[Postfixbuch-users] Postfix relay with whitelist and blacklist combination
Uwe Driessen
driessen at fblan.de
Fri Feb 29 07:52:47 CET 2008
Ralf Hildebrandt wrote:
> * "Andrea Spörl" <TN96web at gmx.de>:
> > Hi Ralf,
> >
> > that is the whitelist; it is the dnswl.org one, which I fetch via rsync, since I have
> > not figured out how that works via DNS.
>
> Hey, good workaround!
> Respect.
>
> The solution is to build that with restriction_classes
Using selective greylisting as an example:
main.cf:
------------
smtpd_restriction_classes =
    greylisting
greylisting = check_policy_service inet:127.0.0.1:60000
smtpd_recipient_restrictions = ............
    .............
    permit_sasl_authenticated,
    ......
    check_client_access pcre:/etc/postfix/maps/dialups.grey,
dialups.grey:
------------
/(\-.+){4}$/ greylisting
/(\..+){4}$/ greylisting
# everything with 3 or more dots/hyphens in the hostname
/(^|[0-9.x_-])(abo|br(e|oa)dband|cabel|(hk)?cablep?|catv|cbl|cidr|d?client2?|cust(omer)?s?|dhcp|dial?(in|up)?|d[iu]p|[asx]?dsld?|dyn(a(dsl|mic)?)?|home|in-addr|modem(cable)?|(di)?pool|ppp|ptr|rev|static|user|YahooBB[0-9]{12}|c[[:alnum:]]{6,}(\.[a-z]{3})?\.virtua|[1-9]Cust[0-9]+|AC[A-Z][0-9A-F]{5}\.ipt|pcp[0-9]{6,}pcs|S0106[[:alnum:]]{12,}\.[a-z]{2})[0-9.x_-]/ greylisting
According to your config, the rejection should already happen before the whitelisting
reject_unverified_recipient
Reject the request when mail to the RCPT TO address is known to bounce, or when the
recipient address destination is not reachable. Address verification information is
managed by the verify(8) server; see the ADDRESS_VERIFICATION_README file for details.
The unverified_recipient_reject_code parameter specifies the response when an address is
known to bounce (default: 450, change into 550 when you are confident that it is safe to
do so). Postfix replies with 450 when an address probe failed due to a temporary problem.
This feature is available in Postfix 2.1 and later.
unverified_recipient_reject_code = 550 set??
Any wildcards/catch-alls in the address lists?
Instead of recipient verification, keep the address lists local where possible and
synchronize them against the system behind it.
reject_unlisted_recipient,
reject_non_fqdn_sender,
reject_non_fqdn_recipient,
reject_unknown_sender_domain,
reject_unknown_recipient_domain,
reject_unlisted_sender,
reject_unauth_destination,
reject_unauth_destination
Reject the request unless one of the following is true:
Postfix is mail forwarder: the resolved RCPT TO address matches $relay_domains or a
subdomain thereof, and contains no sender-specified routing (user@elsewhere@domain),
Postfix is the final destination: the resolved RCPT TO address matches $mydestination,
$inet_interfaces, $proxy_interfaces, $virtual_alias_domains, or $virtual_mailbox_domains,
and contains no sender-specified routing (user@elsewhere@domain).
The relay_domains_reject_code parameter specifies the response code for rejected requests
(default: 554).
(http://www.postfix.org/postconf.5.html has everything clearly laid out and well explained)
check_client_access cidr:/etc/postfix/wl/postfix-dnswl-header,
check_client_access cidr:/etc/postfix/wl/postfix-dnswl-permit,
instead of OK, the restriction class to branch into must then be given there
Show the output of postconf -n
Kind regards
Drießen
--
Software & Computer
Uwe Drießen
Lembergstraße 33
67824 Feilbingert
Tel.: 06708 / 660045 Fax: 06708 / 661397
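
The step described in the message above (a restriction class name in the cidr table where it has OK), as an added example that is not part of the original post: because rsync overwrites the table on every fetch, the rewrite has to run after each sync. The class name "dnswl_listed", the function name and the sample table are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed sample of an rsynced whitelist table in cidr(5) format
# (documentation address ranges, not real dnswl.org data).
SAMPLE_TABLE = """\
# constructed sample
192.0.2.0/24 OK
198.51.100.16/28 OK
2001:db8:1::/48 OK
203.0.113.7 REJECT
"""


def rewrite_actions(text, restriction_class, old_action="OK"):
    """Replace old_action with restriction_class in a cidr(5) table.

    Comments and blank lines are kept; entries with another action are
    left alone; a malformed network or class name raises ValueError.
    """
    # The class name ends up inside a Postfix table, so refuse anything
    # that could add a second action or a new line.
    if not re.fullmatch(r"[A-Za-z0-9_]+", restriction_class):
        raise ValueError(f"bad restriction class name: {restriction_class!r}")
    out = []
    for number, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            out.append(line)
            continue
        fields = stripped.split(None, 1)
        if len(fields) != 2:
            raise ValueError(f"line {number}: expected 'network action'")
        network, action = fields
        try:
            # strict=True rejects host bits set below the mask (192.0.2.1/24).
            ipaddress.ip_network(network, strict=True)
        except ValueError as exc:
            raise ValueError(f"line {number}: {exc}") from None
        if action.upper() == old_action.upper():
            action = restriction_class
        out.append(f"{network} {action}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # "dnswl_listed" is a hypothetical class name; it must also be listed
    # in smtpd_restriction_classes and defined in main.cf.
    print(rewrite_actions(SAMPLE_TABLE, "dnswl_listed"), end="")
```

Failing on the first malformed line, rather than skipping it, keeps a damaged or truncated sync from silently replacing the table that check_client_access reads.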