Here's a related recent thread http://postfix.1071664.n5.nabble.com/postscreen-dnsbl-AND-smtpd-recipient-restrictions-rbl-tt91307.html#none
>-----Original Message-----
>From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] On Behalf Of Alex
>Sent: Tuesday, August 01, 2017 3:58 PM
>To: postfix users list
>Subject: Postscreen and reject_rhsbl
>
>Hi,
>I'm using postfix-3.1.4 on fedora. I've just noticed I've configured
>both postscreen to use spamhaus and other RBLs as well as have
>configured the reject_rhsbl_* options. Is this duplicative and
>unnecessary?
>
>I've posted what I think are the relevant pieces in hopes someone
>could review and clarify.
>
>smtpd_recipient_restrictions =
>    reject_non_fqdn_recipient,
>    reject_non_fqdn_sender,
>    reject_unlisted_recipient,
>    reject_unknown_recipient_domain,
>    permit_mynetworks,
>    reject_unauth_destination,
>    reject_rhsbl_reverse_client mykey.dbl.dq.spamhaus.net,
>    reject_rhsbl_sender mykey.dbl.dq.spamhaus.net,
>    reject_rhsbl_helo mykey.dbl.dq.spamhaus.net,
>    check_sender_access hash:/etc/postfix/check_backscatterer,
>    check_helo_access pcre:/etc/postfix/helo_checks.pcre,
>    check_helo_access hash:/etc/postfix/helo_checks,
>    reject_non_fqdn_helo_hostname,
>    reject_invalid_helo_hostname,
>    check_policy_service unix:private/policy-spf,
>    check_policy_service inet:127.0.0.1:2501,
>    check_recipient_access pcre:/etc/postfix/relay_recips_access,
>    permit
>
>smtpd_client_restrictions =
>    permit_mynetworks,
>    check_client_access hash:/etc/postfix/client_checks,
>    check_reverse_client_hostname_access pcre:/etc/postfix/fqrdns-042715a.pcre,
>    check_reverse_client_hostname_access pcre:/etc/postfix/reverse_client_hostname_access.pcre,
>    check_client_access cidr:/etc/postfix/client_access_blocklist
>    check_client_access cidr:/etc/postfix/ransomware-ipbl
>
>
>postscreen_dnsbl_ttl = 10m
>postscreen_access_list =
>    permit_mynetworks,
>    cidr:/etc/postfix/postscreen_access.cidr,
>    cidr:/etc/postfix/gmail_whitelist.cidr,
>    cidr:/etc/postfix/postscreen_spf_whitelist.cidr
>postscreen_blacklist_action = drop
>postscreen_dnsbl_action = enforce
>postscreen_greet_action = enforce
>postscreen_greet_wait = ${stress?2}${stress:11}s
>postscreen_dnsbl_threshold = 8
>postscreen_dnsbl_reply_map =
>    texthash:$config_directory/postscreen_dnsbl_reply_map.pcre
>postscreen_dnsbl_sites =
>    mykey.zen.dq.spamhaus.net=127.0.0.[10;11]*8
>    score.senderscore.com=127.0.4.[0..19]*3
>    score.senderscore.com=127.0.4.[20..29]*3
>    score.senderscore.com=127.0.4.[30..49]*2
>    score.senderscore.com=127.0.4.[50..59]*1
>    score.senderscore.com=127.0.4.[60..69]*1
>    score.senderscore.com=127.0.4.[70..79]*-1
>    score.senderscore.com=127.0.4.[80..89]*-2
>    score.senderscore.com=127.0.4.[90..100]*-4
>    b.barracudacentral.org*7
>    mykey.zen.dq.spamhaus.net=127.0.0.[4..7]*6
>    bl.mailspike.net*4
>    bl.spamcop.net*4
>    bl.spameatingmonkey.net*4
>    mykey.zen.dq.spamhaus.net=127.0.0.3*4
>    ubl.unsubscore.com=127.0.0.2*1
>    list.dnswl.org=127.[0..255].[0..255].0*-2
>    list.dnswl.org=127.[0..255].[0..255].1*-3
>    list.dnswl.org=127.[0..255].[0..255].[2..255]*-4
>    dnsbl.sorbs.net=127.0.0.[10;14]*8
>    dnsbl.sorbs.net=127.0.0.5*7
>    dnsbl.sorbs.net=127.0.0.7*4
>    dnsbl.sorbs.net=127.0.0.6*3
>    dnsbl.sorbs.net=127.0.0.[8;9]*2
>    dnsbl.sorbs.net=127.0.0.4*1
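
Added example, not part of the original messages: how the weights in the quoted postscreen_dnsbl_sites list combine against postscreen_dnsbl_threshold = 8, following postscreen's documented rule that each entry's weight is applied at most once. The DNS answers and client names are constructed, and only a subset of the posted entries is used.

```python
import re

# Subset of the postscreen_dnsbl_sites entries quoted above (copied from the post).
SITES = """
mykey.zen.dq.spamhaus.net=127.0.0.[10;11]*8
mykey.zen.dq.spamhaus.net=127.0.0.[4..7]*6
mykey.zen.dq.spamhaus.net=127.0.0.3*4
b.barracudacentral.org*7
bl.spamcop.net*4
score.senderscore.com=127.0.4.[90..100]*-4
list.dnswl.org=127.[0..255].[0..255].[2..255]*-4
""".split()
THRESHOLD = 8  # postscreen_dnsbl_threshold from the post

ENTRY = re.compile(r"([^=*]+)(?:=([^*]+))?(?:\*(-?\d+))?")  # domain[=filter][*weight]
OCTET = re.compile(r"\[[^\]]*\]|\d+")                       # one octet of a filter

def octet_matches(token, value):
    """Match one octet against N, [a..b], [a;b] or a mix such as [1;3..5]."""
    for part in token.strip("[]").split(";"):
        lo, _, hi = part.partition("..")
        if int(lo) <= value <= int(hi or lo):
            return True
    return False

def reply_matches(pattern, address):
    """True if an A record matches the filter; an entry without a filter accepts any reply."""
    if pattern is None:
        return True
    octets = [int(o) for o in address.split(".")]
    return all(octet_matches(t, v) for t, v in zip(OCTET.findall(pattern), octets))

def dnsbl_score(sites, replies):
    """Sum the weight of every entry that has a matching reply, once per entry."""
    total = 0
    for entry in sites:
        domain, pattern, weight = ENTRY.fullmatch(entry).groups()
        if any(reply_matches(pattern, a) for a in replies.get(domain, [])):
            total += int(weight or 1)  # weight defaults to 1 when omitted
    return total

# Constructed DNS answers (domain -> A records) for three hypothetical clients.
client_a = {"mykey.zen.dq.spamhaus.net": ["127.0.0.11"]}
client_b = {"mykey.zen.dq.spamhaus.net": ["127.0.0.4"], "bl.spamcop.net": ["127.0.0.2"]}
client_c = {"b.barracudacentral.org": ["127.0.0.2"], "bl.spamcop.net": ["127.0.0.2"],
            "list.dnswl.org": ["127.0.5.3"]}

for name, replies in [("client_a", client_a), ("client_b", client_b), ("client_c", client_c)]:
    score = dnsbl_score(SITES, replies)
    print(name, score, "enforce" if score >= THRESHOLD else "pass")
```

A single zen reply of 127.0.0.11 reaches the threshold on its own, while two blocklist hits offset by a list.dnswl.org entry stay below it.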