Good afternoon.
FreeBSD 5.3-RELEASE, Postfix 2.2
I can't get a whitelist to work; it still rejects based on RBL entries. What should I fix? Please advise.
#/>cat main.cf
.....
readme_directory = no
smtpd_helo_required = yes
smtpd_helo_restrictions = reject_invalid_hostname,
smtpd_delay_reject=yes
smtpd_sender_restrictions =
check_sender_access hash:/usr/local/etc/postfix/maps/access1,
check_client_access hash:/usr/local/etc/postfix/maps/access,
reject_non_fqdn_sender, reject_unknown_sender_domain, reject_rhsbl_sender blackhole.securitysage.com

smtpd_data_restrictions = reject_unauth_pipelining
smtpd_client_restrictions =
check_client_access hash:/usr/local/etc/postfix/maps/access,
check_sender_access hash:/usr/local/etc/postfix/maps/access1,
reject_rhsbl_client blackhole.securitysage.com

smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks,
check_client_access hash:/usr/local/etc/postfix/maps/access,
check_sender_access hash:/usr/local/etc/postfix/maps/access1,
reject_unauth_destination,
reject_non_fqdn_recipient,
reject_unknown_recipient_domain,
reject_rbl_client relays.ordb.org,
reject_rbl_client blackholes.easynet.nl,
reject_rbl_client cbl.abuseat.org,
reject_rbl_client proxies.blackholes.wirehub.net,
reject_rbl_client bl.spamcop.net,
reject_rbl_client sbl.spamhaus.org,
reject_rbl_client opm.blitzed.org,
reject_rbl_client dnsbl.njabl.org,
reject_rbl_client list.dsbl.org,
reject_rbl_client multihop.dsbl.org,
....
#/> cat /usr/local/etc/postfix/maps/access
.domain.ru OK
*.domain.ru OK
#/> cat /usr/local/etc/postfix/maps/access1
.domain.ru OK
*.domain.ru OK
#/> cat /var/log/maillog
....
Sep 11 11:06:36 rosserv postfix/smtpd[61417]: connect from xxx.domain.ru[xxx.xxx.xxx.xxx]
Sep 11 11:06:39 rosserv postfix/smtpd[61417]: NOQUEUE: reject: RCPT from xxx.domain.ru[xxx.xxx.xxx.xxx]: 554 Service unavailable; Client host [xxx.xxx.xxx.xxx] blocked using sbl.spamhaus.org; http://www.spamhaus.org/SBL/sbl.lasso?query=xxxxxx; from=<xxx.domain.ru> to=<xxx@rosserv.ru> proto=ESMTP helo=<xxx.domain.ru>
Sep 11 11:06:39 rosserv postfix/smtpd[61417]: disconnect from xxx.domain.ru[xxx.xxx.xxx.xxx]
....
Probably because client_restrictions are checked before sender_restrictions.
I.e., I somehow need to tell Postfix not to cut the client off right away but to wait for MAIL FROM (if that is possible at all).
>Good afternoon.
>FreeBSD 5.3-RELEASE, Postfix 2.2
>I can't get a whitelist to work; it still rejects based on RBL entries. What
>should I fix? Please advise.
>#/>cat main.cf
>.....
>readme_directory = no
>smtpd_helo_required = yes
>smtpd_helo_restrictions = reject_invalid_hostname,
>smtpd_delay_reject=yes
>smtpd_sender_restrictions =
> check_sender_access hash:/usr/local/etc/postfix/maps/access1,
> check_client_access hash:/usr/local/etc/postfix/maps/access,
> reject_non_fqdn_sender, reject_unknown_sender_domain, reject_rhsbl_sender blackhole.securitysage.com
>
>smtpd_data_restrictions = reject_unauth_pipelining
>smtpd_client_restrictions =
> check_client_access hash:/usr/local/etc/postfix/maps/access,
> check_sender_access hash:/usr/local/etc/postfix/maps/access1,
> reject_rhsbl_client blackhole.securitysage.com
>
>smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks,
> check_client_access hash:/usr/local/etc/postfix/maps/access,
> check_sender_access hash:/usr/local/etc/postfix/maps/access1,
> reject_unauth_destination,
> reject_non_fqdn_recipient,
> reject_unknown_recipient_domain,
> reject_rbl_client relays.ordb.org,
> reject_rbl_client blackholes.easynet.nl,
> reject_rbl_client cbl.abuseat.org,
> reject_rbl_client proxies.blackholes.wirehub.net,
> reject_rbl_client bl.spamcop.net,
> reject_rbl_client sbl.spamhaus.org,
> reject_rbl_client opm.blitzed.org,
> reject_rbl_client dnsbl.njabl.org,
> reject_rbl_client list.dsbl.org,
> reject_rbl_client multihop.dsbl.org,
>....
>#/> cat /usr/local/etc/postfix/maps/access
>.domain.ru OK
>*.domain.ru OK
>#/> cat /usr/local/etc/postfix/maps/access1
>.domain.ru OK
>*.domain.ru OK
>#/> cat /var/log/maillog
>....
>Sep 11 11:06:36 rosserv postfix/smtpd[61417]: connect from xxx.domain.ru[xxx.xxx.xxx.xxx]
>Sep 11 11:06:39 rosserv postfix/smtpd[61417]: NOQUEUE: reject: RCPT from xxx.domain.ru[xxx.xxx.xxx.xxx]: 554 Service unavailable; Client host [xxx.xxx.xxx.xxx] blocked using sbl.spamhaus.org; http://www.spamhaus.org/SBL/sbl.lasso?query=xxxxxx; from=<xxx.domain.ru> to=<xxx@rosserv.ru> proto=ESMTP helo=<xxx.domain.ru>
>Sep 11 11:06:39 rosserv postfix/smtpd[61417]: disconnect from xxx.domain.ru[xxx.xxx.xxx.xxx]
>....

In /usr/local/etc/postfix/maps/access the entries should look like
xxx.xxx.xxx.xxx OK
I.e., IP addresses.
>In /usr/local/etc/postfix/maps/access the entries should look like
>
>xxx.xxx.xxx.xxx OK
>
>I.e., IP addresses.

Search the specified access database for the client hostname, parent domains, client IP address, or networks obtained by stripping least significant octets. See the access(5) manual page for details.
>smtpd_client_restrictions =
> check_client_access hash:/usr/local/etc/postfix/maps/access,
> check_sender_access hash:/usr/local/etc/postfix/maps/access1,
But this ^^^^^^^^ (check_sender_access) is not needed here. What is checked here is the address from which the client connected to you.
check_sender_access is checked in smtpd_sender_restrictions, after the MAIL FROM line has been received.
So this way you cannot let mail through from known addresses inside blocked networks/addresses.
Wouldn't it be simpler to drop the RBLs altogether and add permit_sasl_authenticated?
And was postmap run for these files?
hash:/usr/local/etc/postfix/maps/access,
check_sender_access hash:/usr/local/etc/postfix/maps/access1
> check_sender_access hash:/usr/local/etc/postfix/maps/access1,
> reject_rhsbl_client blackhole.securitysage.com
^^^^^^^^^^^
Better to do this in smtpd_sender_restrictions.
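The two points made in the replies above (which keys check_client_access actually looks up, and why check_sender_access has nothing to match on before MAIL FROM) can be seen in a small model of Postfix's evaluation. This is an added illustration, not code from the thread or from Postfix; the hostnames, IP addresses, map contents and the "listed" DNSBL address are constructed, and only IPv4 clients are modelled. The lookup order follows postconf(5)/access(5): with the default parent_domain_matches_subdomains (which includes smtpd_access_maps) parent domains are tried as "domain.tld", so an entry written as ".domain.ru" is never consulted, and "*.domain.ru" is a literal key, not a wildcard.

```python
"""Model of Postfix smtpd access(5) lookups and restriction-list evaluation.

Added illustration for this thread, not Postfix code. Constructed inputs:
client xxx.domain.ru [192.0.2.10], a DNSBL that "lists" 192.0.2.10.
"""


def client_lookup_keys(hostname, ip, parent_matches_subdomains=True):
    """Keys check_client_access tries, in order: hostname, parent domains,
    IP address, then networks obtained by stripping least significant octets."""
    hostname = hostname.lower()
    keys = [hostname]
    labels = hostname.split(".")
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        # default parent_domain_matches_subdomains: "domain.tld"; otherwise ".domain.tld"
        keys.append(parent if parent_matches_subdomains else "." + parent)
    octets = ip.split(".")
    keys.append(ip)
    for n in range(len(octets) - 1, 0, -1):
        keys.append(".".join(octets[:n]))
    return keys


def sender_lookup_keys(sender, parent_matches_subdomains=True):
    """Keys check_sender_access tries: user@domain, domain and parents, user@.
    Before MAIL FROM there is no sender at all, so nothing is looked up."""
    if sender is None:
        return []
    if sender == "":
        return ["<>"]  # smtpd_null_access_lookup_key default
    sender = sender.lower()
    if "@" not in sender:
        return [sender]
    user, domain = sender.rsplit("@", 1)
    keys = [sender]
    labels = domain.split(".")
    for i in range(len(labels)):
        parent = ".".join(labels[i:])
        keys.append(parent if (i == 0 or parent_matches_subdomains) else "." + parent)
    keys.append(user + "@")
    return keys


def access_lookup(access_map, keys):
    """First matching key wins, as with a hash: map; None when nothing matches."""
    for key in keys:
        if key in access_map:
            return access_map[key]
    return None


def evaluate(restrictions, client_host, client_ip, sender=None,
             parent_matches_subdomains=True):
    """Walk one restriction list. Each item is (name, argument):
    check_*_access -> access map dict, reject_rbl_client -> set of listed IPs,
    permit_mynetworks -> set of IPs. Returns (verdict, deciding restriction);
    OK or REJECT stops the list, DUNNO means the next list gets to decide."""
    for name, arg in restrictions:
        if name == "check_client_access":
            verdict = access_lookup(arg, client_lookup_keys(
                client_host, client_ip, parent_matches_subdomains))
        elif name == "check_sender_access":
            verdict = access_lookup(arg, sender_lookup_keys(
                sender, parent_matches_subdomains))
        elif name == "reject_rbl_client":
            verdict = "REJECT" if client_ip in arg else None  # arg stands in for the DNSBL
        elif name == "permit_mynetworks":
            verdict = "OK" if client_ip in arg else None
        else:
            raise ValueError("unmodelled restriction: " + name)
        if verdict in ("OK", "REJECT"):
            return verdict, name
    return "DUNNO", None


CLIENT_HOST, CLIENT_IP = "xxx.domain.ru", "192.0.2.10"  # constructed
SBL_LISTED = {"192.0.2.10"}                              # constructed DNSBL contents


def thread_scenarios():
    """The three configurations from the thread, plus a /24 whitelist."""
    rbl = ("reject_rbl_client", SBL_LISTED)
    results = {}
    # 1st attempt: ".domain.ru" / "*.domain.ru" entries, looked up by client.
    host_map = {".domain.ru": "OK", "*.domain.ru": "OK"}
    results["hostnames"] = evaluate([("check_client_access", host_map), rbl],
                                    CLIENT_HOST, CLIENT_IP)
    # Same map matches once parent domains are tried with a leading dot.
    results["hostnames_dotted"] = evaluate([("check_client_access", host_map), rbl],
                                           CLIENT_HOST, CLIENT_IP,
                                           parent_matches_subdomains=False)
    # 2nd attempt: IP entry, but via check_sender_access at CONNECT (delay_reject=no).
    ip_map = {"192.0.2.10": "OK"}
    results["sender_access_at_connect"] = evaluate(
        [("check_sender_access", ip_map), rbl], CLIENT_HOST, CLIENT_IP, sender=None)
    # The fix: check_client_access with the IP entry, ahead of the RBLs.
    results["client_access_ip"] = evaluate([("check_client_access", ip_map), rbl],
                                           CLIENT_HOST, CLIENT_IP)
    # Whole /24 via octet stripping.
    results["client_access_net"] = evaluate(
        [("check_client_access", {"192.0.2": "OK"}), rbl], CLIENT_HOST, CLIENT_IP)
    return results


if __name__ == "__main__":
    for name, (verdict, by) in thread_scenarios().items():
        print(f"{name:26s} -> {verdict} ({by})")
```

Running it shows the "hostnames" and "sender_access_at_connect" cases ending in REJECT from reject_rbl_client, while the IP-keyed check_client_access returns OK and evaluation of that list stops before any RBL is consulted. In a real Postfix the same thing can be checked with `postmap -q <key> hash:/path/to/access`, which prints the value only if that exact key is in the map.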
Thanks for the hints.
I changed the config slightly. Added the IP addresses of the needed hosts to the access file (ran postmap).
It still rejects.
#>cat maillog
...
Sep 18 11:32:59 rosserv postfix/smtpd[26488]: connect from domain.ru[xxx.xxx.xxx.xxx]
Sep 18 11:33:05 rosserv postfix/smtpd[26488]: NOQUEUE: reject: CONNECT from domain.ru[xxx.xxx.xxx.xxx]: 554 Service unavailable; Client host [xxx.xxx.xxx.xxx] blocked using sbl.spamhaus.org; http://www.spamhaus.org/SBL/sbl.lasso?query=xxxxxxx; proto=SMTP
Sep 18 11:33:13 rosserv postfix/smtpd[26488]: disconnect from domain.ru[xxx.xxx.xxx.xxx]
...
In theory, once a rule in a group has fired, the message is not processed any further.
Why might it not be working?
#>cat main.cf
...
smtpd_helo_required = yes
smtpd_delay_reject=no
# 1
smtpd_client_restrictions =
check_sender_access hash:/usr/local/etc/postfix/maps/access,
reject_rhsbl_client blackhole.securitysage.com,
reject_rbl_client relays.ordb.org,
reject_rbl_client blackholes.easynet.nl,
reject_rbl_client cbl.abuseat.org,
reject_rbl_client proxies.blackholes.wirehub.net,
reject_rbl_client bl.spamcop.net,
reject_rbl_client sbl.spamhaus.org,
reject_rbl_client opm.blitzed.org,
reject_rbl_client dnsbl.njabl.org,
reject_rbl_client list.dsbl.org,
reject_rbl_client multihop.dsbl.org
# 2
smtpd_helo_restrictions = check_helo_access hash:/usr/local/etc/postfix/maps/access,
reject_invalid_hostname
# 4
smtpd_sender_restrictions =
reject_non_fqdn_sender,
reject_unknown_sender_domain,
reject_rhsbl_sender blackhole.securitysage.com
# 5
smtpd_recipient_restrictions =
permit_sasl_authenticated,
permit_mynetworks,
reject_unauth_destination,
reject_non_fqdn_recipient,
reject_unknown_recipient_domain
# 6
smtpd_data_restrictions = reject_unauth_pipelining...
>...
>smtpd_helo_required = yes
>smtpd_delay_reject=no
># 1
>smtpd_client_restrictions =
> check_sender_access hash:/usr/local/etc/postfix/maps/access,
> reject_rhsbl_client blackhole.securitysage.com,
> reject_rbl_client relays.ordb.org,
> reject_rbl_client blackholes.easynet.nl,
> reject_rbl_client cbl.abuseat.org,
> reject_rbl_client proxies.blackholes.wirehub.net,
> reject_rbl_client bl.spamcop.net,
> reject_rbl_client sbl.spamhaus.org,
> reject_rbl_client opm.blitzed.org,
> reject_rbl_client dnsbl.njabl.org,
> reject_rbl_client list.dsbl.org,
> reject_rbl_client multihop.dsbl.org
It all works now. I made a typo! In the smtpd_client_restrictions section the rule is check_client_access, not check_sender_access.

Here's a good article on this topic:
http://www.postfix.ru/viewtopic.php?p=3109#3109
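For reference, the working shape of the configuration the thread arrives at, written out as an added example (these are not the poster's own files; xxx.xxx.xxx.xxx is the page's placeholder for the whitelisted host's address, and the network-prefix line is an addition showing the octet-stripping lookup described in the quoted postconf(5) text). The order inside the list is what matters: the OK returned by check_client_access ends evaluation of smtpd_client_restrictions before any reject_rbl_client is reached.

```text
# main.cf
smtpd_delay_reject = no
smtpd_client_restrictions =
    check_client_access hash:/usr/local/etc/postfix/maps/access,
    reject_rhsbl_client blackhole.securitysage.com,
    reject_rbl_client sbl.spamhaus.org,
    ...

# /usr/local/etc/postfix/maps/access
# keys are the client IP address, a network prefix, or a hostname;
# "*.domain.ru" is a literal key, not a wildcard
xxx.xxx.xxx.xxx   OK
# whole /24 of that host (matched by stripping the last octet)
xxx.xxx.xxx       OK

# rebuild the hash map after every edit, then verify the lookup
postmap /usr/local/etc/postfix/maps/access
postmap -q xxx.xxx.xxx.xxx hash:/usr/local/etc/postfix/maps/access
```

The `postmap -q` query prints `OK` only when that exact key is present in the compiled map; if it prints nothing, the map was not rebuilt or the key is not what smtpd will look up.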