As for your problem, the only thing I can think of is your users are not
actually using sasl_auth?

--

Best regards,

Charles

Re: RBL & Postfix

neugi
How can I check if users use SASL or not?
Are there any special settings in the mail client?

best

2008/12/15 Charles Marcus <[hidden email]>:

> On 12/15/2008, neugi ([hidden email]) wrote:
>> smtpd_recipient_restrictions = permit_sasl_authenticated,
>>   permit_mynetworks, reject_rbl_client sbl.spamhaus.org,
>>   reject_unauth_destination, reject_non_fqdn_recipient,
>>   reject_non_fqdn_sender, reject_unauth_pipelining,
>>   reject_unknown_recipient_domain, reject_unknown_sender_domain,
>>   check_policy_service inet:127.0.0.1:60000
>
> First, put reject_unauth_destination BEFORE reject_rbl_client - this
> will prevent lots of unnecessary DNS queries...
>
> As for your problem, the only thing I can think of is your users are not
> actually using sasl_auth?
>
> --
>
> Best regards,
>
> Charles
>

Re: RBL & Postfix

Udo Rader
neugi wrote:

> How can I check if users use SASL or not?
> Are there any special settings in the mail client?
>
> best
>
> 2008/12/15 Charles Marcus <[hidden email]>:
>> On 12/15/2008, neugi ([hidden email]) wrote:
>>> smtpd_recipient_restrictions = permit_sasl_authenticated,
>>>   permit_mynetworks, reject_rbl_client sbl.spamhaus.org,
>>>   reject_unauth_destination, reject_non_fqdn_recipient,
>>>   reject_non_fqdn_sender, reject_unauth_pipelining,
>>>   reject_unknown_recipient_domain, reject_unknown_sender_domain,
>>>   check_policy_service inet:127.0.0.1:60000
>> First, put reject_unauth_destination BEFORE reject_rbl_client - this
>> will prevent lots of unnecessary DNS queries...
>>
>> As for your problem, the only thing I can think of is your users are not
>> actually using sasl_auth?

1. check the logs, there should be lines like these

------CUT----
Dec 14 08:34:39 hel postfix/smtpd[9845]: 7566CBC05FE:
client=client.example.com[192.168.17.34], sasl_method=CRAM-MD5,
sasl_username=whoever
------CUT----

if not, your users are not using SMTP auth and this is a client side issue.

2. please don't top post :-)

--
Udo Rader
http://www.bestsolution.at
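A way to run Udo's log check over a whole smtpd log, as an added example that is not from the thread or from Postfix: it scans for the sasl_username marker shown above and for reject_rbl_client rejections, then lists the client IPs that hit the RBL without ever authenticating (the client-side case Udo describes) and those that did both (the evidence Andreas asked for). The log lines are constructed to match those formats; the regexes and function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample log, modelled on the "client=..., sasl_method=...,
# sasl_username=..." line shown above and on Postfix's reject_rbl_client text
# ("Client host [ip] blocked using <list>"). Not real traffic.
SAMPLE_LOG = """\
Dec 15 10:01:02 hel postfix/smtpd[9845]: connect from client.example.com[192.168.17.34]
Dec 15 10:01:03 hel postfix/smtpd[9845]: 7566CBC05FE: client=client.example.com[192.168.17.34], sasl_method=CRAM-MD5, sasl_username=whoever
Dec 15 10:02:10 hel postfix/smtpd[9850]: connect from unknown[10.20.30.40]
Dec 15 10:02:11 hel postfix/smtpd[9850]: NOQUEUE: reject: RCPT from unknown[10.20.30.40]: 554 5.7.1 Service unavailable; Client host [10.20.30.40] blocked using sbl.spamhaus.org; from=<alice@domain.com> to=<bob@example.org> proto=ESMTP helo=<alice-phone>
Dec 15 10:02:12 hel postfix/smtpd[9850]: disconnect from unknown[10.20.30.40]
Dec 15 10:03:01 hel postfix/smtpd[9852]: 8A11FBC0601: client=unknown[10.20.30.41], sasl_method=PLAIN, sasl_username=carol
"""

# The client= line of a message accepted from an authenticated session.
SASL_RE = re.compile(
    r"client=\S+\[(?P<ip>[^\]]+)\], sasl_method=(?P<method>[^,]+), "
    r"sasl_username=(?P<user>\S+)")
# The RCPT-stage reject that reject_rbl_client produces.
RBL_RE = re.compile(
    r"NOQUEUE: reject: RCPT from \S+\[(?P<ip>[^\]]+)\]: \d{3} [\d.]+ "
    r"Service unavailable; Client host \[[^\]]+\] blocked using (?P<rbl>[^;]+);")


def scan(log_text):
    """Return (sasl_users_by_ip, rbl_rejects_by_ip) from smtpd log lines.

    Sessions are grouped by client IP, so a NAT pool shared by several phones
    will blur the picture; for the thread's question that is good enough.
    """
    sasl = defaultdict(set)      # ip -> set of sasl_username values seen
    rejects = defaultdict(list)  # ip -> RBL names that rejected it
    for line in log_text.splitlines():
        m = SASL_RE.search(line)
        if m:
            sasl[m["ip"]].add(m["user"])
            continue
        m = RBL_RE.search(line)
        if m:
            rejects[m["ip"]].append(m["rbl"])
    return dict(sasl), dict(rejects)


def unauthenticated_rbl_victims(log_text):
    """IPs rejected by an RBL that never logged a sasl_username: with
    permit_sasl_authenticated ahead of reject_rbl_client, these sessions
    cannot have authenticated, so the mail client is not doing SMTP AUTH."""
    sasl, rejects = scan(log_text)
    return sorted(ip for ip in rejects if ip not in sasl)


def authenticated_yet_rejected(log_text):
    """IPs that both authenticated and were RBL-rejected: the log evidence
    Andreas asked for, which would point at the server's restriction order."""
    sasl, rejects = scan(log_text)
    return sorted(ip for ip in rejects if ip in sasl)
```

Run it as `unauthenticated_rbl_victims(open("/var/log/mail.log").read())` on a real log; an empty result for both functions means no client was RBL-rejected at all in that window.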

Re: RBL & Postfix

Benny Pedersen
In reply to this post by neugi

On Mon, December 15, 2008 11:19, neugi wrote:

> smtpd_recipient_restrictions =
....

smtpd_recipient_restrictions =
           reject_non_fqdn_sender,
           reject_unknown_sender_domain,
           permit_sasl_authenticated,
           permit_mynetworks,
           reject_non_fqdn_recipient,
           reject_unknown_recipient_domain,
           reject_rbl_client sbl.spamhaus.org,
           reject_unauth_destination,
           reject_unauth_pipelining,
           check_policy_service inet:127.0.0.1:60000

This will make sure senders are FQDN and the domain exists, also from
your clients, or use http://www.postfwd.org/

--
Benny Pedersen
Need more webspace ? http://www.servage.net/?coupon=cust37098


Re: RBL & Postfix

Charles Marcus
On 12/15/2008 2:34 PM, Benny Pedersen wrote:

> On Mon, December 15, 2008 11:19, neugi wrote:
>
>> smtpd_recipient_restrictions =
> ....
>
> smtpd_recipient_restrictions =
>            reject_non_fqdn_sender,
>            reject_unknown_sender_domain,
>            permit_sasl_authenticated,
>            permit_mynetworks,
>            reject_non_fqdn_recipient,
>            reject_unknown_recipient_domain,
>            reject_rbl_client sbl.spamhaus.org,
>            reject_unauth_destination,
>            reject_unauth_pipelining,
>            check_policy_service inet:127.0.0.1:60000

No...

reject_unauth_destination should definitely be before reject_rbl_client
(move it up to right after 'permit_mynetworks') - and
reject_unauth_pipelining is useless here...

--

Best regards,

Charles
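To see why the ordering argued over in this thread matters, here is an added example (not from the thread or from Postfix) that models first-match evaluation of a restriction list for one client. The restriction names are Postfix's; the client data, the in-memory RBL, MY_DOMAINS and the function names are constructed for the demonstration.

```python
"""Model Postfix's first-match evaluation of smtpd_recipient_restrictions.

Each restriction yields PERMIT, REJECT or DUNNO (no opinion); evaluation stops
at the first PERMIT or REJECT, and an exhausted list permits. Only the
restrictions argued over in this thread are modelled, and the RBL is a
constructed in-memory set rather than a DNS query.
"""
from dataclasses import dataclass
from typing import Optional

PERMIT, REJECT, DUNNO = "permit", "reject", "dunno"

RBL_LISTED = {"10.20.30.40"}  # constructed: a listed "UMTS pool" address
MY_DOMAINS = {"domain.com"}   # recipient domains this server accepts mail for
MYNETWORKS = ("127.",)        # 127.0.0.0/8, as in the poster's postconf -n

# The order the poster showed, and the order Charles recommends.
POSTED_ORDER = ["permit_sasl_authenticated", "permit_mynetworks",
                "reject_rbl_client sbl.spamhaus.org", "reject_unauth_destination"]
RECOMMENDED_ORDER = ["permit_sasl_authenticated", "permit_mynetworks",
                     "reject_unauth_destination", "reject_rbl_client sbl.spamhaus.org"]
# mouss's and Benny's variant: a sender sanity check ahead of the permit_*
# entries, so it applies to authenticated clients as well.
STRICT_SENDER_ORDER = ["reject_non_fqdn_sender"] + RECOMMENDED_ORDER


@dataclass
class Client:
    ip: str
    sasl_username: Optional[str]  # None when the session did not do SMTP AUTH
    sender: str
    recipient: str


@dataclass
class Trace:
    dns_lookups: int = 0           # reject_rbl_client checks performed
    matched: Optional[str] = None  # restriction that decided the verdict


def _domain(addr):
    return addr.rsplit("@", 1)[-1]


def _evaluate_one(name, client, trace):
    if name == "permit_sasl_authenticated":
        return PERMIT if client.sasl_username else DUNNO
    if name == "permit_mynetworks":
        return PERMIT if client.ip.startswith(MYNETWORKS) else DUNNO
    if name == "reject_unauth_destination":
        return DUNNO if _domain(client.recipient) in MY_DOMAINS else REJECT
    if name.startswith("reject_rbl_client "):
        trace.dns_lookups += 1  # a real reject_rbl_client costs a DNS query
        return REJECT if client.ip in RBL_LISTED else DUNNO
    if name == "reject_non_fqdn_sender":
        return DUNNO if "." in _domain(client.sender) else REJECT
    raise ValueError(f"restriction not modelled: {name}")


def evaluate(restrictions, client):
    """Apply first-match semantics; return (verdict, trace)."""
    trace = Trace()
    for name in restrictions:
        verdict = _evaluate_one(name, client, trace)
        if verdict != DUNNO:
            trace.matched = name
            return verdict, trace
    return PERMIT, trace
```

Try `evaluate(POSTED_ORDER, Client("10.20.30.40", "alice", "alice@domain.com", "bob@example.org"))` and the same client with `sasl_username=None`: the listed address is permitted only when it authenticated, and a relay probe to a foreign domain costs one DNS lookup under POSTED_ORDER and none under RECOMMENDED_ORDER.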

Re: RBL & Postfix

Benny Pedersen

On Mon, December 15, 2008 21:11, Charles Marcus wrote:

> reject_unauth_destination should definitely be before
> reject_rbl_client

Oops, I forgot this when I wrote it.

> (move it up to right after 'permit_mynetworks) - and
> reject_unauth_pipelining is useless here...

not my mailserver


--
Benny Pedersen