allowing certain email addresses blocked by dnsbl.sorbs.net

classic Classic list List threaded Threaded
11 messages Options
Reply | Threaded
Open this post in threaded view
|

allowing certain email addresses blocked by dnsbl.sorbs.net

James D. Parra
Hello,

What is the best way to allow a particular e-mail address through
smtps_client_restrictions and still block the other positive hits for the
rule?

From main.cf
<snip>
transport_maps = hash:/etc/postfix/transport
smtpd_client_restrictions =
        permit_mynetworks
        reject_rbl_client dnsbl.sorbs.net
        reject_rbl_client zen.spamhaus.org
        reject_rbl_client bl.spamcop.net
        permit
<snip>

I have an Earthlink user that I want to allow mail through. (Client host
[209.86.89.66] blocked using dnsbl.sorbs.net)

Many thanks,

James
Reply | Threaded
Open this post in threaded view
|

Re: allowing certain email addresses blocked by dnsbl.sorbs.net

Jimbo-3
James D. Parra wrote:

> Hello,
>
> transport_maps = hash:/etc/postfix/transport
> smtpd_client_restrictions =
>         permit_mynetworks
>         reject_rbl_client dnsbl.sorbs.net
>         reject_rbl_client zen.spamhaus.org
>         reject_rbl_client bl.spamcop.net
>         permit
> <snip>
>
> I have an Earthlink user that I want to allow mail through. (Client host
> [209.86.89.66] blocked using dnsbl.sorbs.net)
>
> Many thanks,
>
> James
>
>  

smtpd_client_restrictions =
        permit_mynetworks
        check_client_access cidr:/etc/postfix/whitelist.cidr
        reject_rbl_client dnsbl.sorbs.net
        reject_rbl_client zen.spamhaus.org
        reject_rbl_client bl.spamcop.net
        permit

/etc/postfix/whitelist.cidr:
209.86.89.66/32 OK

If this client shouldn't be able to relay, this check should come after
reject_unauth_destination but still before the reject_rbl_client.
Reply | Threaded
Open this post in threaded view
|

RE: allowing certain email addresses blocked by dnsbl.sorbs.net

James D. Parra
In reply to this post by James D. Parra
-----Original Message-----
From: Jimbo [mailto:[hidden email]]
Sent: Monday, June 02, 2008 2:36 PM
To: James D. Parra
Cc: Posfix. Org (E-mail)
Subject: Re: allowing certain email addresses blocked by dnsbl.sorbs.net


James D. Parra wrote:

> Hello,
>
> transport_maps = hash:/etc/postfix/transport
> smtpd_client_restrictions =
>         permit_mynetworks
>         reject_rbl_client dnsbl.sorbs.net
>         reject_rbl_client zen.spamhaus.org
>         reject_rbl_client bl.spamcop.net
>         permit
> <snip>
>
> I have an Earthlink user that I want to allow mail through. (Client host
> [209.86.89.66] blocked using dnsbl.sorbs.net)
>
> Many thanks,
>
> James
>
>  

smtpd_client_restrictions =
        permit_mynetworks
        check_client_access cidr:/etc/postfix/whitelist.cidr
        reject_rbl_client dnsbl.sorbs.net
        reject_rbl_client zen.spamhaus.org
        reject_rbl_client bl.spamcop.net
        permit

/etc/postfix/whitelist.cidr:
209.86.89.66/32 OK

If this client shouldn't be able to relay, this check should come after
reject_unauth_destination but still before the reject_rbl_client.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Many thanks, Jim, however I only want one e-mail address (for now) to be
allowed through. For example; [hidden email] OK.

Is that possible? Also, I don't want any relaying whatsoever.

Thank you,

James
Reply | Threaded
Open this post in threaded view
|

Re: allowing certain email addresses blocked by dnsbl.sorbs.net

mouss-2
In reply to this post by James D. Parra
James D. Parra wrote:

> Hello,
>
> What is the best way to allow a particular e-mail address through
> smtps_client_restrictions and still block the other positive hits for the
> rule?
>
> From main.cf
> <snip>
> transport_maps = hash:/etc/postfix/transport
> smtpd_client_restrictions =
>         permit_mynetworks
>         reject_rbl_client dnsbl.sorbs.net
>         reject_rbl_client zen.spamhaus.org
>         reject_rbl_client bl.spamcop.net
>         permit
> <snip>
>
> I have an Earthlink user that I want to allow mail through. (Client host
> [209.86.89.66] blocked using dnsbl.sorbs.net)
>
>  

$ host 66.89.86.209.dnsbl.sorbs.net
Host 66.89.86.209.dnsbl.sorbs.net not found: 3(NXDOMAIN)

people keep incriminating sorbs for things they don't block... shall we
see apologies?

BTW:

$ host 207.47.100.34
34.100.47.207.in-addr.arpa domain name pointer
207.47.100.34.static.musicreports.com.
$ host 207.47.100.34.static.musicreports.com.
Host 207.47.100.34.static.musicreports.com not found: 3(NXDOMAIN)

generic dns and unknown...


anyway, the way to do it is to whitelist the client:

smtpd_client_restrictions =
        permit_mynetworks
        check_client_access cidr:/etc/postfix/client_wl
        reject_rbl_client dnsbl.sorbs.net
        reject_rbl_client zen.spamhaus.org
        reject_rbl_client bl.spamcop.net
        permit

== client_wl
192.0.2.0/24      OK


avoid relying on sender addresses because they are easily forged, and
because you will get mail from other addresses in the same network, ... etc.




> Many thanks,
>
> James
>  

Reply | Threaded
Open this post in threaded view
|

RE: allowing certain email addresses blocked by dnsbl.sorbs.net

James D. Parra
In reply to this post by James D. Parra
-----Original Message-----
From: mouss [mailto:[hidden email]]
Sent: Monday, June 02, 2008 5:15 PM
Cc: Posfix. Org (E-mail)
Subject: Re: allowing certain email addresses blocked by dnsbl.sorbs.net


James D. Parra wrote:

> Hello,
>
> What is the best way to allow a particular e-mail address through
> smtps_client_restrictions and still block the other positive hits for the
> rule?
>
> From main.cf
> <snip>
> transport_maps = hash:/etc/postfix/transport
> smtpd_client_restrictions =
>         permit_mynetworks
>         reject_rbl_client dnsbl.sorbs.net
>         reject_rbl_client zen.spamhaus.org
>         reject_rbl_client bl.spamcop.net
>         permit
> <snip>
>
> I have an Earthlink user that I want to allow mail through. (Client host
> [209.86.89.66] blocked using dnsbl.sorbs.net)
>
>  

$ host 66.89.86.209.dnsbl.sorbs.net
Host 66.89.86.209.dnsbl.sorbs.net not found: 3(NXDOMAIN)

people keep incriminating sorbs for things they don't block... shall we
see apologies?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
<
I am not incriminating them; that is the error that is returned to the
sender. Here is another example in my logs;

Jun  2 18:04:28 mailserver postfix/smtpd[885]: NOQUEUE: reject: RCPT from
elasmtp-junco.atl.sa.earthlink.net[209.86.89.63]: 554 Service unavailable;
Client h
ost [209.86.89.63] blocked using dnsbl.sorbs.net; Currently Sending Spam
See: http://www.sorbs.net/lookup.shtml?209.86.89.63; 


BTW:

$ host 207.47.100.34
34.100.47.207.in-addr.arpa domain name pointer
207.47.100.34.static.musicreports.com.
$ host 207.47.100.34.static.musicreports.com.
Host 207.47.100.34.static.musicreports.com not found: 3(NXDOMAIN)

generic dns and unknown...
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
<
For my own edification, what is the problem here? Not trying to be rude,
just want to understand. Thank you.
>

anyway, the way to do it is to whitelist the client:

smtpd_client_restrictions =
        permit_mynetworks
        check_client_access cidr:/etc/postfix/client_wl
        reject_rbl_client dnsbl.sorbs.net
        reject_rbl_client zen.spamhaus.org
        reject_rbl_client bl.spamcop.net
        permit

== client_wl
192.0.2.0/24      OK


avoid relying on sender addresses because they are easily forged, and
because you will get mail from other addresses in the same network, ... etc.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
I understand that a particular mail address may be forged, but for this
instance I want to at least try whitelisting the e-mail address. When it
comes to Earthlink's mail servers and maybe those of other ISPs, they have
many outbound mail servers with different IP addresses. If I white list the
IP address, then actual Spam from that address will get through and I'll
need to add every IP address for Earthlink's mail servers.

There must be a good way to white on an e-mail address by e-mail address
basis.

Our postfix server is setup to scan mail and then send it on to another
internal mail server. There are no accounts on the postfix server.


Thank you again for responding and I respect your experience and sound
advice.

Best regards,

~James
Reply | Threaded
Open this post in threaded view
|

Re: allowing certain email addresses blocked by dnsbl.sorbs.net

Ralf Hildebrandt
In reply to this post by Jimbo-3
* Jimbo <[hidden email]>:

> smtpd_client_restrictions =
>        permit_mynetworks
> check_client_access cidr:/etc/postfix/whitelist.cidr
>        reject_rbl_client dnsbl.sorbs.net
>        reject_rbl_client zen.spamhaus.org
>        reject_rbl_client bl.spamcop.net
>        permit
>
> /etc/postfix/whitelist.cidr:
> 209.86.89.66/32 OK
>
> If this client shouldn't be able to relay, this check should come after  
> reject_unauth_destination but still before the reject_rbl_client.

NO, relaying decisions are made in smtrpd_recipient_restrictions.
This setup here is OK.

--
Ralf Hildebrandt ([hidden email])          [hidden email]
Postfix - Einrichtung, Betrieb und Wartung       Tel. +49 (0)30-450 570-155
http://www.arschkrebs.de
No sig. Move along - nothing to see here.
Reply | Threaded
Open this post in threaded view
|

Re: allowing certain email addresses blocked by dnsbl.sorbs.net

José Luís Faria
In reply to this post by James D. Parra
Bom dia,

(estou a teclar de Braga, Portugal).

embora já administre servidores com postfix há alguns anos, só há uma
semana é que subscrevi esta lista. Já agora é uma lista excelente e por
isso venho pedir a Vossa opinião.


Os nossos servidores, com postfix, são usados apenas para recepção de
email, conjuntamente com o nosso servidor de LDAP. Temos nos servidores
uma solução da TrenMicro para anti-spam e anti-malware.
Como temos a licença da TrenMicro usamos o comando: reject_rbl_client
com um código para um dos servidores da Trend, que funciona muito bem.
O servidor da TrendMicro é mail-abuse.com

Nesta mensagem vi que usam os servidores:


 >         reject_rbl_client dnsbl.sorbs.net
 >         reject_rbl_client zen.spamhaus.org
 >         reject_rbl_client bl.spamcop.net

e talvez acrescentasse mais estes à lista de consultas.

Por isso queria perguntar se estes servidores são bons e se são de
confiança. Isto é, se estão sem quebras ou problemas frequentemente?

muito obrigado.

    :)  cumprimentos
----------------------
José Luís Faria
Network Eng./Administrador de Sistemas
Cisco Certified Network Associate
Departamento de Informática
Universidade do Minho


James D. Parra wrote:

> Hello,
>
> What is the best way to allow a particular e-mail address through
> smtps_client_restrictions and still block the other positive hits for the
> rule?
>
> From main.cf
> <snip>
> transport_maps = hash:/etc/postfix/transport
> smtpd_client_restrictions =
>         permit_mynetworks
>         reject_rbl_client dnsbl.sorbs.net
>         reject_rbl_client zen.spamhaus.org
>         reject_rbl_client bl.spamcop.net
>         permit
> <snip>
>
> I have an Earthlink user that I want to allow mail through. (Client host
> [209.86.89.66] blocked using dnsbl.sorbs.net)
>
> Many thanks,
>
> James


smime.p7s (6K) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: allowing certain email addresses blocked by dnsbl.sorbs.net

José Luís Faria
Hello all,

I'm sorry my last message.
I wrote the message thinking in the same list in Brasil.
my excuses.

by the way,

I'm using the server of TrendMicro mail-abuse.com.

I'm asking if these servers:
 >  >         reject_rbl_client dnsbl.sorbs.net
 >  >         reject_rbl_client zen.spamhaus.org
 >  >         reject_rbl_client bl.spamcop.net

work fine?

thanks in advance.


    :)  cumprimentos
----------------------
José Luís Faria
Network Eng./Administrador de Sistemas
Cisco Certified Network Associate
Departamento de Informática
Universidade do Minho


José Luís Faria wrote:

> Bom dia,
>
> (estou a teclar de Braga, Portugal).
>
> embora já administre servidores com postfix há alguns anos, só há uma
> semana é que subscrevi esta lista. Já agora é uma lista excelente e por
> isso venho pedir a Vossa opinião.
>
>
> Os nossos servidores, com postfix, são usados apenas para recepção de
> email, conjuntamente com o nosso servidor de LDAP. Temos nos servidores
> uma solução da TrenMicro para anti-spam e anti-malware.
> Como temos a licença da TrenMicro usamos o comando: reject_rbl_client
> com um código para um dos servidores da Trend, que funciona muito bem.
> O servidor da TrendMicro é mail-abuse.com
>
> Nesta mensagem vi que usam os servidores:
>
>
>  >         reject_rbl_client dnsbl.sorbs.net
>  >         reject_rbl_client zen.spamhaus.org
>  >         reject_rbl_client bl.spamcop.net
>
> e talvez acrescentasse mais estes à lista de consultas.
>
> Por isso queria perguntar se estes servidores são bons e se são de
> confiança. Isto é, se estão sem quebras ou problemas frequentemente?
>
> muito obrigado.
>
>    :)  cumprimentos
> ----------------------
> José Luís Faria
> Network Eng./Administrador de Sistemas
> Cisco Certified Network Associate
> Departamento de Informática
> Universidade do Minho
>
>
> James D. Parra wrote:
>> Hello,
>>
>> What is the best way to allow a particular e-mail address through
>> smtps_client_restrictions and still block the other positive hits for the
>> rule?
>>
>> From main.cf
>> <snip>
>> transport_maps = hash:/etc/postfix/transport
>> smtpd_client_restrictions =
>>         permit_mynetworks
>>         reject_rbl_client dnsbl.sorbs.net
>>         reject_rbl_client zen.spamhaus.org
>>         reject_rbl_client bl.spamcop.net
>>         permit
>> <snip>
>>
>> I have an Earthlink user that I want to allow mail through. (Client host
>> [209.86.89.66] blocked using dnsbl.sorbs.net)
>>
>> Many thanks,
>>
>> James
>


smime.p7s (6K) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: allowing certain email addresses blocked by dnsbl.sorbs.net

mouss-2
In reply to this post by James D. Parra
James D. Parra wrote:

> -----Original Message-----
> From: mouss [mailto:[hidden email]]
> Sent: Monday, June 02, 2008 5:15 PM
> Cc: Posfix. Org (E-mail)
> Subject: Re: allowing certain email addresses blocked by dnsbl.sorbs.net
>
>
> [snip]
>
> $ host 207.47.100.34
> 34.100.47.207.in-addr.arpa domain name pointer
> 207.47.100.34.static.musicreports.com.
> $ host 207.47.100.34.static.musicreports.com.
> Host 207.47.100.34.static.musicreports.com not found: 3(NXDOMAIN)
>
> generic dns and unknown...
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> <
> For my own edification, what is the problem here? Not trying to be rude,
> just want to understand. Thank you.
>  

the "hostname" (207.47...) is "generic". Many sites block such IPs in
email. In addition, the hostname doesn't resolve, which makes things worst.
If you can, setup (or ask for) a custom reverse dns (one without a
reverse IP in it... etc) that is "verified" (so called FcrDNS). in
short, if you resolve the IP, you get a name. if you resolve this name,
you should get the original IP.

While I am in, fix the helo, because it doesn't resolve

$ host smtp-relay.musicreports.com
Host smtp-relay.musicreports.com not found: 3(NXDOMAIN)



>
> anyway, the way to do it is to whitelist the client:
>
> smtpd_client_restrictions =
>         permit_mynetworks
> check_client_access cidr:/etc/postfix/client_wl
>         reject_rbl_client dnsbl.sorbs.net
>         reject_rbl_client zen.spamhaus.org
>         reject_rbl_client bl.spamcop.net
>         permit
>
> == client_wl
> 192.0.2.0/24      OK
>
>
> avoid relying on sender addresses because they are easily forged, and
> because you will get mail from other addresses in the same network, ... etc.
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> I understand that a particular mail address may be forged, but for this
> instance I want to at least try whitelisting the e-mail address. When it
> comes to Earthlink's mail servers and maybe those of other ISPs, they have
> many outbound mail servers with different IP addresses. If I white list the
> IP address, then actual Spam from that address will get through and I'll
> need to add every IP address for Earthlink's mail servers.
>
> There must be a good way to white on an e-mail address by e-mail address
> basis.
>  

just replace the check_client_access line with
    check_sender_access hash:/etc/postfix/sender_wl

== sender_wl:
[hidden email]      OK
# whietlist a whole domain
example.org                 OK


Reply | Threaded
Open this post in threaded view
|

Re: allowing certain email addresses blocked by dnsbl.sorbs.net

Alexandre Gorges
In reply to this post by José Luís Faria
Hello José.

essa lista deve ser falada em inglês.

speak english please.


[]´s
Alexandre Gorges - @ASA

http://algorges.blogspot.com

----- Original Message -----
From: "José Luís Faria" <[hidden email]>
To: "James D. Parra" <[hidden email]>
Cc: "Posfix. Org (E-mail)" <[hidden email]>
Sent: Tuesday, June 03, 2008 11:09 AM
Subject: Re: allowing certain email addresses blocked by dnsbl.sorbs.net


Bom dia,

(estou a teclar de Braga, Portugal).

embora já administre servidores com postfix há alguns anos, só há uma
semana é que subscrevi esta lista. Já agora é uma lista excelente e por
isso venho pedir a Vossa opinião.


Os nossos servidores, com postfix, são usados apenas para recepção de
email, conjuntamente com o nosso servidor de LDAP. Temos nos servidores
uma solução da TrenMicro para anti-spam e anti-malware.
Como temos a licença da TrenMicro usamos o comando: reject_rbl_client
com um código para um dos servidores da Trend, que funciona muito bem.
O servidor da TrendMicro é mail-abuse.com

Nesta mensagem vi que usam os servidores:


 >         reject_rbl_client dnsbl.sorbs.net
 >         reject_rbl_client zen.spamhaus.org
 >         reject_rbl_client bl.spamcop.net

e talvez acrescentasse mais estes à lista de consultas.

Por isso queria perguntar se estes servidores são bons e se são de
confiança. Isto é, se estão sem quebras ou problemas frequentemente?

muito obrigado.

    :)  cumprimentos
----------------------
José Luís Faria
Network Eng./Administrador de Sistemas
Cisco Certified Network Associate
Departamento de Informática
Universidade do Minho


James D. Parra wrote:

> Hello,
>
> What is the best way to allow a particular e-mail address through
> smtps_client_restrictions and still block the other positive hits for the
> rule?
>
> From main.cf
> <snip>
> transport_maps = hash:/etc/postfix/transport
> smtpd_client_restrictions =
>         permit_mynetworks
>         reject_rbl_client dnsbl.sorbs.net
>         reject_rbl_client zen.spamhaus.org
>         reject_rbl_client bl.spamcop.net
>         permit
> <snip>
>
> I have an Earthlink user that I want to allow mail through. (Client host
> [209.86.89.66] blocked using dnsbl.sorbs.net)
>
> Many thanks,
>
> James


Reply | Threaded
Open this post in threaded view
|

Re: allowing certain email addresses blocked by dnsbl.sorbs.net

Jimbo-3
In reply to this post by Ralf Hildebrandt
Ralf Hildebrandt wrote:

> * Jimbo <[hidden email]>:
>
>  
>> smtpd_client_restrictions =
>>        permit_mynetworks
>> check_client_access cidr:/etc/postfix/whitelist.cidr
>>        reject_rbl_client dnsbl.sorbs.net
>>        reject_rbl_client zen.spamhaus.org
>>        reject_rbl_client bl.spamcop.net
>>        permit
>>
>> /etc/postfix/whitelist.cidr:
>> 209.86.89.66/32 OK
>>
>> If this client shouldn't be able to relay, this check should come after  
>> reject_unauth_destination but still before the reject_rbl_client.
>>    
>
> NO, relaying decisions are made in smtrpd_recipient_restrictions.
> This setup here is OK.
>  
You are absolutely correct, for some reason I read recipient.  That'll
teach me to not proofread.