Old 10-09-2008, 05:14 PM   #1
carlosinfl
Senior Member
 
Registered: May 2004
Location: Orlando, FL
Distribution: Debian
Posts: 2,900

Rep: Reputation: 73
Mail Server Refusing Email Due to Sorbs


On my email server <example.com> I have the following:

Code:
smtpd_recipient_restrictions = permit_mynetworks,
        permit_sasl_authenticated,
        reject_unauth_destination,
        reject_non_fqdn_sender,
        reject_non_fqdn_recipient,
        reject_unlisted_recipient,
        reject_unlisted_sender,
        reject_invalid_hostname,
        reject_non_fqdn_hostname,
        reject_rbl_client zen.spamhaus.org,
        reject_rbl_client bl.spamcop.net,
        reject_rbl_client safe.dnsbl.sorbs.net,
        reject_invalid_hostname,
        reject_non_fqdn_hostname
As you can see from above, we check all email against Sorbs. According to my logs, I see the following:

Code:
Oct  9 17:45:56 mail postfix/smtpd[4857]: NOQUEUE: reject: RCPT from mailgw2a.lmco.com[192.91.147.7]: 554 5.7.1 Service unavailable; Client host [192.91.147.7] blocked using safe.dnsbl.sorbs.net; Currently Sending Spam See: http://www.sorbs.net/lookup.shtml?192.91.147.7; from=<xxx@lmco.com> to=<xxx@example.com> proto=ESMTP helo=<mailgw2a.lmco.com>
Now this is a huge problem because LMCO domain is a direct contractor we deal with. My question is should I first be using "Sorbs" on my Postfix mail config? Is Sorbs a reliable / dependable database I should be using? Next question is whose problem/responsibility is this? I would assume this is the administrator for LMCO to get removed from the blacklist, right? Lastly, can I and do you recommend in the meantime, I simply "whitelist" mail from this domain? I trust them and know they're not spammers and it is critical we be able to communicate with them.

Thanks for any help and/or info!
 
Old 10-09-2008, 05:25 PM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,456
Blog Entries: 54

Rep: Reputation: 2897
If they got blacklisted I'd say let *them* handle it: don't make their problem yours.
 
Old 10-09-2008, 08:42 PM   #3
billymayday
Guru
 
Registered: Mar 2006
Location: Sydney, Australia
Distribution: Fedora, CentOS, OpenSuse, Slack, Gentoo, Debian, Arch, PCBSD
Posts: 6,678

Rep: Reputation: 122
Read

man 5 access

Basically you should be able to add

check_sender_access hash:/etc/postfix/sender_access

in smtpd_sender_restrictions

and have an entry along the lines of

@lmco.com OK

in sender_access
 
Old 10-10-2008, 02:56 AM   #4
Mr. C.
Senior Member
 
Registered: Jun 2008
Posts: 2,529

Rep: Reputation: 59
Placing an OK in smtpd_sender_restrictions will not bypass subsequent smtpd_*_checks.

Whitelist the client(s) using a check_client_access instead of check_sender_access, as it was the client that was blacklisted, and a sender is trivially forged.

Place the check_client_access immediately before your RBL check that is causing trouble in the same access list,
but under no circumstances place this list containing OKs before reject_unauth_destination.

Instead of OK, use permit_auth_destination for safety.
 
Old 10-10-2008, 02:58 AM   #5
billymayday
Guru
 
Registered: Mar 2006
Location: Sydney, Australia
Distribution: Fedora, CentOS, OpenSuse, Slack, Gentoo, Debian, Arch, PCBSD
Posts: 6,678

Rep: Reputation: 122
I knew I'd get the wrong restriction. Not something I use a lot.
 
Old 10-10-2008, 03:18 AM   #6
Mr. C.
Senior Member
 
Registered: Jun 2008
Posts: 2,529

Rep: Reputation: 59
For the OP, think of the smtpd_*_restrictions as chains, like iptables.
Each chain is traversed, but can be short-circuited.
But all the chains are traversed in the sequence that matches the SMTP dialog.
 
Old 10-10-2008, 07:25 AM   #7
carlosinfl
Senior Member
 
Registered: May 2004
Location: Orlando, FL
Distribution: Debian
Posts: 2,900

Original Poster
Rep: Reputation: 73
Quote:
Originally Posted by Mr. C. View Post
Whitelist the client(s) using a check_client_access instead of check_sender_access, as it was the client that was blacklisted, and a sender is trivially forged.
So in my 'main.cf' I would have something that looks like the following?

smtpd_recipient_restrictions =
        permit_mynetworks,
        permit_sasl_authenticated,
        reject_unauth_destination,
        reject_non_fqdn_sender,
        reject_non_fqdn_recipient,
        reject_unlisted_recipient,
        reject_unlisted_sender,
        reject_invalid_hostname,
        reject_non_fqdn_hostname,
        check_client_access hash:client_access
        reject_rbl_client zen.spamhaus.org,
        reject_rbl_client bl.spamcop.net,
        reject_rbl_client safe.dnsbl.sorbs.net,
        reject_invalid_hostname,
        reject_non_fqdn_hostname

Quote:
Originally Posted by Mr. C. View Post
Place the check_client_access immediately before your RBL check that is causing trouble in the same access list,
but under no circumstances place this list containing OKs before reject_unauth_destination.
If I have it correct above, it appears right before my RBL checks and way after 'reject_unauth_destination'.

I am guessing it is safe to check against 'safe.dnsbl.sorbs.net' since nobody advised I remove that from my checks or main.cf, right?
 
Old 10-10-2008, 02:24 PM   #8
Mr. C.
Senior Member
 
Registered: Jun 2008
Posts: 2,529

Rep: Reputation: 59
That's correct, or you can move it just above the one problematic check, allowing other RBLs to act. It's your call.

You'll have to make your own judgment about how safe an RBL is for your mail customers and patterns.
If you are unsure, place "warn_if_reject" before any check and Postfix will add "warn:" log entries
indicating what would have occurred. This way, you can safely evaluate various rules and restrictions.
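
Added example, not part of any post in this thread and not Postfix code: a small Python model of how the restriction lists discussed in posts #4, #6 and #8 are evaluated. It shows why an OK in the sender list does not skip the RBL check in the recipient list, why a whitelist entry must come after reject_unauth_destination unless it maps to permit_auth_destination, and what warn_if_reject changes. The function names, the `elsewhere.test` recipient and the `warn:` log format are assumptions made for the illustration.

```python
# Toy model of Postfix smtpd_*_restrictions evaluation; not Postfix code.
LOCAL = {"example.com"}          # constructed: domains this server accepts mail for
RBL_LISTED = {"192.91.147.7"}    # client IP taken from the log line in post #1

def domain(addr):
    return addr.rsplit("@", 1)[1]

CHECKS = {  # each check returns "OK", "REJECT" or "DUNNO" (no decision)
    "reject_unauth_destination": lambda s: "DUNNO" if domain(s["rcpt"]) in LOCAL else "REJECT",
    "permit_auth_destination": lambda s: "OK" if domain(s["rcpt"]) in LOCAL else "DUNNO",
    "reject_rbl_client": lambda s: "REJECT" if s["client"] in RBL_LISTED else "DUNNO",
}

def resolve(name, s, tables):
    """Evaluate one restriction; an access-table hit may name another restriction."""
    if name == "check_client_access":
        action = tables["client"].get(s["client"], "DUNNO")
    elif name == "check_sender_access":
        action = tables["sender"].get("@" + domain(s["sender"]), "DUNNO")
    else:
        return CHECKS[name](s)
    return CHECKS[action](s) if action in CHECKS else action

def run_list(names, s, tables, log):
    """One list: the first OK or REJECT ends it; DUNNO moves to the next entry."""
    for entry in names:
        name = entry.split()[-1]
        result = resolve(name, s, tables)
        if result == "REJECT" and entry.startswith("warn_if_reject"):
            log.append("warn: " + name)   # logged only, evaluation continues
        elif result != "DUNNO":
            return result
    return "OK"                           # nothing rejected: the list permits

def smtpd(lists, s, tables):
    """Walk the lists in SMTP-dialog order; an OK ends only its own list."""
    log = []
    for stage in ("client", "helo", "sender", "recipient"):
        if run_list(lists.get(stage, []), s, tables, log) == "REJECT":
            return "REJECT", log
    return "OK", log

MAIL = {"client": "192.91.147.7", "sender": "xxx@lmco.com", "rcpt": "xxx@example.com"}
RELAY = dict(MAIL, rcpt="user@elsewhere.test")   # constructed off-site recipient
BAD = ["check_client_access", "reject_unauth_destination", "reject_rbl_client"]

if __name__ == "__main__":
    for action in ("OK", "permit_auth_destination"):   # whitelist placed too early
        print(action, smtpd({"recipient": BAD}, RELAY, {"client": {MAIL["client"]: action}}))
```

With the whitelist placed first, a plain OK lets the listed client relay to the off-site recipient, while permit_auth_destination falls through to reject_unauth_destination and the relay attempt is rejected.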
 
All times are GMT -5.