[Postfixbuch-users] Postfix relay with whitelist and blacklist combination

TN96web at gmx.de TN96web at gmx.de
Tue Mar 4 23:23:49 CET 2008


Hi,

here's postconf...
I'd just like to have the recipient check after the black and the white list....

Regards
andy

alias_maps = hash:/etc/aliases
bounce_size_limit = 1000
canonical_maps = hash:/etc/postfix/canonical
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/lib/postfix
debug_peer_level = 2
default_destination_concurrency_limit = 2
defer_transports =
disable_dns_lookups = no
disable_vrfy_command = yes
html_directory = /usr/share/doc/packages/postfix/html
in_flow_delay = 10s
inet_interfaces = 127.0.0.1,192.168.1.10
local_transport = smtp:[192.168.1.11]
mailbox_size_limit = 512000000
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
masquerade_classes = envelope_sender, header_sender, header_recipient
masquerade_exceptions = root
message_size_limit = 102400000
mydomain = xxxx.de
myhostname = mail.xxxx.de
mynetworks = $internal_mail,127.0.0.0/8,192.168.1.10-250,192.168.1.10
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases
readme_directory = /usr/share/doc/packages/postfix/README_FILES
relay_domains = xxxx.de
relayhost = esmtp.artfiles.de
relocated_maps = hash:/etc/postfix/relocated
sample_directory = /usr/share/doc/packages/postfix/samples
sender_canonical_maps = hash:/etc/postfix/sender_canonical
sendmail_path = /usr/sbin/sendmail
setgid_group = maildrop
smtp_always_send_ehlo = yes
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtpd_banner = $myhostname ESMTP
smtpd_data_restrictions = permit_mynetworks,                    reject_unauth_pipelining
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks,            reject_invalid_hostname,                reject_unauth_pipelining,               permit
smtpd_recipient_restrictions = permit_mynetworks,                reject_unauth_destination,             reject_non_fqdn_sender,         reject_non_fqdn_recipient,              reject_unknown_sender_domain,           reject_unknown_recipient_domain,                reject_unverified_recipient,            check_client_access cidr:/etc/postfix/wl/postfix-dnswl-header,          check_client_access cidr:/etc/postfix/wl/postfix-dnswl-permit,          check_sender_access hash:/etc/postfix/sender_white,             check_client_access hash:/etc/postfix/client_white,             check_recipient_access hash:/etc/postfix/recipient,             reject_invalid_hostname,                reject_non_fqdn_hostname,              reject_rbl_client bl.spamcop.net,                reject_rbl_client cbl.abuseat.org,              reject_rbl_client zen.spamhaus.org,             reject_rbl_client list.dsbl.org,                reject_rbl_client spam.dnsbl.sorbs.net,        reject_rbl_client ix.dnsbl.manitu.net,           reject_rbl_client bl.csma.biz,          reject_rbl_client bl.spamcannibal.org,          reject_rbl_client db.wpbl.info,         reject_rbl_client dnsbl.njabl.org
smtpd_sender_restrictions = permit_mynetworks,          reject_non_fqdn_sender,                 check_sender_access hash:/etc/postfix/sender_access,            check_sender_access hash:/etc/postfix/access            permit
strict_rfc821_envelopes = yes
transport_maps = hash:/etc/postfix/transport
unknown_local_recipient_reject_code = 450
unverified_recipient_reject_code = 550

-------- Original Message --------
> Date: Fri, 29 Feb 2008 07:52:47 +0100
> From: "Uwe Driessen" <driessen at fblan.de>
> To: "\'Eine Diskussionsliste rund um das Postfix-Buch von Peer Heinlein.\'" <postfixbuch-users at listi.jpberlin.de>
> Subject: Re: [Postfixbuch-users] Postfix relay with whitelist and blacklist combination

> Ralf Hildebrandt wrote:
> > * "Andrea Spörl" <TN96web at gmx.de>:
> > > Hi Ralf,
> > >
> > > that is the whitelist, it's dnswl.org; I fetch it via rsync, since I haven't figured out how to do that via DNS.
> > 
> > Hey, good workaround!
> > Respect.
> > 
> > The solution is to build this with restriction_classes
> 
> 
> Using selective greylisting as an example
> 
> Main.cf :
> ------------
> smtpd_restriction_classes =
>    greylisting
> 
> greylisting = check_policy_service inet:127.0.0.1:60000
> 
> 
> smtpd_recipient_restrictions = ............
> 		.............
> 		permit_sasl_authenticated,
> 		......
> 		check_client_access pcre:/etc/postfix/maps/dialups.grey,
> 
> 
> dialups.grey:
> ------------
> /(\-.+){4}$/ greylisting
> /(\..+){4}$/ greylisting
> # everything with 3 or more dots/hyphens in the hostname
> 
> /(^|[0-9.x_-])(abo|br(e|oa)dband|cabel|(hk)?cablep?|catv|cbl|cidr|d?client2?|cust(omer)?s?|dhcp|dial?(in|up)?|d[iu]p|[asx]?dsld?|dyn(a(dsl|mic)?)?|home|in-addr|modem(cable)?|(di)?pool|ppp|ptr|rev|static|user|YahooBB[0-9]{12}|c[[:alnum:]]{6,}(\.[a-z]{3})?\.virtua|[1-9]Cust[0-9]+|AC[A-Z][0-9A-F]{5}\.ipt|pcp[0-9]{6,}pcs|S0106[[:alnum:]]{12,}\.[a-z]{2})[0-9.x_-]/         greylisting
> 
> 
> According to your config, the rejection should already happen before the whitelisting
> 
> reject_unverified_recipient
> Reject the request when mail to the RCPT TO address is known to bounce, or when the recipient address destination is not reachable. Address verification information is managed by the verify(8) server; see the ADDRESS_VERIFICATION_README file for details.
> 
> The unverified_recipient_reject_code parameter specifies the response when an address is known to bounce (default: 450, change into 550 when you are confident that it is safe to do so). Postfix replies with 450 when an address probe failed due to a temporary problem. This feature is available in Postfix 2.1 and later.
> 
> unverified_recipient_reject_code = 550 set??
> Any wildcards/catch-alls in the address lists?
> 
> Instead of recipient verification, keep the address lists local where possible and synchronize them against the system behind it.
> 
>    reject_unlisted_recipient,
>    reject_non_fqdn_sender,
>    reject_non_fqdn_recipient,
>    reject_unknown_sender_domain,
>    reject_unknown_recipient_domain,
>    reject_unlisted_sender,
>    reject_unauth_destination,	
> 
> reject_unauth_destination
> Reject the request unless one of the following is true:
> Postfix is mail forwarder: the resolved RCPT TO address matches $relay_domains or a subdomain thereof, and contains no sender-specified routing (user@elsewhere@domain),
> Postfix is the final destination: the resolved RCPT TO address matches $mydestination, $inet_interfaces, $proxy_interfaces, $virtual_alias_domains, or $virtual_mailbox_domains, and contains no sender-specified routing (user@elsewhere@domain).
> The relay_domains_reject_code parameter specifies the response code for rejected requests (default: 554).
> 
> (http://www.postfix.org/postconf.5.html everything is laid out clearly and well explained there)
> 
> 
> check_client_access cidr:/etc/postfix/wl/postfix-dnswl-header,
> check_client_access cidr:/etc/postfix/wl/postfix-dnswl-permit,
> 
> instead of OK, the restriction class to branch into must then be there
> 
> 
> Show the output of postconf -n
> 
> 
> Kind regards
> 
> Drießen
> 
> -- 
> Software & Computer
> Uwe Drießen
> Lembergstraße 33
> 67824 Feilbingert
> Tel.: 06708 / 660045   Fax: 06708 / 661397
> 
> -- 
> _______________________________________________
> Postfixbuch-users -- http://www.postfixbuch.de
> Heinlein Professional Linux Support GmbH
> 
> Postfixbuch-users at listi.jpberlin.de
> https://listi.jpberlin.de/mailman/listinfo/postfixbuch-users
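
The layout discussed in this thread, as an added example that is not part of the original messages: the whitelist tables return a restriction class instead of OK, so whitelisted clients skip the DNSBLs but still pass the recipient check. The class name wl_verified and the sample table entries are assumptions made for illustration, and the restriction list is abbreviated from the postconf output above.

```ini
# --- /etc/postfix/main.cf ---------------------------------------------
# wl_verified is a hypothetical class name chosen for this example.
smtpd_restriction_classes = wl_verified

# Applied to whitelisted clients and senders: the recipient is still
# verified, then the mail is accepted, which skips the DNSBL lookups
# that follow the whitelist tables in smtpd_recipient_restrictions.
wl_verified = reject_unverified_recipient, permit

# Order: relay protection first, then whitelists (branching into
# wl_verified), then blacklists, and the recipient check last for
# every client that was neither whitelisted nor blacklisted.
# reject_unauth_destination stays ahead of the whitelists so that a
# "permit" reached through a whitelist can never relay to foreign domains.
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination,
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    reject_unknown_sender_domain,
    reject_unknown_recipient_domain,
    check_client_access cidr:/etc/postfix/wl/postfix-dnswl-permit,
    check_sender_access hash:/etc/postfix/sender_white,
    check_client_access hash:/etc/postfix/client_white,
    reject_rbl_client zen.spamhaus.org,
    reject_rbl_client bl.spamcop.net,
    reject_unverified_recipient

# --- /etc/postfix/wl/postfix-dnswl-permit (cidr table) ----------------
# Constructed sample entry; the right-hand side names the class, not OK.
192.0.2.0/24        wl_verified

# --- /etc/postfix/sender_white (hash table) ---------------------------
# Constructed sample entry.
partner@example.com wl_verified
```

If the table fetched via rsync carries OK as its action, the right-hand side has to be rewritten to the class name after each sync. Hash tables need a postmap run after editing.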
