postfix blacklist

x49pL23 (New Member, joined Mar 5, 2020)

Hi,

I have had Postfix up and running for some time now. I've fine-tuned many of the config options, but I'm still getting the odd spammer getting through. The problem I'm having is that spammers that are on the various blacklists seem to be able to connect and send email, and are only caught out/blocked when they trigger other things, like no PTR record, etc. Why is Postfix ignoring the blacklists?

My main.cf has these entries:

smtpd_client_restrictions =
    reject_rbl_client bl.spamcop.net,
    reject_rbl_client zen.spamhaus.org,
    reject_rbl_client cbl.abuseat.org,

and also:

smtpd_recipient_restrictions =
    reject_rbl_client bl.spamcop.net,
    reject_rbl_client zen.spamhaus.org,
    reject_rbl_client cbl.abuseat.org,

But many spammers on those lists have sent email through my server (provided they don't trigger any other blocking rule).

This is my main.cf:

mydomain = x.com
myhostname = mail.x.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = localhost.$mydomain, $mydomain, $myhostname, localhost.com.au, localhost
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = ipv4
home_mailbox = Maildir/
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no
append_dot_mydomain = no
readme_directory = no
compatibility_level = 2
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

smtpd_client_connection_count_limit = 2
smtpd_client_connection_rate_limit = 2
smtpd_client_message_rate_limit = 2
smtpd_client_recipient_rate_limit = 5
smtpd_client_new_tls_session_rate_limit = 2

smtpd_relay_restrictions =
    permit_mynetworks
    permit_sasl_authenticated
    defer_unauth_destination

anvil_rate_time_unit = 2s
smtpd_client_message_rate_limit = 2

smtpd_helo_required = yes

smtpd_helo_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,

    reject_rhsbl_helo bl.spamcop.net,
    reject_rhsbl_helo zen.spamhaus.org,
    reject_rhsbl_helo cbl.abuseat.org,
    reject_rhsbl_helo dbl.spamhaus.org,

    reject_invalid_helo_hostname,
    reject_non_fqdn_helo_hostname,
    reject_unknown_helo_hostname,
    permit

smtpd_sender_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unknown_reverse_client_hostname,
    reject_unknown_client_hostname,
    reject_unknown_sender_domain,
    reject_unverified_sender,
    permit

smtpd_client_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    permit_auth_destination,

    permit_dnswl_client swl.spamhaus.org,

    reject_rbl_client bl.spamcop.net,
    reject_rbl_client zen.spamhaus.org,
    reject_rbl_client cbl.abuseat.org,

    reject_invalid_hostname,
    reject_unauth_pipelining,
    reject_unauth_destination,
    reject_non_fqdn_recipient,

    reject_rhsbl_helo dbl.spamhaus.org,
    reject_rhsbl_reverse_client dbl.spamhaus.org,
    reject_rhsbl_sender dbl.spamhaus.org,

    reject_rhsbl_helo dbl.spamhaus.org,
    reject_invalid_helo_hostname,
    reject_non_fqdn_helo_hostname,
    reject_unknown_helo_hostname,
    reject_unknown_recipient_domain,
    reject_unverified_recipient,
    permit

smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    permit_auth_destination,

    permit_dnswl_client swl.spamhaus.org,

    reject_rbl_client bl.spamcop.net,
    reject_rbl_client zen.spamhaus.org,
    reject_rbl_client cbl.abuseat.org,

    reject_invalid_hostname,
    reject_unauth_pipelining,
    reject_unauth_destination,
    reject_non_fqdn_recipient,

    reject_rhsbl_helo dbl.spamhaus.org,
    reject_rhsbl_reverse_client dbl.spamhaus.org,
    reject_rhsbl_sender dbl.spamhaus.org,

    reject_unknown_reverse_client_hostname,
    reject_rhsbl_helo dbl.spamhaus.org,
    reject_invalid_helo_hostname,
    reject_non_fqdn_helo_hostname,
    reject_unknown_helo_hostname,
    reject_unknown_recipient_domain,
    reject_unverified_recipient,
    permit

default_destination_rate_delay = 3s
disable_vrfy_command = yes
strict_rfc821_envelopes = yes

virtual_alias_domains = ......
virtual_alias_maps = hash:/etc/postfix/virtual
 


You are mixing the settings of different smtpd access restrictions, using some settings where they don't belong. Have a look at the example from the Postfix documentation website. Below the example there is a table of the different smtpd restrictions that you can click on to see which settings belong to which smtpd restrictions.
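
Added example, not part of the thread or of the Postfix documentation: Postfix walks a restriction list in order and stops at the first restriction that matches, and `permit_auth_destination` matches every recipient in a domain the server accepts mail for, so DNSBL checks listed after it are not evaluated for ordinary inbound mail. The sketch below flags that ordering in a main.cf. The helper names `parse_restrictions` and `shadowed_dnsbl_checks`, the short `BROAD_PERMITS` set and the sample config (constructed from the question) are assumptions of this example.

```python
import re

# Constructed sample: shortened smtpd_recipient_restrictions from the question,
# with continuation lines indented as main.cf requires.
SAMPLE_MAIN_CF = """\
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_auth_destination,
    permit_dnswl_client swl.spamhaus.org,
    reject_rbl_client bl.spamcop.net,
    reject_rbl_client zen.spamhaus.org,
    permit
"""

# Assumed, non-exhaustive set: these return OK for any remote client sending to a
# domain the server accepts, so nothing after them runs for ordinary inbound mail.
BROAD_PERMITS = {"permit", "permit_auth_destination"}
DNSBL_PREFIXES = ("reject_rbl_", "reject_rhsbl_")

def parse_restrictions(main_cf, parameter):
    """Return [(restriction, argument)] for one parameter; the last definition wins."""
    value, current = "", None
    for line in main_cf.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue                      # blank and comment lines are ignored
        if line[0].isspace():             # leading whitespace continues the logical line
            if current == parameter:
                value += " " + line.strip()
        elif "=" in line:
            current, rhs = (part.strip() for part in line.split("=", 1))
            if current == parameter:
                value = rhs               # a later definition overrides an earlier one
    items = []
    for token in re.split(r"[,\s]+", value.strip()):
        if token and re.search(r"[.:/]", token) and items:
            items[-1] = (items[-1][0], token)   # DNS zone or lookup table: an argument
        elif token:
            items.append((token, None))
    return items

def shadowed_dnsbl_checks(restrictions):
    """Return (dnsbl_check, earlier_permit) pairs that first-match evaluation skips."""
    findings, blocker = [], None
    for name, arg in restrictions:
        if blocker is None and name in BROAD_PERMITS:
            blocker = name
        elif blocker and name.startswith(DNSBL_PREFIXES):
            findings.append((f"{name} {arg}", blocker))
    return findings
```

The same functions accept the output of `postconf -n`, which prints the non-default settings Postfix actually loaded, so a parameter defined twice in main.cf is checked in its effective form.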
 
