Hi, >> I haven't been able to find much available on the proper use for >> smtpd_mumble_restrictions. It doesn't seem to be documented with >> postscreen or the postconf page or even my postconf output. > > smtpd_mumble_restrictions is shorthand for "use any of > smtpd_{client, helo, sender, recipient, data, > end_of_data}_restrictions."
Okay, duh. Maybe it never occurred to me because I thought postscreen was well before any of the smtpd restrictions. > I'm curious what postscreen rules you're using that are rejecting > mail from an ISP. (I'm not familiar with the two you mention, and > assume they aren't spammer-haven worthy of global blocking.) Perhaps many of the rejects from users at those domains are really just spoofed. Here's one reject actually from them, however: Dec 24 04:23:11 mail02 postfix/postscreen[1468]: NOQUEUE: reject: RCPT from [212.52.84.101]:54948: 550 5.7.1 Service unavailable; client [212.52.84.101] blocked using bl.spamcop.net; from=<rossopompei...@libero.it>, to=<mi...@example.com>, proto=ESMTP, helo=<outrelay01.libero.it> My postscreen config contains: postscreen_access_list = permit_mynetworks, cidr:/etc/postfix/postscreen_access.cidr postscreen_dnsbl_threshold = 1 postscreen_dnsbl_action = enforce postscreen_greet_action = enforce postscreen_blacklist_action = enforce postscreen_dnsbl_sites = mykey.zen.dq.spamhaus.net*2 bl.spamcop.net*1 b.barracudacentral.org*1 psbl.surriel.com*1 I have a series of IPs in the postscreen_access.cidr file that need to be permitted, and add to it after we learn mail is being rejected due to the IP being blacklisted by one of the RBLs. >> I also understand that organizations use separate IPs from those >> listed in their MX records -- that was my point. I have no way of >> knowing what those IPs are, except through trial and error, looking >> through logs and correlating them with addresses, etc. > > Perhaps they publish SPF records, which were invented for this purpose. > $ host -t txt libero.it > libero.it descriptive text "v=spf1 ip4:212.52.84.101/32 > ip4:212.52.84.102/31 ip4:212.52.84.104/29 ip4:212.52.84.112/29 > ip4:212.52.84.192/32 ip4:212.52.84.43/32 include:blackberry.com ?all" Ah, yes. That's still something like 20 IPs. I would assume none of the blackberry.com IPs would ever be rejected by postscreen, so they don't need to be added. I can then just add the single email address to the whitelist_from_spf in spamassassin. For alice.it, they don't appear to publish an SPF record, but instead some kind of google key? alice.it. 19028 IN TXT "google-site-verification=fmPX0ewWZ5WfhZ80tP8h-cQb2p0L_KCixRm_UHyK-bw" Dec 24 08:00:46 mail01 postfix/postscreen[24923]: NOQUEUE: reject: RCPT from [82.57.200.119]:48396: 550 5.7.1 Service unavailable; client [82.57.200.119] blocked using bl.spamcop.net; from=<u...@alice.it>, to=<massimo.ari...@example.com>, proto=ESMTP, helo=<smtp303.alice.it> We have several IPs from the alice.it domain that appear to be not blacklisted, including 82.57.200.104. Thanks, Alex