On Wed, Apr 24, 2013 at 3:15 PM, /dev/rob0 <r...@gmx.co.uk> wrote:

> True, but for all we know they could be preceded by a
> check_policy_service or permit_dnswl_client restriction.
>

Well, in this case they're not (yet?) preceded by any of those... but I'm
learning more and more with every piece of this discussion, and now want to
play around with putting
"permit_dnswl_client list.dnswl.org=127.0.[0..255].[1..3]"
somewhere in there.

> Again, can't say. I'd have the Zen higher, before most whitelisting,
> but yes, BRBL belongs down there at the end.
>

Assuming I do want to put them back in, and try out a permit_dnswl_client
entry (only for low, medium, and high), how high up my
smtpd_recipient_restrictions food chain should the Zen and
permit_dnswl_client entries be (realizing the Zen reject should be above
the dnswl permit)?

Here are my current entries:

smtpd_recipient_restrictions =
        permit_mynetworks,
        permit_sasl_authenticated,
        reject_invalid_hostname,
        reject_unauth_destination,
        warn_if_reject reject_non_fqdn_hostname,
        warn_if_reject reject_non_fqdn_sender,
        reject_non_fqdn_recipient,
        reject_unknown_sender_domain,
        warn_if_reject reject_unknown_reverse_client_hostname,
        warn_if_reject reject_non_fqdn_helo_hostname,
        warn_if_reject reject_invalid_helo_hostname,
        warn_if_reject reject_unknown_helo_hostname,
        reject_unauth_pipelining,
        check_reverse_client_hostname_access pcre:/etc/postfix/fqrdns.pcre,
        check_helo_access hash:/etc/postfix/helo_access,
        check_sender_access hash:/etc/postfix/check_backscatterer,
        check_sender_access hash:/etc/postfix/access,
        reject_rhsbl_client dbl.spamhaus.org,
        reject_rhsbl_sender dbl.spamhaus.org,
        reject_rhsbl_helo dbl.spamhaus.org,
        permit

My guess would be to either put them just after the
reject_unknown_sender_domain or just before the
check_reverse_client_hostname... but that's a total guess. The BRBL entry
I'd stick back just in front of the reject_rhsbl_client entry.

SteveJ
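
Added example, not part of the original message: a small Python matcher for the reply-filter syntax in the permit_dnswl_client setting quoted above, showing which DNSWL A-record replies the pattern 127.0.[0..255].[1..3] accepts. The function names and sample replies are constructed for illustration; reading the last octet as the trust level follows the message's "low, medium, and high".

```python
import ipaddress
import re

# Filter taken from the message; everything else here is illustrative.
PATTERN = "127.0.[0..255].[1..3]"

def parse_octet(spec):
    """Expand one octet spec ('127', '[1..3]', '[2;5..7]') to a set of ints."""
    if spec.startswith("[") and spec.endswith("]"):
        spec = spec[1:-1]
    elif not spec.isdigit():
        raise ValueError(f"bad octet spec: {spec!r}")
    allowed = set()
    for part in spec.split(";"):          # ';' separates alternatives
        lo, sep, hi = part.partition("..")  # 'a..b' is an inclusive range
        lo = int(lo)
        hi = int(hi) if sep else lo
        if not 0 <= lo <= hi <= 255:
            raise ValueError(f"octet out of range: {part!r}")
        allowed.update(range(lo, hi + 1))
    return allowed

def compile_filter(pattern):
    """Split on single dots only, so the '..' inside a range stays intact."""
    octets = re.split(r"(?<!\.)\.(?!\.)", pattern)
    if len(octets) != 4:
        raise ValueError(f"expected 4 octets in {pattern!r}")
    return [parse_octet(o) for o in octets]

def matches(pattern, reply):
    """True if a DNS A-record reply (dotted quad) satisfies the filter."""
    packed = ipaddress.IPv4Address(reply).packed
    return all(b in ok for b, ok in zip(packed, compile_filter(pattern)))

def whitelisted(replies, pattern=PATTERN):
    """A client counts as whitelisted if any returned A record matches."""
    return any(matches(pattern, r) for r in replies)

if __name__ == "__main__":
    # Constructed sample replies, not real lookups.
    for reply in ["127.0.5.0", "127.0.5.1", "127.0.10.3", "127.0.0.255"]:
        print(f"{reply:<12} -> {'permit' if matches(PATTERN, reply) else 'no match'}")
```

A reply whose last octet is 0 or anything above 3 does not match, so the permit does not fire for it and evaluation continues with the restrictions that follow.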
