Thanks John! You nailed it, made the two changes you suggested, and it is now blocking; client will be happy.
On Sun, Jul 7, 2024 at 8:52 PM John Fawcett via Postfix-users <postfix-users@postfix.org> wrote:

> On 07/07/2024 06:18, Nick Edwards via Postfix-users wrote:
> > Howdy,
> >
> > I've never seen the point in this before, but I've been asked by a client
> > to implement it if possible, that is, place dnsbl checks on submission and
> > smtps connections. I've tried a few combinations but it does not seem to be
> > working; no doubt someone can see the error and slap me a new one for
> > overlooking the obvious on a Sunday.
> >
> > Master:
> > smtps inet n - n - - smtpd
> >   -o smtpd_client_restrictions=$submission_client_restrictions
> >   -o smtpd_recipient_restrictions=$submission_recipient_restrictions
> >   -o smtpd_tls_wrappermode=yes
> >   -o smtpd_sasl_auth_enable=yes
> >   -o receive_override_options=no_header_body_checks
> >   -o smtpd_helo_restrictions=
> >   -o smtpd_sender_restrictions=
> >   -o smtpd_data_restrictions=
> >   -o smtpd_client_connection_rate_limit=1000
> >   -o content_filter=
> >
> > submission inet n - n - - smtpd
> >   -o smtpd_client_restrictions=$submission_client_restrictions
> >   -o smtpd_recipient_restrictions=$submission_recipient_restrictions
> >   -o smtpd_sasl_auth_enable=yes
> >   -o smtpd_helo_restrictions=
> >   -o smtpd_sender_restrictions=
> >   -o smtpd_data_restrictions=
> >   -o receive_override_options=no_header_body_checks
> >   -o mynetworks=127.0.0.0/8,[::1]/128
> >   -o content_filter=
> >   -o smtpd_client_connection_rate_limit=1000
> >   -o anvil_rate_time_unit=3600
> >
> > Main:
> > submission_recipient_restrictions =
> >   reject_rbl_client cbl.abuseat.org=127.0.0.[2..255]
> >   reject_unknown_sender_domain
> >   reject_unknown_recipient_domain
> >   permit_mynetworks
> >   permit_sasl_authenticated
> >   reject
> >
> > I've tried reordering a few of these but no go, tcpdump does not show any
> > attempts to the BL, the clients are definitely coming in on port 587 and
> > 465, we don't allow smtp auth on 25 (tested), and the
> > smtpd_recipient_restrictions = contains same BL and
> >
> > Open to suggestions,
> > Thanks
> > Nik
>
> Hi Nik
>
> people have posted some working configurations that are in the list
> archives so might be useful to look up.
>
> But I can see some potential points to address. I would recommend adding
> -o smtpd_delay_reject=no to the master.cf configuration. Most people use
> the default yes, since it delays evaluating client/helo/sender restrictions
> until the RCPT TO stage of the mail transaction and so rejects can log more
> info. Blocking submission like your client wants will not work with
> smtpd_delay_reject = yes. You'll also need to put the rbl check in the
> smtpd_client_restrictions (so in submission_client_restrictions in your
> case). With those two modifications the evaluation of the rbl disconnection
> will happen upon client connection.
>
> I haven't personally used the $ syntax you're using so I can't say much
> about it, and the following comment may not be totally relevant, but just
> in case I'll mention that in my configuration I have no $ in front of my
> restriction classes. As mentioned by Allen in that case you'll need to use
> the smtpd_restriction_classes configuration to tell postfix which custom
> restriction classes you're defining.
>
> John
_______________________________________________ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
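For readers finding this thread later, here is what the two changes John describes look like when applied to Nik's posted stanzas. This is an added example, not a config either poster published: it keeps Nik's parameter names and his `$name` indirection (a `-o` value in master.cf cannot contain whitespace, so the full lists live in main.cf and master.cf references them by `$name`), moves `reject_rbl_client` into the client restrictions, and sets `smtpd_delay_reject=no` on both services so the DNSBL lookup happens at connect time rather than at RCPT TO. The `syslog_name` lines are an assumption added so the rejects are easy to grep; everything else mirrors the original post.

```conf
# master.cf (added example; not the poster's final config)
# smtpd_delay_reject=no makes smtpd evaluate smtpd_client_restrictions
# as soon as the client connects, so a listed IP is disconnected before
# it can even attempt AUTH.  With the default (yes) the same restriction
# list is only evaluated at RCPT TO, which is why nothing was queried.
submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_delay_reject=no
  -o smtpd_client_restrictions=$submission_client_restrictions
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=$submission_recipient_restrictions
  -o smtpd_data_restrictions=
  -o receive_override_options=no_header_body_checks
  -o content_filter=
  -o mynetworks=127.0.0.0/8,[::1]/128
  -o smtpd_client_connection_rate_limit=1000

smtps      inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_delay_reject=no
  -o smtpd_client_restrictions=$submission_client_restrictions
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=$submission_recipient_restrictions
  -o smtpd_data_restrictions=
  -o receive_override_options=no_header_body_checks
  -o content_filter=
  -o smtpd_client_connection_rate_limit=1000

# main.cf
# The DNSBL check belongs in the CLIENT restriction list: that is the list
# evaluated at connect time once smtpd_delay_reject=no is set.  Local
# clients are permitted first so loopback is never looked up.
submission_client_restrictions =
    permit_mynetworks
    reject_rbl_client cbl.abuseat.org=127.0.0.[2..255]
    permit

# Recipient-stage policy stays as before, minus the RBL entry.
# permit_sasl_authenticated is meaningless at connect time (no AUTH has
# happened yet), so it must remain here rather than in the client list.
submission_recipient_restrictions =
    reject_unknown_sender_domain
    reject_unknown_recipient_domain
    permit_mynetworks
    permit_sasl_authenticated
    reject
```

After `postfix reload`, `postconf -M submission` and `postconf -M smtps` show the effective `-o` overrides, and a tcpdump of port 53 should now show the `*.cbl.abuseat.org` A query the moment a non-local client connects to 587 or 465, with a `NOQUEUE: reject: CONNECT from ...` line in the mail log on a hit. Note the trade-off this buys: because the lookup runs before AUTH, a legitimate user whose IP happens to be listed cannot log in at all from that address, which is exactly the behaviour the client asked for but is worth telling the help desk about.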