place reject_rbl_client rules in a separate file


Вадим Бажов
Hi, list !
I need to place rbl rules with domains in a separate file and connect it to postfix via access map directive.

Let's say something like this:

smtpd_recipient_restrictions =
   permit_mynetworks
   reject_unauth_destination
   check_recipient_access hash:/etc/postfix/rbl_rules

/etc/postfix/rbl_rules :
reject_rbl_client zen.spamhaus.org
reject_rbl_client rbl.rbldns.ru
reject_rbl_client b.barracudacentral.org
reject_rbl_client dnsbl.sorbs.net
reject_rbl_client bl.spamcop.net

I need it to be highly flexible. To let people in my network configure DNSBL server list whenever they want.

How can I do that ?





Re: place reject_rbl_client rules in a separate file

Wietse Venema
Вадим Бажов:

> Hi, list !
> I need to place rbl rules with domains in a separate file and connect it
> to postfix via access map directive.
>
> Let's say something like this:
>
> > smtpd_recipient_restrictions =
> >    permit_mynetworks
> >    reject_unauth_destination
> >    check_recipient_access hash:/etc/postfix/rbl_rules
>
> /etc/postfix/rbl_rules :
> > reject_rbl_client zen.spamhaus.org
> > reject_rbl_client rbl.rbldns.ru
> > reject_rbl_client b.barracudacentral.org
> > reject_rbl_client dnsbl.sorbs.net
> > reject_rbl_client bl.spamcop.net
>
> I need it to be highly flexible. To let people in my network configure
> DNSBL server list whenever they want.
>
> How can i do that ?

Use an SQL database.

        Wietse

Re: [MASSMAIL]Re: place reject_rbl_client rules in a separate file

Вадим Бажов
Hello, Wietse.
Is there any documentation or configuration snippets regarding rbl and
database ?


Re: [MASSMAIL]Re: place reject_rbl_client rules in a separate file

Wietse Venema
Вадим Бажов:
> Hello, Wietse.
> Is there any documentation or configuration snippets regarding rbl and
> database ?

Documentation: man 5 access.

Just use mysql:/etc/postfix/file instead of hash:/etc/postfix/file.
Postfix makes the same queries whether you use hash/btree/lmdb or
mysql/pgsql/ldap.

/etc/postfix/main.cf:
    smtpd_recipient_restrictions =
        permit_mynetworks
        reject_unauth_destination
        check_recipient_access hash:/etc/postfix/per_recipient_rules
        ...

/etc/postfix/per_recipient_rules:
    # most example.com recipients are RBL protected, some are not.
    example.com reject_rbl_client zen.spamhaus.org, reject_rbl_client rbl.rbldns.ru, ...
    [hidden email] dunno
    ...

        Wietse


Re: [MASSMAIL]Re: place reject_rbl_client rules in a separate file

Вадим Бажов
Ok, got it.
But this way to place all DNSBL services to a separate file needs me to
set a recipient domain that I protect with rbl_reject checks (i.e.
example.com).
Is there a simpler way without setting a recipient domain ?
We list DNSBL services under smtpd_recipient_restrictions section
without destination domain (i.e. example.com). So I just need to list
them in the same manner but in a separate file. Could it be done somehow
? (not via access tables format probably)



Re: [MASSMAIL]Re: place reject_rbl_client rules in a separate file

Wietse Venema
Wietse:

> Just use mysql:/etc/postfix/file instead of hash:/etc/postfix/file.
> Postfix makes the same queries whether you use hash/btree/lmdb or
> mysql/pgsql/ldap.
>
> /etc/postfix/main.cf:
>      smtpd_recipient_restrictions =
>          permit_mynetworks
>          reject_unauth_destination
>          check_recipient_access hash:/etc/postfix/per_recipient_rules
>          ...
>
> /etc/postfix/per_recipient_rules:
>      # most example.com recipients are RBL protected, some are not.
>      example.com reject_rbl_client zen.spamhaus.org, reject_rbl_client rbl.rbldns.ru, ...
>      [hidden email] dunno
>      ...

Вадим Бажов:
> Ok, got it.
> But this way to place all DNSBL services to a separate file needs me to
> set a recipient domain that I protect with rbl_reject checks (i.e.
> example.com).
> Is there a simpler way without setting a recipient domain ?

There is no support for main.cf to import arbitrary commands from
other files, as that would be a security hole.

The example requires one line per recipient domain. If you use a
real DBMS, then even that can be avoided.

        Wietse

Re: [MASSMAIL]Re: place reject_rbl_client rules in a separate file

/dev/rob0
In reply to this post by Вадим Бажов
On Thu, Apr 28, 2016 at 07:00:40PM +0300, Вадим Бажов wrote:
> Ok, got it.
> But this way to place all DNSBL services to a separate file needs me to set
> a recipient domain that I protect with rbl_reject checks (i.e.
> example.com).
> Is there a simpler way without setting a recipient domain ?
> We list DNSBL services under smtpd_recipient_restrictions section without
> destination domain (i.e. example.com). So I just need to list them in the
> same manner but in a separate file. Could it be done somehow ? (not via
> access tables format probably)

What I did was fairly similar to what you're describing, with
restriction classes and per-domain rules invoked via
check_recipient_access lookup.  The lookup checked the recipient
domain against an sqlite database which returns the name of that
domain's restriction class.

This approach does not scale well.  What you really want is to
develop and to deploy a custom policy service.  Perhaps one of the
existing policy service projects could be adapted to do this?

> >>On 28.04.2016 13:28, Wietse Venema wrote:
> >>>????? ?????:
> >>>>Hi, list !
> >>>>I need to place rbl rules with domains in a separate file and connect it
> >>>>to postfix via access map directive.
> >>>>
> >>>>Let's say something like this:
> >>>>
> >>>>>smtpd_recipient_restrictions =
> >>>>>     permit_mynetworks
> >>>>>     reject_unauth_destination
> >>>>>     check_recipient_access hash:/etc/postfix/rbl_rules
> >>>>/etc/postfix/rbl_rules :
> >>>>>reject_rbl_client zen.spamhaus.org
> >>>>>reject_rbl_client rbl.rbldns.ru
> >>>>>reject_rbl_client b.barracudacentral.org
> >>>>>reject_rbl_client dnsbl.sorbs.net
> >>>>>reject_rbl_client bl.spamcop.net
> >>>>I need it to be highly flexible. To let people in my network
> >>>>configure DNSBL server list whenever they want.

I'll say first: this is not a function I'd want to put in the hands
of people who don't know about email and spam.  My approach was to
give a domain owner/manager a general strategy to use, such as
"aggressive", "moderate", "conservative", or "permissive", and I
manage which DNSBLs are used within each strategy definition.

Too often here we see postmasters who use DNSBL services without
knowing their policies (or even if the service is still being
offered, in many cases!)  How can we expect end users to keep up with
these things?

Even my "permissive" level uses Zen.spamhaus.org, but that's the only
DNSBL, and DNS whitelists are used also.  And all of this is behind
the same postscreen, with a DNSBL scoring system.

> >>>>How can i do that ?
> >>>Use an SQL database.
--
  http://rob0.nodns4.us/
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:

Re: [MASSMAIL]Re: place reject_rbl_client rules in a separate file

Вадим Бажов
In reply to this post by Wietse Venema
After some testings it works as expected !
Thank you, Wietse !


Re: [MASSMAIL]Re: place reject_rbl_client rules in a separate file

Вадим Бажов
Hi, folks !

I upgraded postfix to 3.1.1 and per-domain DNSBL checks in a separate
access map file got broken.

Only the first dnsbl check per domain works. All others listed for the domain
seem to be ignored.

I have the following configuration working on postfix 2.6, broken on
postfix 3.1:

master.cf:

> smtpd pass  -    -       n       - -       smtpd
>     ...
>     -o { smtpd_recipient_restrictions =
>         ...
>         check_sender_access,
>         hash:/etc/postfix/dnsbl_checks
>     }
>     ...
/etc/postfix/dnsbl_checks:

> open-talk.ru reject_rbl_client rbl.rbldns.ru, reject_rbl_client
> zen.spamhaus.org, reject_rbl_client b.barracudacentral.org,
> reject_rbl_client bl.spamcop.net, reject_rbl_client ix.dnsbl.manitu.net
> ideco-software.ru reject_rbl_client rbl.rbldns.ru, reject_rbl_client
> zen.spamhaus.org, reject_rbl_client b.barracudacentral.org,
> reject_rbl_client bl.spamcop.net, reject_rbl_client ix.dnsbl.manitu.net
Now, at postfix 3, only the rbl.rbldns.ru check applies to every
destination domain. Any other check results are absent in logs.

I tried to debug what happens by adding '-v' to the smtpd service declaration
in master.cf but it didn't clarify this check_sender_access process for me.



--
Best regards,
Бажов Вадим,
Technical Support Engineer,
«Айдеко» company
--
Phones: +7 (495) 987-32-70; +7 (495) 662-87-34 (tech support); +7 (343) 220-77-55; Fax: +7 (343) 220-77-85

E-mail:
Sales inquiries: [hidden email]
Technical questions: [hidden email]

Website: http://ideco.ru
Forum: http://forum.ideco.ru


Re: [MASSMAIL]Re: place reject_rbl_client rules in a separate file

Wietse Venema
> I have following configuration working on postfix 2.6, broken up on
> postfix 3.1:
>
> master.cf:
>
> > smtpd pass  -    -       n       - -       smtpd
> >     ...
> >     -o { smtpd_recipient_restrictions =
> >         ...

master.cf does not support "-o { name = value }" syntax before Postfix 3.0.

        Wietse

Re: [MASSMAIL]Re: place reject_rbl_client rules in a separate file

Wietse Venema
In reply to this post by Вадим Бажов
> >         check_sender_access,
> >         hash:/etc/postfix/dnsbl_checks
> >     ...
> /etc/postfix/dnsbl_checks:
>
> > open-talk.ru reject_rbl_client rbl.rbldns.ru, reject_rbl_client

That applies 'reject_rbl_client b.barracudacentral.org' to open-talk.ru.
And it should warn that reject_rbl_client is not followed by a domain.

> > zen.spamhaus.org, reject_rbl_client b.barracudacentral.org,

That does not work, because an address or domain does not end in ','.

> > reject_rbl_client bl.spamcop.net, reject_rbl_client ix.dnsbl.manitu.net

That does nothing, because there is no domain called 'reject_rbl_client'.

You have the same problem with your ideco-software.ru rule.

If you want to have multi-line input, the second and later lines
must start with whitespace.

As written in the postmap manpage:

   o      A  logical  line  starts  with  non-whitespace text. A line that
          starts with whitespace continues a logical line.

        Wietse
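
The logical-line rule quoted from the postmap manpage above, applied to the open-talk.ru entry, as an added example that is not part of the original thread or of Postfix: a simplified Python reader (not Postfix's own parser) that joins continuation lines, takes the first word as the lookup key, and flags keys or reject_rbl_client actions that cannot be what was intended. The function names and both sample strings are constructed here; the wrapped sample assumes the file was stored with the line breaks shown in the post.

```python
import re

# Restrictions that take a DNSBL domain argument (only the one this thread uses).
TAKES_ARG = {"reject_rbl_client"}

# Constructed input: the open-talk.ru entry with the line breaks shown in the
# post, i.e. the second and third physical lines start in column 0.
WRAPPED = (
    "open-talk.ru reject_rbl_client rbl.rbldns.ru, reject_rbl_client\n"
    "zen.spamhaus.org, reject_rbl_client b.barracudacentral.org,\n"
    "reject_rbl_client bl.spamcop.net, reject_rbl_client ix.dnsbl.manitu.net\n"
)

# Constructed input: the same entry with every continuation line indented.
INDENTED = (
    "# per-domain DNSBL checks\n"
    "open-talk.ru reject_rbl_client rbl.rbldns.ru,\n"
    " reject_rbl_client zen.spamhaus.org,\n"
    " reject_rbl_client b.barracudacentral.org,\n"
    " reject_rbl_client bl.spamcop.net,\n"
    " reject_rbl_client ix.dnsbl.manitu.net\n"
)


def logical_lines(text):
    """Join physical lines into logical lines using the postmap rule."""
    lines = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # empty, whitespace-only and comment lines are ignored
        if raw[0] in " \t" and lines:
            lines[-1] += " " + raw.strip()  # leading whitespace: continuation
        else:
            lines.append(raw.strip())  # non-whitespace start: new logical line
    return lines


def parse_access_map(text):
    """Return {lookup key: action text}; the key is the first word of a logical line."""
    table = {}
    for line in logical_lines(text):
        parts = line.split(None, 1)
        table[parts[0]] = parts[1] if len(parts) > 1 else ""
    return table


def dnsbl_domains(value):
    """Return (DNSBL domains in the action text, True if a reject_rbl_client has none)."""
    # Restriction lists are separated by commas and/or whitespace.
    tokens = [t for t in re.split(r"[,\s]+", value) if t]
    domains, dangling = [], False
    i = 0
    while i < len(tokens):
        if tokens[i] in TAKES_ARG:
            if i + 1 < len(tokens) and tokens[i + 1] not in TAKES_ARG:
                domains.append(tokens[i + 1])
                i += 1  # skip the argument just consumed
            else:
                dangling = True
        i += 1
    return domains, dangling


def lint(text):
    """Report keys that are not addresses/domains and actions missing an argument."""
    findings = []
    for key, value in parse_access_map(text).items():
        if key.endswith(",") or key in TAKES_ARG:
            findings.append((key, "key is not an address or domain"))
        if dnsbl_domains(value)[1]:
            findings.append((key, "reject_rbl_client without a DNSBL domain"))
    return findings


if __name__ == "__main__":
    for name, sample in (("wrapped", WRAPPED), ("indented", INDENTED)):
        print(name, parse_access_map(sample), lint(sample))
```

For the wrapped sample the only DNSBL left under the open-talk.ru key is rbl.rbldns.ru; the indented sample yields all five.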

Re: [MASSMAIL]Re: place reject_rbl_client rules in a separate file

Вадим Бажов
In reply to this post by Wietse Venema

Sorry, Wietse. In postfix 2.6 master.cf had old -o param = value syntax. I've updated it since I moved to postfix 3.

But access_map file with dnsbl checks wasn't changed by me since postfix 2.6 and has exactly the same content.

As I guess, the trouble is around access_map file, because check_sender_access at master.cf triggers access_map checks fine. But the chain of dnsbl checks in access_map file works bad after.



Re: [MASSMAIL]Re: place reject_rbl_client rules in a separate file

Вадим Бажов
In reply to this post by Wietse Venema
> That applies 'reject_rbl_client b.barracudacentral.org' to open-talk.ru
Actually reject_rbl_client rbl.rbldns.ru applies in fact. And it goes first.

Didn't get the proper syntax at all.

It was working at postfix 2.6. Every destination domain was checked
against every DNSBL domain in a chain.

Every destination domain is a logical line. Do you mean that I should
additionally unroll every logical line to multiline, like this ?:

> open-talk.ru reject_rbl_client rbl.rbldns.ru,
>  reject_rbl_client zen.spamhaus.org,
>  reject_rbl_client b.barracudacentral.org,
>  reject_rbl_client bl.spamcop.net,
>  reject_rbl_client ix.dnsbl.manitu.net
> ideco-software.ru reject_rbl_client rbl.rbldns.ru,
>  reject_rbl_client zen.spamhaus.org,
>  ...



Re: [MASSMAIL]Re: place reject_rbl_client rules in a separate file

Вадим Бажов
In reply to this post by Wietse Venema
postmap doesn't give me any syntax-related warnings while compiling the file :

> postmap -v /etc/postfix/dnsbl_checks
> postmap: name_mask: all
> postmap: inet_addr_local: configured 7 IPv4 addresses
> postmap: inet_addr_local: configured 4 IPv6 addresses
> postmap: open hash /etc/postfix/dnsbl_checks
> postmap: Compiled against Berkeley DB: 4.7.25?
> postmap: Run-time linked against Berkeley DB: 4.7.25?



Re: [MASSMAIL]Re: place reject_rbl_client rules in a separate file

Вадим Бажов
In reply to this post by Вадим Бажов
Ok, we deal with access map file. That's the manual:

http://www.postfix.org/access.5.html

And it says about logical lines and continuation lines and available
lookup patterns and actions.

But I can't clearly get :

- How multiple actions (checks) work against one pattern technically
(multiple dnsbl checks against destination domain in my case). What's
the mechanism of chaining multiple checks for one logical statement ?

- What's the proper syntax for multiple actions ? Can I separate them by
comma or space just in one line, or should I break them in a multiline
expression and how exactly ?



Re: [MASSMAIL]Re: place reject_rbl_client rules in a separate file

Wietse Venema
> Ok, we deal with access map file. That's the manual:
>
> http://www.postfix.org/access.5.html
>
> And it says about logical lines and continuation lines and available
> lookup patterns and actions.
>
> But I can't clearly get :
>
> - How multiple actions (checks) work against one pattern technically
> (multiple dnsbl checks against destination domain in my case). What's
> the mechanism of chaining multiple checks for one logical statement ?

The mechanism is the same as smtpd_mumble_restrictions, because it
uses the same generic_checks() function as smtpd_mumble_restrictions.
This has not changed since before Postfix version 1, as anyone can
determine who can read C code.

        Wietse