temp avoiding RBL block with client_checks OK?

classic Classic list List threaded Threaded
4 messages Options
Reply | Threaded
Open this post in threaded view
|

temp avoiding RBL block with client_checks OK?

Voytek
one of the users is waiting for an email from server currently listed on
http://www.dnsbl.manitu.net/lookup.php?value=203.12.160.162

chances are it might get fixed in 12 hours, or, maybe not

short of removing dnsbl.manitu.net from my RBL checks, is there a way to
'bypass' this current predicament, and, allow mails from the IP/host?

can I simply put IP ? hostname ? both ? in /etc/postfix/client_checks ?

or is it /etc/postfix/sender_checks ? as so:

203.12.160.162 OK
mail12.tpgi.com.au OK


from main.cf:
--
smtpd_recipient_restrictions =
 reject_unknown_sender_domain,
 reject_unknown_recipient_domain,
 reject_non_fqdn_sender,
 reject_non_fqdn_recipient,
 reject_unlisted_recipient,
 check_policy_service inet:127.0.0.1:7777,
 permit_mynetworks,
 check_sasl_access hash:/etc/postfix/sasl_access
 permit_sasl_authenticated,
 reject_unauth_destination,
 check_recipient_access hash:/etc/postfix/recipient_no_checks,
 check_recipient_access pcre:/etc/postfix/recipient_checks.pcre,
 check_helo_access hash:/etc/postfix/helo_checks,
 check_sender_access hash:/etc/postfix/sender_checks,   <====??
 check_client_access hash:/etc/postfix/client_checks,   <=====??
 check_client_access pcre:/etc/postfix/client_checks.pcre,
 reject_rbl_client zen.spamhaus.org,
 reject_rhsbl_client dbl.spamhaus.org,
 reject_rhsbl_sender dbl.spamhaus.org,
 reject_rbl_client psbl.surriel.com,
 reject_rbl_client ix.dnsbl.manitu.net,
 reject_rbl_client bl.spamcop.net,
 check_policy_service inet:127.0.0.1:10031


-----------
Feb 13 15:11:59 emu postfix/smtpd[12324]: NOQUEUE: reject: RCPT from
mail12.tpgi.com.au[203.12.160.162]: 554 5.7.1 Service unavailable; Client
host [203.12.160.162] blocked using ix.dnsbl.manitu.net; Your e-mail
service was detected by spam.over.port25.me (NiX Spam) as spamming at Tue,
13 Feb 2018 00:10:11 +0100. Your admin should visit
http://www.dnsbl.manitu.net/lookup.php?value=203.12.160.162;
from=<[hidden email]> to=<[hidden email]> proto=ESMTP
helo=<mail12.tpgi.com.au>



Reply | Threaded
Open this post in threaded view
|

Re: temp avoiding RBL block with client_checks OK?

Dominic Raferd


On 13 February 2018 at 08:42, Voytek <[hidden email]> wrote:
one of the users is waiting for an email from server currently listed on
http://www.dnsbl.manitu.net/lookup.php?value=203.12.160.162

chances are it might get fixed in 12 hours, or, maybe not

short of removing dnsbl.manitu.net from my RBL checks, is there a way to
'bypass' this current predicament, and, allow mails from the IP/host?

can I simply put IP ? hostname ? both ? in /etc/postfix/client_checks ?

or is it /etc/postfix/sender_checks ? as so:

203.12.160.162 OK
mail12.tpgi.com.au OK


from main.cf:
--
smtpd_recipient_restrictions =
 reject_unknown_sender_domain,
 reject_unknown_recipient_domain,
 reject_non_fqdn_sender,
 reject_non_fqdn_recipient,
 reject_unlisted_recipient,
 check_policy_service inet:127.0.0.1:7777,
 permit_mynetworks,
 check_sasl_access hash:/etc/postfix/sasl_access
 permit_sasl_authenticated,
 reject_unauth_destination,
 check_recipient_access hash:/etc/postfix/recipient_no_checks,
 check_recipient_access pcre:/etc/postfix/recipient_checks.pcre,
 check_helo_access hash:/etc/postfix/helo_checks,
 check_sender_access hash:/etc/postfix/sender_checks,   <====??
 check_client_access hash:/etc/postfix/client_checks,   <=====??
 check_client_access pcre:/etc/postfix/client_checks.pcre,
 reject_rbl_client zen.spamhaus.org,
 reject_rhsbl_client dbl.spamhaus.org,
 reject_rhsbl_sender dbl.spamhaus.org,
 reject_rbl_client psbl.surriel.com,
 reject_rbl_client ix.dnsbl.manitu.net,
 reject_rbl_client bl.spamcop.net,
 check_policy_service inet:127.0.0.1:10031


-----------
Feb 13 15:11:59 emu postfix/smtpd[12324]: NOQUEUE: reject: RCPT from
mail12.tpgi.com.au[203.12.160.162]: 554 5.7.1 Service unavailable; Client
host [203.12.160.162] blocked using ix.dnsbl.manitu.net; Your e-mail
service was detected by spam.over.port25.me (NiX Spam) as spamming at Tue,
13 Feb 2018 00:10:11 +0100. Your admin should visit
http://www.dnsbl.manitu.net/lookup.php?value=203.12.160.162;
from=<[hidden email]> to=<[hidden email]> proto=ESMTP
helo=<
​​
mail12
​​
.tpgi.com.au
>

For use within restriction list(s):
check_client_access is for checking the purported address, or the ip, of the incoming connecting client
check_sender_access is for checking the MAILFROM address (envelope sender)
check_helo_access is for checking the HELO/EHLO response name

For use outside restriction list(s): (hence later/slower)
header_checks can be used for checking email headers - including the 'From:' header address (which may well be different to the MAILFROM address).

In your case you can put either the ip or the client address onto a new line in the file referenced by check_client_access, followed by ' OK', and then postmap it afterwards. You might want to add ​tpgi.com.au rather than ​mail12​​.tpgi.com.au (assuming smtpd_access_maps  is  listed  in parent_domain_matches_subdomains, which is the default case).

Yes it is a little confusing at first...
Reply | Threaded
Open this post in threaded view
|

Re: temp avoiding RBL block with client_checks OK?

Voytek
On Tue, February 13, 2018 9:18 pm, Dominic Raferd wrote:
> On 13 February 2018 at 08:42, Voytek <[hidden email]> wrote:

>
> For use within restriction list(s):
> check_client_access is for checking the purported address, or the ip, of
> the incoming connecting client check_sender_access is for checking the
> MAILFROM address (envelope sender)
> check_helo_access is for checking the HELO/EHLO response name
>
> For use outside restriction list(s): (hence later/slower)
> header_checks can be used for checking email headers - including the
> 'From:' header address (which may well be different to the MAILFROM
> address).
>
> In your case you can put either the ip or the client address onto a new
> line in the file referenced by check_client_access, followed by ' OK', and
>  then postmap it afterwards. You might want to add ​tpgi.com.au rather
> than ​mail12​​.tpgi.com.au (assuming smtpd_access_maps  is  listed  in
> parent_domain_matches_subdomains, which is the default case).
>
> Yes it is a little confusing at first...

Dominic,

thanks both for confirming as well as explaining the details, much
appreciated

also, forgot to ask, is there some command to test such change to confirm ?

V


Reply | Threaded
Open this post in threaded view
|

Re: temp avoiding RBL block with client_checks OK?

Dominic Raferd
On 13 February 2018 at 11:43, Voytek <[hidden email]> wrote:
>
> On Tue, February 13, 2018 9:18 pm, Dominic Raferd wrote:
> > In your case you can put either the ip or the client address onto a new
> > line in the file referenced by check_client_access, followed by ' OK', and
> >  then postmap it afterwards.
> ..
> forgot to ask, is there some command to test such change to confirm ?

If there is something wrong you will see the error when you do:
postmap hash:/etc/postfix/client_checks

For failsafe, make changes to a copy of client_checks in another
location and then postmap this, if no error then copy the amended
client_checks file into /etc/postfix and postmap there.

The changes will be implemented in active postfix pretty quickly after
postmap, but to force immediately do:
postfix reload