Postfix+rbl restrictions-postmaster/abuse not getting complaints

Carl Filby · 09-06-2008, 12:18 PM

running postfix on debian etch. I want postmaster or at least abuse account to be able to receive emails regarding false postive claims from rbls.
current main.cf:
smtpd_client_restrictions =
check_client_access hash:/etc/postfix/cbl_exceptions
reject_rbl_client cbl.abuseat.org,
reject_rbl_client korea.blackholes.us,
reject_rbl_client russia.blackholes.us,
reject_rbl_client china.blackholes.us,
reject_rbl_client taiwan.blackholes.us,
reject_rbl_client nigeria.blackholes.us,
reject_rbl_client argentina.blackholes.us,
reject_rbl_client brazil.blackholes.us,
reject_rbl_client thailand.blackholes.us,
reject_rbl_client bl.spamcop.net
smtpd_helo_required = yes
smtpd_helo_restrictions =
permit_mynetworks,
check_client_access hash:/etc/postfix/helo_client_exceptions
reject_invalid_helo_hostname,
warn_if_reject,
reject_non_fqdn_helo_hostname,
warn_if_reject,
reject_unknown_helo_hostname
smtpd_sender_restrictions =
permit_mynetworks,
reject_non_fqdn_sender,
reject_unknown_sender_domain
smtpd_recipient_restrictions =
permit_mynetworks,
check_recipient_access hash:/etc/postfix/postmaster,
reject_non_fqdn_sender,
reject_non_fqdn_recipient,
reject_unknown_sender_domain,
permit_mynetworks,
reject_unauth_destination,
reject_unknown_recipient_domain,
permit
______________________________________________________
contents of /etc/postfix/postmaster:
postmaster@ OK
abuse@ OK
______________________________________________
How do I insure abuse account can be emailed if sender gets blocked?

Berhanie · 09-06-2008, 06:36 PM

What are "false postie claims"?

Carl Filby · 09-06-2008, 07:25 PM

Quote:

Originally Posted by Berhanie

What are "false postie claims"?

forgive the ONE letter slip

Berhanie · 09-06-2008, 09:57 PM

Ah! False positive! Got it. Ok, so what you might mean is that you sometimes get an unintended answer to an RBL query; perhaps your ISP gets involved and tries to be "helpful" by converting an empty DNS response to a pointer to one of their web servers, in effect giving a false positive. If this is your concern, here is something you can do. RBLs -- at least the ones I use -- publish a list of their possible responses, and what they mean. For example, Spamhaus' is here. So, if I were looking up an IP address on zen.spamhaus.org, I expect an answer in the range 127.0.0.2 - 127.0.0.11. You can test this by doing the lookup manually. To see whether the IP address a.b.c.d has an A-record with zen.spamhaus.org, execute

Code:

dig d.c.b.a.zen.spamhaus.org

If you're querying your ISP's DNS servers, you might get a (false positive) response, but it will not be in the expected range. Now, to tell postfix about the list of possible answers, you would put the following in main.cf:

Code:

smtpd_client_restrictions =
  ...
  reject_rbl_client zen.spamhaus.org=127.0.0.2
  reject_rbl_client zen.spamhaus.org=127.0.0.3
  ...
  reject_rbl_client zen.spamhaus.org=127.0.0.11

Carl Filby · 09-06-2008, 10:09 PM

No but thx for the information
I want someone that has had their email blocked be able to email abuse@mydomain.com.

Berhanie · 09-06-2008, 10:15 PM

Ah, sorry. I read your post again (did you change it from the first time?). Ok, so you have to whitelist the recipient (abuse) before acting on the rbl checks. You can do that by putting all restriction lists under smtpd_recpient_restrictions.

Carl Filby · 09-06-2008, 10:30 PM

Moved the restrictions as suggested. Time will tell. Thank you

Berhanie · 09-07-2008, 12:29 AM

You're welcome. The point is that you need to have a rule to whitelist the abuse recipient early on, so it won't be subjected to any of the other access restrictions.