On January 12, 2010 2:49:32 PM -0600 "/dev/rob0" <r...@gmx.co.uk> wrote:
> On Tue, Jan 12, 2010 at 03:02:37PM -0500, Frank Cusack wrote:
> > My postfix-2.6.5 is rejecting mail from a host which has a large
>
> Not according to what we see below. "Lost connection" does not mean
> you rejected them.

Quite. That should have been obvious to me but I guess not!

> > smtpd_data_restrictions = reject_multi_recipient_bounce permit
> > smtpd_helo_required = yes
> > smtpd_helo_restrictions = permit_mynetworks
> >     reject_unauth_pipelining reject_invalid_helo_hostname
>
> reject_unauth_pipelining won't work here, only in
> smtpd_data_restrictions

  reject_unauth_pipelining
    Reject the request when the client sends SMTP commands ahead of time
    where it is not allowed, or when the client sends SMTP commands ahead
    of time without knowing that Postfix actually supports ESMTP command
    pipelining. This stops mail from bulk mail software that improperly
    uses ESMTP command pipelining in order to speed up deliveries.

    With Postfix 2.6 and later, the SMTP server sets a per-session flag
    whenever it detects illegal pipelining, including pipelined EHLO or
    HELO commands. The reject_unauth_pipelining feature simply tests
    whether the flag was set at any point in time during the session.

    With older Postfix versions, reject_unauth_pipelining checks
    the current status of the input read queue, and its usage is not
    recommended in contexts other than smtpd_data_restrictions.

I especially point you to the last paragraph.
The reference to EHLO/HELO, and the reference to support in older versions
hints to me it should be in the helo section? Not correct?

> > smtpd_recipient_restrictions = reject_non_fqdn_sender
> >     reject_unknown_sender_domain reject_non_fqdn_recipient
> >     reject_unknown_recipient_domain permit_mynetworks
> >     check_sender_access dbm:/etc/postfix/sender_access
>
> check_sender_access looks up the MAIL FROM address (or the domain, or
> the localpart), see SMTPD_ACCESS_README.html and access.5.html for
> details.

Yeah, I knew that. :) I guess it was stupid to try whitelisting them
at that point.

> >     reject_unauth_destination reject_non_fqdn_hostname
> >     reject_invalid_hostname check_sender_mx_access
> >     cidr:/etc/postfix/bogus_mx reject_rhsbl_sender
> >     dsn.rfc-ignorant.org reject_rhsbl_sender bogusmx.rfc-ignorant.org
> >     reject_rhsbl_sender zen.spamhaus.org
> >     reject_rhsbl_sender bl.spamcop.net permit
>
> Zen and spamcop are not RHSBL services. You're bugging them with
> queries that will never match anything. I would suggest that you
> consider "reject_rbl_client zen.spamhaus.org", however.

Thanks, I never would have realized that.
-frank
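
An added example, not part of the original thread and not Postfix's own tooling: a small main.cf check for the RHSBL mix-up discussed above, where a domain-based `reject_rhsbl_*` restriction is pointed at an IP-based list. The function names are hypothetical, and the zone table is an assumption limited to the two lists the thread names.

```python
import re

# IP-based DNSBL zones named in the thread; they only match with reject_rbl_client.
IP_BASED_ZONES = {"zen.spamhaus.org", "bl.spamcop.net"}
RHSBL_CHECKS = {"reject_rhsbl_client", "reject_rhsbl_sender",
                "reject_rhsbl_helo", "reject_rhsbl_recipient"}

def parse_main_cf(text):
    """Return {parameter: value}, joining continuation lines (leading whitespace)."""
    params, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # blank and comment lines are ignored, even mid-value
        if raw[0].isspace() and current:
            params[current] += " " + raw.strip()
        elif "=" in raw:
            current, value = (part.strip() for part in raw.split("=", 1))
            params[current] = value
    return params

def find_rhsbl_misuse(text):
    """List (parameter, check, zone) where a domain-based check queries an IP-based zone."""
    findings = []
    for name, value in parse_main_cf(text).items():
        if not re.fullmatch(r"smtpd_\w+_restrictions", name):
            continue
        tokens = re.split(r"[\s,]+", value.strip())
        for check, arg in zip(tokens, tokens[1:]):
            zone = arg.split("=", 1)[0].lower()  # drop "=d.d.d.d" reply filters
            if check in RHSBL_CHECKS and zone in IP_BASED_ZONES:
                findings.append((name, check, zone))
    return findings

# Constructed sample modelled on the restriction list quoted in the thread.
SAMPLE = """\
smtpd_helo_required = yes
smtpd_recipient_restrictions = permit_mynetworks
    reject_unauth_destination
    # domain-based list: correct use of reject_rhsbl_sender
    reject_rhsbl_sender dsn.rfc-ignorant.org
    reject_rhsbl_sender zen.spamhaus.org
    reject_rhsbl_sender bl.spamcop.net permit
"""

if __name__ == "__main__":
    for name, check, zone in find_rhsbl_misuse(SAMPLE):
        print(f"{name}: {check} {zone} never matches; use reject_rbl_client {zone}")
```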