Please some more info about whitelisting rbl_override and helo_access

Discussion in 'ISPConfig 3 Priority Support' started by Petar, Dec 28, 2021.

  1. Petar

    Petar Member HowtoForge Supporter

    If we leave the current configuration of postfix and filters, we will have a lot of problems with not receiving mails from unregistered secondary or local mail servers of other external domain companies, and a lot of KSMG (Kaspersky mail gateway protection) as of lately.

    So one way would be to not check for registered helo servers and receive a ton of other spam, or to add all needed friendly external mail servers to the rbl_override and helo_access lists.

    We would like to clear this up a little bit and ease our configurations regarding the wildcards that we can use:
    let's say that we always want to receive mails from this company, with several mail servers of theirs.

    company.com
    mail.company.com
    local.mail.company.com
    ksmg.company.com

    1. In rbl_override:
    Should we list all of them like this with OK at the end

    mail.company.com OK
    local.mail.company.com OK
    ksmg.company.com OK

    or to cover all the cases we can use something like this or similar

    company.com OK
    or
    *.company.com OK


    2. In helo_access:
    Should we list all of them like this with OK at the end:

    /^mail\.company\.com$/ OK
    /^local\.mail\.company\.com$/ OK
    /^ksmg\.company\.com$/ OK

    or to cover all the cases we can use something like this or similar

    /^company\.com$/ OK

    3. PS: Is the option in ISPC > Mail > Postfix Whitelist helping or replacing some of these functions, and if yes, then which type (recipient/sender/client), and what form of wildcards can we use in this case (can we just put the domain name as company.com or *.company.com)?

    Thank you for your time and help in advance and we hope that with this clear answer we will help a lot of our colleagues fine tune their postfix anti spam configuration.

    Best regards, happy holidays
     
  2. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    By "unregistered," you mean not in DNS? You can set whether you reject unknown client hostnames or helo hostnames (or both/neither) overall, and can override the client hostname restrictions via the postfix whitelist (type 'client'), and override unknown helo hostnames via helo_access as you mentioned.

    For your rbl issues, I would switch to using weighted rbl's, so that you can still use rbl's which are mostly good but have some incorrect listings, without outright blocking from that. Rspamd can do that, i.e. add some score based on rbl matches, and then set a greylist and a reject threshold, or you can use postscreen to add weighted rbl lookups right to postfix (with rspamd or amavis as the filter).

    The recipient and sender types work on envelope addrs; I imagine you could add a domain there, and use 'domain.com' and/or '.domain.com' as the syntax as needed (see http://www.postfix.org/access.5.html).
     
  3. Petar

    Petar Member HowtoForge Supporter

    Thank you for your time and help Jesse.
    Can you please clarify the use of wildcards?
    Can we use just
    domain.com OK
    Or
    *.domain.com OK
    In rbl_override, or we have to put all variations like
    mail1.domain.com OK
    exchange.domain.com OK
    ksmg.domain.com OK

    Same question about helo_access,
    Does this mean all mail servers with any subdomain:
    /^domain\.com$/ OK
    Or does it mean just the main domain company.com, and we have to add all the others, mail1.domain, ksmg.domain ...
     
  4. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    To quote from the link I posted earlier:
    The caret (^) anchors the match to the beginning of a line, so no, that doesn't match subdomains. You could use something like
    Code:
    /^(mail1|ksmg|whatever)\.domain\.com$/
    if you know all the names you want to match (or listed on individual lines), or just add a second line with
    Code:
    /\.domain\.com$/
    to catch any subdomain.
     
  5. Petar

    Petar Member HowtoForge Supporter

    Thanks Jesse, I guess this is the one I have been looking for. I thought that I must use * or some other wildcard.
    As you say, leaving only the dot in front of the domain solves the case for all the subdomains, which is more failproof...
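
The anchoring behaviour discussed in the thread, as an added example that is not part of any poster's message: it checks which HELO names a helo_access-style table answers OK for, with and without the `/\.domain\.com$/` line. It assumes Python's `re` module as a stand-in for Postfix's regexp table matching; the host names and the helper names (`parse_table`, `lookup`, `accepted`) are constructed for illustration.

```python
import re

# Patterns quoted in the thread, as two constructed helo_access variants.
# Assumption: Python's re stands in for Postfix's regexp: table matching.
BARE_ONLY = r"""
/^domain\.com$/ OK
"""
WITH_SUBDOMAINS = r"""
/^domain\.com$/ OK
/\.domain\.com$/ OK
"""

# Constructed HELO names; the last two are lookalikes that must not match.
SAMPLES = ["domain.com", "mail1.domain.com", "local.mail.domain.com",
           "KSMG.Domain.Com", "notdomain.com", "domain.com.example.net"]

def parse_table(text):
    """Parse '/pattern/ ACTION' lines, skipping blank lines and # comments."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^/(.*)/\s+(\S.*)$", line)
        if not m:
            raise ValueError(f"unparsable line: {line!r}")
        # Postfix regexp tables match case-insensitively by default.
        rules.append((re.compile(m.group(1), re.IGNORECASE), m.group(2)))
    return rules

def lookup(rules, helo):
    """Return the action of the first matching rule, or None if none match."""
    for rx, action in rules:
        if rx.search(helo):
            return action
    return None

def accepted(table_text):
    """HELO names from SAMPLES that the given table answers OK for."""
    rules = parse_table(table_text)
    return [h for h in SAMPLES if lookup(rules, h) == "OK"]

if __name__ == "__main__":
    for name, table in (("bare only", BARE_ONLY),
                        ("with subdomain line", WITH_SUBDOMAINS)):
        print(f"{name}: {accepted(table)}")
```

On a live server the same check can be made against the real table with `postmap -q <helo name> regexp:<path to helo_access>`, which prints the action if a pattern matches.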
     
