Whitelist client blocked by RBL service

Discussion in 'Installation/Configuration' started by CubAfull, Sep 3, 2015.

  1. CubAfull

    CubAfull Member HowtoForge Supporter

    Hello,
    I'm having a big problem trying to whitelist a client blocked by RBL services. This client send email from other server to multiple email accounts in my server.
    I create a new rule under Global Filters -> Postfix Whitelist and set the client domain, and (for testing) the type to Sender, Client and Recipient, but the client email can't pass the RBL filter. I can see in the mail.log "Service unavailable; Client host [xx.xx.xx.xx] blocked using dnsblchile.org"
    I don't know if this is the problem, but I can see this rule in smtpd_recipient_restrictions:
    check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf
    In the postfix documentation it say:
    So, check_recipient_access check for the TO address and not for the FROM address. If I create the whitelist rule and set my client domain Type to recipient, this rule never match.
    Note: In this tutorial @falko use the check_client_access rule, but I don't know why ISPConfig set check_recipient_access.
    My question:
    1. How can I bypass the RBL check for specific domain or IP?
    2. It's the check_recipient_access the correct rule for smtpd_recipient_restrictions?
    Server details:
    Debian Jessie
    ISPConfig 3.0.5.4p8
    Postfix 2.11.3
    main.cf:
    Code:
    # See /usr/share/postfix/main.cf.dist for a commented, more complete version
    
    
    # Debian specific:  Specifying a file name will cause the first
    # line of that file to be used as the name.  The Debian default
    # is /etc/mailname.
    #myorigin = /etc/mailname
    
    smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
    biff = no
    
    # appending .domain is the MUA's job.
    append_dot_mydomain = no
    
    # Uncomment the next line to generate "delayed mail" warnings
    #delay_warning_time = 4h
    
    readme_directory = /usr/share/doc/postfix
    
    # TLS parameters
    smtpd_tls_cert_file = /etc/postfix/smtpd.cert
    smtpd_tls_key_file = /etc/postfix/smtpd.key
    smtpd_tls_CAfile = /etc/postfix/smtpd.bundle
    smtpd_use_tls = yes
    smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
    smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
    
    # See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
    # information on enabling SSL in the smtp client.
    
    smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
    myhostname = some.server.ltd
    alias_maps = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
    alias_database = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
    myorigin = /etc/mailname
    mydestination = some.server.ltd, localhost, localhost.localdomain
    relayhost =
    mynetworks = 127.0.0.0/8 [::1]/128
    mailbox_command = procmail -a "$EXTENSION"
    mailbox_size_limit = 0
    recipient_delimiter = +
    inet_interfaces = all
    html_directory = /usr/share/doc/postfix/html
    virtual_alias_domains =
    virtual_alias_maps = hash:/var/lib/mailman/data/virtual-mailman, proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf, proxy:mysql:/etc/postfix/mysql-virtual_email2email.cf
    virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf
    virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf
    virtual_mailbox_base = /var/vmail
    virtual_uid_maps = static:5000
    virtual_gid_maps = static:5000
    inet_protocols = all
    smtpd_sasl_auth_enable = yes
    broken_sasl_auth_clients = yes
    smtpd_sasl_authenticated_header = yes
    smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf, reject_rbl_client dnsblchile.org, reject_rbl_client multi.uribl.com, reject_rbl_client zen.spamhaus.org, reject_rbl_client cbl.abuseat.org, reject_rbl_client dnsbl.sorbs.net, reject_rbl_client dsn.rfc-ignorant.org
    smtpd_tls_security_level = may
    transport_maps = hash:/var/lib/mailman/data/transport-mailman, proxy:mysql:/etc/postfix/mysql-virtual_transports.cf
    relay_domains = mysql:/etc/postfix/mysql-virtual_relaydomains.cf
    relay_recipient_maps = mysql:/etc/postfix/mysql-virtual_relayrecipientmaps.cf
    proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks
    smtpd_sender_restrictions = check_sender_access mysql:/etc/postfix/mysql-virtual_sender.cf
    smtpd_client_restrictions = check_client_access mysql:/etc/postfix/mysql-virtual_client.cf
    smtpd_client_message_rate_limit = 100
    maildrop_destination_concurrency_limit = 1
    maildrop_destination_recipient_limit = 1
    virtual_transport = dovecot
    header_checks = regexp:/etc/postfix/header_checks
    mime_header_checks = regexp:/etc/postfix/mime_header_checks
    nested_header_checks = regexp:/etc/postfix/nested_header_checks
    body_checks = regexp:/etc/postfix/body_checks
    owner_request_special = no
    smtp_tls_security_level = may
    smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
    smtpd_tls_protocols = !SSLv2,!SSLv3
    smtp_tls_protocols = !SSLv2,!SSLv3
    dovecot_destination_recipient_limit = 1
    smtpd_sasl_type = dovecot
    smtpd_sasl_path = private/auth
    content_filter = amavis:[127.0.0.1]:10024
    receive_override_options = no_address_mappings
    bounce_queue_lifetime = 1d
    maximal_queue_lifetime = 1d
    bounce_template_file = /etc/postfix/bounce.es-ES.cf
    message_size_limit = 10485760
    
     
    chico11mbit likes this.
  2. CubAfull

    CubAfull Member HowtoForge Supporter

    Well, now I have some time and I'm testing some configurations in order to solve this problem.
    The original configuration set by ISPConfig:
    Code:
    smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf, reject_rbl_client dnsblchile.org, reject_rbl_client multi.uribl.com, reject_rbl_client zen.spamhaus.org
    smtpd_sender_restrictions = check_sender_access mysql:/etc/postfix/mysql-virtual_sender.cf
    smtpd_client_restrictions = check_client_access mysql:/etc/postfix/mysql-virtual_client.cf
    Working configuration:
    1- Delete the smtpd_sender_restrictions and smtpd_client_restrictions and add the check_sender_access and check_client_access to smtpd_recipient_restrictions.
    Code:
    smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, check_client_access mysql:/etc/postfix/mysql-virtual_client.cf, check_sender_access mysql:/etc/postfix/mysql-virtual_sender.cf, check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf, reject_rbl_client dnsblchile.org, reject_rbl_client zen.spamhaus.org, reject_rbl_client multi.uribl.com
    My full Postfix configuration:
    NOTES:
    - This configuration is for Postfix 2.10+
    - Please don't copy/paste this configuration in your server, it contain some custom settings like bounce template etc.

    Code:
    # See /usr/share/postfix/main.cf.dist for a commented, more complete version
    
    
    # Debian specific:  Specifying a file name will cause the first
    # line of that file to be used as the name.  The Debian default
    # is /etc/mailname.
    #myorigin = /etc/mailname
    
    smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
    biff = no
    
    # appending .domain is the MUA's job.
    append_dot_mydomain = no
    
    # Uncomment the next line to generate "delayed mail" warnings
    #delay_warning_time = 4h
    
    readme_directory = /usr/share/doc/postfix
    
    # TLS parameters
    smtpd_tls_cert_file = /etc/postfix/smtpd.cert
    smtpd_tls_key_file = /etc/postfix/smtpd.key
    smtpd_tls_CAfile = /etc/postfix/smtpd.bundle
    smtpd_use_tls = yes
    smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
    smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
    
    # See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
    # information on enabling SSL in the smtp client.
    
    smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
    myhostname = some.server.ltd
    alias_maps = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
    alias_database = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
    myorigin = /etc/mailname
    mydestination = some.server.ltd, localhost, localhost.localdomain
    relayhost =
    mynetworks = 127.0.0.0/8 [::1]/128
    mailbox_command = procmail -a "$EXTENSION"
    mailbox_size_limit = 0
    recipient_delimiter = +
    inet_interfaces = all
    html_directory = /usr/share/doc/postfix/html
    virtual_alias_domains =
    virtual_alias_maps = hash:/var/lib/mailman/data/virtual-mailman, proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf, proxy:mysql:/etc/postfix/mysql-virtual_email2email.cf
    virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf
    virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf
    virtual_mailbox_base = /var/vmail
    virtual_uid_maps = static:5000
    virtual_gid_maps = static:5000
    inet_protocols = all
    smtpd_sasl_auth_enable = yes
    broken_sasl_auth_clients = yes
    smtpd_sasl_authenticated_header = yes
    smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, check_client_access mysql:/etc/postfix/mysql-virtual_client.cf, check_sender_access mysql:/etc/postfix/mysql-virtual_sender.cf, check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf, reject_unauth_pipelining, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_rbl_client dnsblchile.org, reject_rbl_client zen.spamhaus.org, reject_rbl_client multi.uribl.com
    smtpd_tls_security_level = may
    transport_maps = hash:/var/lib/mailman/data/transport-mailman, proxy:mysql:/etc/postfix/mysql-virtual_transports.cf
    relay_domains = mysql:/etc/postfix/mysql-virtual_relaydomains.cf
    relay_recipient_maps = mysql:/etc/postfix/mysql-virtual_relayrecipientmaps.cf
    proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks
    smtpd_client_message_rate_limit = 100
    maildrop_destination_concurrency_limit = 1
    maildrop_destination_recipient_limit = 1
    virtual_transport = dovecot
    header_checks = regexp:/etc/postfix/header_checks
    mime_header_checks = regexp:/etc/postfix/mime_header_checks
    nested_header_checks = regexp:/etc/postfix/nested_header_checks
    body_checks = regexp:/etc/postfix/body_checks
    owner_request_special = no
    smtp_tls_security_level = may
    smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
    smtpd_tls_protocols = !SSLv2,!SSLv3
    smtp_tls_protocols = !SSLv2,!SSLv3
    dovecot_destination_recipient_limit = 1
    smtpd_sasl_type = dovecot
    smtpd_sasl_path = private/auth
    content_filter = amavis:[127.0.0.1]:10024
    receive_override_options = no_address_mappings
    bounce_queue_lifetime = 1d
    maximal_queue_lifetime = 1d
    bounce_template_file = /etc/postfix/bounce.es-ES.cf
    smtpd_helo_required = yes
    smtpd_delay_reject = yes
    strict_rfc821_envelopes = yes
    message_size_limit = 10485760
    I also make a copy of the ISPConfig install/configuration script debian_postfix.conf.master for postfix and put this file in /usr/local/ispconfig/server/conf-custom/install directory because I don't want to make this changes every time I update the ISPConfig installation.
    debian_postfix.conf.master content:
    Code:
    alias_maps = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
    alias_database = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
    virtual_alias_domains =
    virtual_alias_maps = hash:/var/lib/mailman/data/virtual-mailman, proxy:mysql:{config_dir}/mysql-virtual_forwardings.cf, proxy:mysql:{config_dir}/mysql-virtual_email2email.cf
    virtual_mailbox_domains = proxy:mysql:{config_dir}/mysql-virtual_domains.cf
    virtual_mailbox_maps = proxy:mysql:{config_dir}/mysql-virtual_mailboxes.cf
    virtual_mailbox_base = {vmail_mailbox_base}
    virtual_uid_maps = static:{vmail_userid}
    virtual_gid_maps = static:{vmail_groupid}
    inet_protocols=all
    smtpd_sasl_auth_enable = yes
    broken_sasl_auth_clients = yes
    smtpd_sasl_authenticated_header = yes
    smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, check_client_access mysql:{config_dir}/mysql-virtual_client.cf, check_sender_access mysql:{config_dir}/mysql-virtual_sender.cf, check_recipient_access mysql:{config_dir}/mysql-virtual_recipient.cf, reject_unauth_pipelining, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, reject_non_fqdn_sender, reject_non_fqdn_recipient{rbl_list}
    smtpd_use_tls = yes
    smtpd_tls_security_level = may
    smtpd_tls_cert_file = {config_dir}/smtpd.cert
    smtpd_tls_key_file = {config_dir}/smtpd.key
    transport_maps = hash:/var/lib/mailman/data/transport-mailman, proxy:mysql:{config_dir}/mysql-virtual_transports.cf
    relay_domains = mysql:{config_dir}/mysql-virtual_relaydomains.cf
    relay_recipient_maps = mysql:{config_dir}/mysql-virtual_relayrecipientmaps.cf
    proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks
    smtpd_client_message_rate_limit = 100
    maildrop_destination_concurrency_limit = 1
    maildrop_destination_recipient_limit   = 1
    virtual_transport = maildrop
    header_checks = regexp:{config_dir}/header_checks
    mime_header_checks = regexp:{config_dir}/mime_header_checks
    nested_header_checks = regexp:{config_dir}/nested_header_checks
    body_checks = regexp:{config_dir}/body_checks
    owner_request_special = no
    smtp_tls_security_level = may
    smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
    smtpd_tls_protocols = !SSLv2,!SSLv3
    smtp_tls_protocols = !SSLv2,!SSLv3
    smtpd_helo_required = yes
    smtpd_delay_reject = yes
    strict_rfc821_envelopes = yes
     
    till likes this.
  3. karuott

    karuott New Member

    We have the same problem.
    Is it okay if i'll do that:
    Code:
    smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, check_client_access mysql:/etc/postfix/mysql-virtual_client.cf, check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf, reject_rbl_client
    bad.psky.me
    
    smtpd_sender_restrictions = check_sender_access mysql:/etc/postfix/mysql-virtual_sender.cf
    smtpd_client_restrictions =
    
    Deleted check_client_access mysql:/etc/postfix/mysql-virtual_client.cf from smtpd_client_restrictions and added that line to smtpd_recipient_restrictions. In the ISPC i should make whitelist for domain and type should be Client?
     

Share This Page