On Sat, May 07, 2022 at 02:55:36PM -0400, Alex wrote:
> It appears that entries included in my postscreen_access_list are
> being used to also bypass SPF checks by policyd-spf. Is this
> intentional? Would someone explain to me how this works?
This is not possible. Postscreen(8) jus
Hi,
It appears that entries included in my postscreen_access_list are
being used to also bypass SPF checks by policyd-spf. Is this
intentional? Would someone explain to me how this works?
smtpd_recipient_restrictions =
...
check_policy_service unix:private/policy-spf
On 27.11.18 21:48, John Fawcett wrote:
The reason the ip changes frequently is because it's an xDSL line with a
dynamic ip. Some devices on the network need to send emails to my mail
server which can go out over this connection. My ISP correctly lists the
dynamic ips in PBL. I use
s to specify access table lookups which contains hostnames.
>>
>> postscreen_access_list does not seem to allow hostnames in lookup tables.
>>
>> Is my understanding correct? Is there a reason why hostnames should not
>> be supported in postscreen_access_list lookup tables
>> smtpd allows to specify access table lookups which contains hostnames.
>>
>> postscreen_access_list does not seem to allow hostnames in lookup tables.
>>
>> Is my understanding correct? Is there a reason why hostnames should not
>> be supported in postscree
John Fawcett:
> Hi
>
> I was recently trying to whitelist a client hostname that frequently
> changes ip.
>
> >From the documentation check_client_access restriction for use with
> smtpd allows to specify access table lookups which contains hostnames.
>
> postsc
ch contains hostnames.
>
> postscreen_access_list does not seem to allow hostnames in lookup tables.
>
> Is my understanding correct? Is there a reason why hostnames should not
> be supported in postscreen_access_list lookup tables?
>
> thanks
>
> John
>
Yes, postscreen by de
Hi
I was recently trying to whitelist a client hostname that frequently
changes ip.
>From the documentation check_client_access restriction for use with
smtpd allows to specify access table lookups which contains hostnames.
postscreen_access_list does not seem to allow hostnames in loo
On 8/4/2016 4:08 PM, Dave Jones wrote:
> Thank you for the response.
>
> I do have a submission setup but you reminded me to
> look in he master.conf and disable rate limiting:
>
> submission inet n - n - - smtpd
> -o syslog_name=postfix/submission
> -o
something like permit_sasl_authenticated that
>> could be put in the postscreen_access_list and the
>> smtpd_client_event_limit_exceptions that could bypass
>> dnsbl and rate limiting for SASL authenticated senders?
>
> No, since the SASL AUTH won't happen until the client i
On Thu, Aug 04, 2016 at 02:25:19PM -0500, Dave Jones wrote:
> Is there something like permit_sasl_authenticated that
> could be put in the postscreen_access_list and the
> smtpd_client_event_limit_exceptions that could bypass
> dnsbl and rate limiting for SASL authenticated senders
limiting
for SASL authenticated senders and I may have put
an invalid option in the postscreen_access_list. I get
so much mail that I didn't see the warning: in the logs
until now.
Is there something like permit_sasl_authenticated that
could be put in the postscreen_access_list
pears that postscreen is not bypassing dnsbl checks:
>
> main.cf
> ===
> postscreen_access_list =
> permit_mynetworks,
> cidr:/etc/postfix/postscreen_spf_whitelist.cidr
>
> /etc/postfix/postscreen_spf_whitelist.cidr
> ===
> ...
> 69.252.
:
main.cf
===
postscreen_access_list =
permit_mynetworks,
cidr:/etc/postfix/postscreen_spf_whitelist.cidr
/etc/postfix/postscreen_spf_whitelist.cidr
===
...
69.252.207.0/25 permit
...
Jul 28 07:41:30 mail3 postfix/postscreen[9105]: NOQUEUE: reject
RCPT from
On 2015.01.22 10.35, wie...@porcupine.org (Wietse Venema) wrote:
btb:
we have a small local blacklist, mostly used for clients which
aren't listed in dnsbls.
postscreen_access_list =
cidr:$table_directory/postscreen_access_list-rejects.cidr
sometimes when a larger netblock gets listed
we have a small local blacklist, mostly used for clients which aren't listed in
dnsbls.
postscreen_access_list =
cidr:$table_directory/postscreen_access_list-rejects.cidr
sometimes when a larger netblock gets listed, it can have the unintended
consequences of blocking well behaved clients
btb:
we have a small local blacklist, mostly used for clients which
aren't listed in dnsbls.
postscreen_access_list =
cidr:$table_directory/postscreen_access_list-rejects.cidr
sometimes when a larger netblock gets listed, it can have the
unintended consequences of blocking well behaved
of whitelist negative
scoring to reduce some of the administrative burden would be nice
though, and also avoid the fix it after finding out it's broken
scenario.
Instead of postscreen_access_list, you could use rbldnsd (or
equivalent) to mix local blacklists with remote whitelists.
I am not ready
is not
a bot.
btb:
right. we do that now. taking advantage of whitelist negative
scoring to reduce some of the administrative burden would be nice
though, and also avoid the fix it after finding out it's broken
scenario.
Instead of postscreen_access_list, you could use rbldnsd (or
equivalent) to mix
On Tue, Oct 2, 2012 at 9:20 PM, Wietse Venema wie...@porcupine.org wrote:
Nope. If you were testing this more carefully then you would have
found that upper or lower case does not matter in this context.
I tested the exact same line with PERMIT and permit.
permit allowed the whitelist entry
francis picabia:
[ Charset ISO-8859-1 unsupported, converting... ]
On Tue, Oct 2, 2012 at 9:20 PM, Wietse Venema wie...@porcupine.org wrote:
Nope. If you were testing this more carefully then you would have
found that upper or lower case does not matter in this context.
I tested the
I now notice there is a warning in the log file only when the postscreen_access
file is read (and should have matched):
Oct 2 15:41:05 mx10 postfix/postscreen[11731]: warning:
cidr:/etc/postfix/postscreen_access: unknown command: OK -- ignoring
the remainder of this access list
Also same
command: OK -- ignoring
the remainder of this access list
Also same warning with PERMIT
I'm simply listing an IP, some tabs, and PERMIT or OK
in attempt to whitelist dnsbl false positives.
Where does the postscreen_access_list documentation say that OK is
valid input?
Wietse
the postscreen_access_list documentation say that OK is
valid input?
OK was just an attempt when noticing another CIDR format file
using OK in the right column. I tried reversing the IP octets too.
Anything to find the success case.
Anyway the important news to share is: it's gotta be permit
in lower case.
.
Where does the postscreen_access_list documentation say that OK is
valid input?
OK was just an attempt when noticing another CIDR format file
using OK in the right column. I tried reversing the IP octets too.
Anything to find the success case.
When desperate READ THE DOCUMENTATION
On Mon, 30 Jan 2012 19:17:17 -0500 (EST), Wietse Venema
wie...@porcupine.org wrote:
Mark Alan:
Would the following be an acceptable way to do it?
postconf -e 'postscreen_access_list = reject'
postconf -e 'soft_bounce = yes'
Only if this is documented. The soft_bounce
On 1/31/2012 4:36 AM, Mark Alan wrote:
On Mon, 30 Jan 2012 19:17:17 -0500 (EST), Wietse Venema
wie...@porcupine.org wrote:
Mark Alan:
Would the following be an acceptable way to do it?
postconf -e 'postscreen_access_list = reject'
postconf -e 'soft_bounce = yes'
Only
Mark Alan:
On Mon, 30 Jan 2012 19:17:17 -0500 (EST), Wietse Venema
wie...@porcupine.org wrote:
Mark Alan:
Would the following be an acceptable way to do it?
postconf -e 'postscreen_access_list = reject'
postconf -e 'soft_bounce = yes'
Only if this is documented
On Tue, 31 Jan 2012 06:17:39 -0600, Noel Jones njo...@megan.vbhcs.org
wrote:
You need to set both postscreen_blacklist_action = drop and
soft_bounce = yes. The soft_bounce changes the 521 hangup into a
421 hangup.
Thank you Noel,
If we wanted a mere 4.x.x hangup, it would be more elegant to
.
# postconf -n|grep postscreen
postscreen_access_list = static:reject
postscreen_blacklist_action = enforce
postscreen_greet_banner =
# telnet 127.0.0.1 smtp
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 foo.example.com ESMTP Postfix
ehlo foo
250-foo.example.com
250
On Mon, Jan 30, 2012 at 09:03:39PM +, Mark Alan wrote:
Regarding the config option:
postscreen_access_list = static:retry
Where is retry documented as a valid access list keyword?
3) the similar syntax of 'transport_maps = static:retry'
The transport table is not access(5) table
the server
answering:
Don't worry, I am alive but right now I am not able to accept your
email, i.e., 450 Service currently unavailable
The documentation for the postscreen_access_list parameter.
Would the following be an acceptable way to do it?
postconf -e 'postscreen_access_list = reject
Mark Alan:
Would the following be an acceptable way to do it?
postconf -e 'postscreen_access_list = reject'
postconf -e 'soft_bounce = yes'
Only if this is documented. The soft_bounce parameter is listed on
the postscreen(8) manpage, this is perhaps a sufficient promise
Hi,
I would like to use dnswl.org as an access list for
postscreen_access_list. Unfortunately, permit_dnswl_client can be only
used for the smtpd_client_restrictions.
Is there any other way to use dns based whitelist for
postscreen_access_list?
Ihsan
--
ih...@dogan.chhttp
??hsan??Do??an:
Hi,
I would like to use dnswl.org as an access list for
postscreen_access_list. Unfortunately, permit_dnswl_client can be only
used for the smtpd_client_restrictions.
Is there any other way to use dns based whitelist for
postscreen_access_list?
Use postscreen_access_list
Hi,
Am 10.07.2011 20:31, schrieb Wietse Venema:
I would like to use dnswl.org as an access list for
postscreen_access_list. Unfortunately, permit_dnswl_client can be only
used for the smtpd_client_restrictions.
Is there any other way to use dns based whitelist for
postscreen_access_list
On 2011-07-10 21:47, İhsan Doğan wrote:
Hi,
Am 10.07.2011 20:31, schrieb Wietse Venema:
I would like to use dnswl.org as an access list for
postscreen_access_list. Unfortunately, permit_dnswl_client can be only
used for the smtpd_client_restrictions.
Is there any other way to use dns based
??hsan??Do??an:
[ Charset UTF-8 unsupported, converting... ]
Hi,
Am 10.07.2011 20:31, schrieb Wietse Venema:
I would like to use dnswl.org as an access list for
postscreen_access_list. Unfortunately, permit_dnswl_client can be only
used for the smtpd_client_restrictions
on specific IPs).
I noticed that postscreen_access_list requires a permit action rather
than an OK action in order to whitelist, so I will now need to duplicate
the access file and change the action (that can be automated). Is there
an advantage in having postscreen_whitelist_networks use permit action
to
avoid DNSBL checks on specific IPs).
I noticed that postscreen_access_list requires a permit action rather
than an OK action in order to whitelist, so I will now need to duplicate
the access file and change the action (that can be automated). Is there
an advantage in having
(in particular this whitelisting is used to
avoid DNSBL checks on specific IPs).
I noticed that postscreen_access_list requires a permit action rather
than an OK action in order to whitelist, so I will now need to duplicate
the access file and change the action (that can be automated
From my log:
Jan 13 22:37:21 mail postfix/postscreen[17587]: warning:
postscreen_access_list: unknown command: permit_mynetworks, -- ignoring the
remainder of this access list
The README says:
postscreen_access_list = permit_mynetworks,
/etc/postfix/postscreen_access.cidr
Ralf Hildebrandt:
From my log:
Jan 13 22:37:21 mail postfix/postscreen[17587]: warning:
postscreen_access_list: unknown command: permit_mynetworks, -- ignoring the
remainder of this access list
The README says:
postscreen_access_list = permit_mynetworks,
/etc/postfix
The POSTSCREEN_README mentions:
See the postscreen_access_list manpage documentation for more details.
./man/man8/postscreen.8 is the only man page with postscreen as part
of the name - it does mention postscreen_access_list.
man 5 postconf is also not listing postscreen_access_list
--
Ralf
On Thu, Jan 13, 2011 at 10:41:53PM +0100, Ralf Hildebrandt wrote:
From my log:
Jan 13 22:37:21 mail postfix/postscreen[17587]: warning:
postscreen_access_list: unknown command: permit_mynetworks, -- ignoring the
remainder of this access list
The README says:
postscreen_access_list
Ralf Hildebrandt:
The POSTSCREEN_README mentions:
See the postscreen_access_list manpage documentation for more details.
./man/man8/postscreen.8 is the only man page with postscreen as part
of the name - it does mention postscreen_access_list.
man 5 postconf is also not listing
* Wietse Venema wie...@porcupine.org:
Yes it does. You are looking at the old postconf manpage.
Damn. Gotta fix this mess:
# locate postconf.5 | xargs ls -l
-rw-r--r-- 1 root root 432025 13. Jan 16:00 /usr/share/man/man5/postconf.5
-rw-r--r-- 1 root root 85140 18. Sep 2009
47 matches
Mail list logo