I have the following:

smtpd_restriction_classes = check_greylist
check_greylist = check_policy_service inet:127.0.0.1:10023

smtpd_recipient_restrictions =
 reject_non_fqdn_sender,
 reject_non_fqdn_recipient,
 reject_unknown_sender_domain,
 reject_invalid_hostname,
 permit_mynetworks,
 check_client_access hash:$config_directory/pbs,
 permit_sasl_authenticated,
 reject_unauth_destination,
 reject_unlisted_sender,
 check_client_access cidr:/var/db/dnswl/postfix-dnswl-permit
 check_helo_access pcre:$config_directory/helo_checks.pcre,
 check_sender_access pcre:$config_directory/sender_access.pcre,
 check_client_access pcre:$config_directory/check_client_fqdn.pcre,
 check_recipient_access pcre:$config_directory/recipient_checks.pcre,
 check_client_access hash:$config_directory/access,
 reject_rbl_client zen.spamhaus.org
 permit

helo_checks.pcre:
/(dsl|pool|dynamic|user|hsd|dyn|dial)/ WARN helo Dynamic addresses not allowed

and the following in the logs:

Dec 23 00:17:59 mail postfix/smtpd[81378]: connect from c-12-34-56-789.comcast.net[12.34.56.789]
Dec 23 00:17:59 mail postgrey[937]: action=greylist, reason=new, client_name=c-12-34-56-789.hsd1.co.comcast.net, client_address=12.34.56.789, sender=*mung...@*munged*.com, recipient=fam...@*munged*.com
Dec 23 00:18:00 mail postfix/smtpd[81378]: NOQUEUE: reject: RCPT from c-12-34-56-789..comcast.net[12.34.56.789]: 554 5.7.1 Service unavailable; Client host [12.34.56.789] blocked using zen.spamhaus.org; http://www.spamhaus.org/query/bl?ip=12.34.56.789; from=<*mung...@*munged*.com> to=<fam...@*munged*.com> proto=ESMTP helo=<cerebus.hsd1.co.comcast.net>

But checking the pbs database with pop-before-smtp --list the IP address is listed. (pbs is the pop-before-smtp database).

After the greylisting period expires, then the message goes through, but the greylist check is way down in check_client_fqdn.pcre so it seems the message should be getting a pass on the pbs long before it gets to the check_greylist in the pcre. The pbs info should not be expiring as I check mail every 5-10 minutes, so my IP should always be 'fresh'.

I do have a pop-before-smtp.log, but it was not actually logging (fixed now).

(The listing in zen is correct, as I am in a dynamic comcast pool. The IP never changes, but I do not add myself to $mynetworks specifically to keep track of this kind of stuff.)

So, is the smtpd_restriction_class somehow applying to ALL connections, even those that should be passing, say, permit_mynetworks or permit_sasl_authenticated?

Or am I missing something else?


--
You think you can catch Keyser Soze? You think a guy like that
        comes this close to getting caught, and sticks his head out? If
        he comes up for anything it'll be to get rid of me. After that
        my guess is you'll never hear from him again.
