Whitelist blocked by RBL Service

Discussion in 'Installation/Configuration' started by DripleX, Aug 23, 2017.

  1. DripleX

    DripleX New Member

    I have a mail relay server (Raspberry Pi) which receives messages from a datafax and sends them over a secured connection to my mail server.
    My server runs Debian 8 and the current version of ISPConfig 3 with Nginx.

    To fight against spam mails I added the following line to the postfix main.cf:
    Code:
    smtpd_client_restrictions = check_client_access mysql:/etc/postfix/mysql-virtual_client.cf, reject_rbl_client zen.spamhaus.org reject_rhsbl_client dbl.spamhaus.org
    With this line I noticed that the mails from the raspi are blocked:
    Code:
    Aug 23 15:35:09 v2334XXXXXX postfix/smtpd[14549]: NOQUEUE: reject: RCPT from ppp-188-174-XXX-XX.dynamic.mnet-online.de[188.174.XXX.XX]: 554 5.7.1 Service unavailable; Client host [188.174.XXX.XX] blocked using zen.spamhaus.org; https://www.spamhaus.org/query/ip/188.174.XXX.XX; from=<> to=<[email protected]> proto=ESMTP helo=<raspberrypi>
    The raspi is connected to a fritzbox, so I wanted to add its dynamic IP address to a whitelist, like in this answer: serverfault.com/questions/495050/whitelist-rule-for-reject-rbl-client-in-postfix
    After that my main.cf looks like:
    Code:
    smtpd_client_restrictions = check_client_access mysql:/etc/postfix/mysql-virtual_client.cf, check_client_access hash:/etc/postfix/rbl_override, reject_rbl_client zen.spamhaus.org reject_rhsbl_client dbl.spamhaus.org
    But the messages are still blocked. I restarted Postfix every time I made changes!

    Do you have an idea what I can do to solve this, or do you know what I am doing wrong?

    Here you can see my main.cf if necessary:
    Code:
    # See /usr/share/postfix/main.cf.dist for a commented, more complete version
    
    
    # Debian specific:  Specifying a file name will cause the first
    # line of that file to be used as the name.  The Debian default
    # is /etc/mailname.
    #myorigin = /etc/mailname
    
    smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
    biff = no
    
    # appending .domain is the MUA's job.
    append_dot_mydomain = no
    
    # Uncomment the next line to generate "delayed mail" warnings
    #delay_warning_time = 4h
    
    readme_directory = /usr/share/doc/postfix
    
    # TLS parameters
    smtpd_tls_cert_file = /etc/postfix/smtpd.cert
    smtpd_tls_key_file = /etc/postfix/smtpd.key
    #smtpd_tls_CAfile = /usr/local/ispconfig/interface/ssl/startssl.chain.class1.server.crt
    smtpd_use_tls = yes
    smtpd_tls_auth_only = yes
    smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
    smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
    
    #Disable Poodle
    smtp_tls_security_level = may
    smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
    smtp_tls_mandatory_protocols=!SSLv2,!SSLv3
    smtpd_tls_protocols = !SSLv2,!SSLv3
    smtp_tls_protocols = !SSLv2,!SSLv3
    
    # Changes to SSL Ciphers
    tls_preempt_cipherlist = yes
    smtpd_tls_mandatory_ciphers = high
    tls_high_cipherlist = ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:ADH-AES256-GCM-SHA384:ADH-AES256-SHA256:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:AES256-GCM-SHA384:AES256-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:ADH-AES128-GCM-SHA256:ADH-AES128-SHA256:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:AES128-GCM-SHA256:AES128-SHA256:NULL-SHA256
    
    # See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
    # information on enabling SSL in the smtp client.
    
    myhostname = v2334XXXXXX.yourvserver.net
    alias_maps = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
    alias_database = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
    myorigin = /etc/mailname
    mydestination = v2334XXXXXX.yourvserver.net, localhost, localhost.localdomain
    relayhost =
    mynetworks = 127.0.0.0/8 [::1]/128
    mailbox_command = procmail -a "$EXTENSION"
    mailbox_size_limit = 0
    recipient_delimiter = +
    inet_interfaces = all
    html_directory = /usr/share/doc/postfix/html
    virtual_alias_domains =
    virtual_alias_maps = hash:/var/lib/mailman/data/virtual-mailman, proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf, proxy:mysql:/etc/postfix/mysql-virtual_email2email.cf
    virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf
    virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf
    virtual_mailbox_base = /var/vmail
    virtual_uid_maps = mysql:/etc/postfix/mysql-virtual_uids.cf
    virtual_gid_maps = mysql:/etc/postfix/mysql-virtual_gids.cf
    inet_protocols = all
    smtpd_sasl_auth_enable = yes
    broken_sasl_auth_clients = yes
    smtpd_sasl_authenticated_header = yes
    smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf, check_recipient_access mysql:/etc/postfix/mysql-virtual_policy_greylist.cf
        #check_policy_service inet:127.0.0.1:10023
    smtpd_tls_security_level = may
    transport_maps = hash:/var/lib/mailman/data/transport-mailman, proxy:mysql:/etc/postfix/mysql-virtual_transports.cf
    relay_domains = mysql:/etc/postfix/mysql-virtual_relaydomains.cf
    relay_recipient_maps = mysql:/etc/postfix/mysql-virtual_relayrecipientmaps.cf
    proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $sender_bcc_maps $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $smtpd_sender_login_maps
    #smtpd_sender_restrictions = check_sender_access regexp:/etc/postfix/tag_as_originating.re , permit_mynetworks, permit_sasl_authenticated, check_sender_access mysql:/etc/postfix/mysql-virtual_sender.cf, check_sender_access regexp:/etc/postfix/tag_as_foreign.re
    smtpd_sender_restrictions = check_sender_access regexp:/etc/postfix/tag_as_originating.re , permit_mynetworks, permit_sasl_authenticated, check_sender_access mysql:/etc/postfix/mysql-virtual_sender.cf, check_sender_access regexp:/etc/postfix/tag_as_foreign.re
    smtpd_client_restrictions = check_client_access mysql:/etc/postfix/mysql-virtual_client.cf
    smtpd_client_message_rate_limit = 100
    maildrop_destination_concurrency_limit = 1
    maildrop_destination_recipient_limit = 1
    virtual_transport = dovecot
    header_checks = regexp:/etc/postfix/header_checks
    mime_header_checks = regexp:/etc/postfix/mime_header_checks
    nested_header_checks = regexp:/etc/postfix/nested_header_checks
    body_checks = regexp:/etc/postfix/body_checks
    owner_request_special = no
    dovecot_destination_recipient_limit = 1
    smtpd_sasl_type = dovecot
    smtpd_sasl_path = private/auth
    content_filter = amavis:[127.0.0.1]:10024
    receive_override_options = no_address_mappings
    message_size_limit = 0
    
    milter_default_action = accept
    milter_protocol = 6
    smtpd_milters = inet:localhost:4526
    non_smtpd_milters = inet:localhost:4526
    
    smtpd_helo_required = yes
    disable_vrfy_command = yes
    strict_rfc821_envelopes = yes
    invalid_hostname_reject_code = 554
    multi_recipient_bounce_reject_code = 554
    non_fqdn_reject_code = 554
    relay_domains_reject_code = 554
    unknown_address_reject_code = 554
    unknown_client_reject_code = 554
    unknown_hostname_reject_code = 554
    unknown_local_recipient_reject_code = 554
    unknown_relay_recipient_reject_code = 554
    #unknown_sender_reject_code = 554
    unknown_virtual_alias_reject_code = 554
    unknown_virtual_mailbox_reject_code = 554
    unverified_recipient_reject_code = 554
    unverified_sender_reject_code = 554
    smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
    smtpd_tls_protocols = !SSLv2,!SSLv3
    smtpd_data_restrictions = reject_unauth_pipelining
    smtpd_delay_reject = yes
    smtp_tls_protocols = !SSLv2,!SSLv3
    smtp_tls_security_level = may
    smtp_tls_ciphers = export
    smtpd_tls_received_header = yes
    smtp_tls_loglevel = 1
    smtpd_tls_loglevel = 1
    smtpd_tls_eecdh_grade = strong
    tls_preempt_cipherlist = yes
    
    postscreen_greet_action = enforce
    postscreen_helo_required = yes
    postscreen_dnsbl_threshold = 2
    postscreen_dnsbl_action = drop
    postscreen_dnsbl_sites = zen.spamhaus.org*2
            bl.spamcop.net*1 b.barracudacentral.org*1
            ix.dnsbl.manitu.net
    postscreen_dnsbl_action = drop
    postscreen_enforce_tls = $smtpd_enforce_tls
    postscreen_use_tls = $smtpd_use_tls
    
    smtpd_reject_footer = Contact [email protected] for technical
    assistance. Please provide the following information in your
    problem report: error message, time ($localtime),
    client ($client_address) and server ($server_name).
    We speak both English and German.
    postscreen_reject_footer = Contact [email protected] for technical
    assistance. Please provide the following information in your
    problem report: error message, time ($localtime),
    client ($client_address) and server ($server_name).
    We speak both English and German.
    
    sender_bcc_maps = proxy:mysql:/etc/postfix/mysql-virtual_outgoing_bcc.cf
    smtpd_restriction_classes = greylisting
    greylisting = check_policy_service inet:127.0.0.1:10023
    smtpd_sender_login_maps = proxy:mysql:/etc/postfix/mysql-virtual_sender_login_maps.cf
    smtpd_helo_restrictions = permit_sasl_authenticated, permit_mynetworks, check_helo_access regexp:/etc/postfix/helo_access, reject_invalid_hostname, reject_non_fqdn_hostname, reject_invalid_helo_hostname, reject_unknown_helo_hostname, check_helo_access regexp:/etc/postfix/blacklist_helo
    smtpd_tls_exclude_ciphers = RC4, aNULL
    smtp_tls_exclude_ciphers = RC4, aNULL
    smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf
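The reason a whitelist keyed on a DynDNS name cannot work can be seen by replaying how Postfix keys a check_client_access lookup. The following is an added example, not code from the thread or from Postfix: it reproduces the lookup order documented in access(5) (verified reverse-DNS name, its parent domains, the IP address, then the parent networks of that IP) and runs it against a map shaped like the poster's rbl_override. All names and the address are constructed stand-ins (TEST-NET address, .example domains) for the masked values in the thread; rbl_listed stands in for the DNSBL answer.

```python
"""Replay Postfix check_client_access keying to show why a DynDNS whitelist
entry never matches. Added example; values are constructed stand-ins."""
import ipaddress


def client_access_keys(client_name, client_ip):
    """Return the keys Postfix tries, in order, for check_client_access.

    Per access(5): the client's verified reverse-DNS name (or 'unknown' when
    PTR and A records disagree), each parent domain of that name down to the
    top-level domain, then the IP address and the parent networks obtained by
    stripping least-significant octets. Assumes the default
    parent_domain_matches_subdomains, which includes smtpd_access_maps, so
    parent-domain keys carry no leading dot. IPv4 only; Postfix keys IPv6
    clients differently (ipv6: prefix), which is not modelled here.
    """
    keys = []
    if client_name != "unknown":
        labels = client_name.lower().split(".")
        keys.extend(".".join(labels[i:]) for i in range(len(labels)))
    addr = ipaddress.ip_address(client_ip)
    if addr.version != 4:
        raise ValueError("IPv4 example only")
    octets = str(addr).split(".")
    keys.extend(".".join(octets[:n]) for n in range(4, 0, -1))
    return keys


def access_lookup(access_map, client_name, client_ip):
    """First matching action in the map, or None (Postfix: DUNNO, try next restriction)."""
    for key in client_access_keys(client_name, client_ip):
        if key in access_map:
            return access_map[key]
    return None


def client_restrictions(override_map, client_name, client_ip, rbl_listed):
    """Mimic 'check_client_access hash:rbl_override, reject_rbl_client zen.spamhaus.org'.

    rbl_listed replaces the DNSBL query a real smtpd would make.
    """
    action = access_lookup(override_map, client_name, client_ip)
    if action == "OK":
        return "OK"          # whitelisted: the RBL restriction is never reached
    if action == "REJECT":
        return "REJECT"
    return "REJECT rbl" if rbl_listed else "DUNNO"


# Constructed stand-ins: the DynDNS name the poster whitelisted versus the
# generic ISP name that the client's PTR record actually returns.
DYNDNS_NAME = "mybox.dyndns.example"                  # forward-resolves to CLIENT_IP
CLIENT_NAME = "ppp-203-0-113-7.dynamic.isp.example"   # what Postfix sees as the client name
CLIENT_IP = "203.0.113.7"

WHITELIST_BY_DYNDNS = {DYNDNS_NAME: "OK"}             # shape of the thread's rbl_override
WHITELIST_BY_POOL = {"dynamic.isp.example": "OK"}     # matches, but admits the whole ISP pool

if __name__ == "__main__":
    print(client_access_keys(CLIENT_NAME, CLIENT_IP))
    print(client_restrictions(WHITELIST_BY_DYNDNS, CLIENT_NAME, CLIENT_IP, rbl_listed=True))
    print(client_restrictions(WHITELIST_BY_POOL, CLIENT_NAME, CLIENT_IP, rbl_listed=True))
```

The DynDNS name is never among the keys, because Postfix only uses the name it obtained from the client's PTR record; it does not resolve forward names in the map. Whitelisting the ISP's pool domain or the current address does match, but the first admits every customer of that ISP and the second breaks on the next address change, which is why an authenticated submission is the durable fix. On the real server, `postmap -q "ppp-188-174-XXX-XX.dynamic.mnet-online.de" hash:/etc/postfix/rbl_override` checks a single key the same way.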
     
  2. florian030

    florian030 ISPConfig Developer

    Your
    /etc/postfix/rbl_override
    is missing. Did you postmap this file?
     
  3. DripleX

    DripleX New Member

    This is the content of the rbl_override:
    Code:
    etd2v6yxxxxxxxxi.myfritz.net OK
    And yes, I postmapped this file.
     
  4. florian030

    florian030 ISPConfig Developer

    The connect comes from
    ppp-188-174-XXX-XX.dynamic.mnet-online.de[188.174.XXX.XX]

    You can also use an authenticated connection or use the submission port.
     
  5. DripleX

    DripleX New Member

    This is a dynamic IP address and changes every day. I think you know that.
    I thought that if I enter the address of the fritzbox which points to the IP address, it would work. But it doesn't.

    What do you mean by an authenticated connection and the submission port?
    I thought I already have an authenticated connection.
     
  6. florian030

    florian030 ISPConfig Developer

    You can create a mail account (user+password) on your relay and use these credentials when you send mails from your fritz-box.
    If the relay and the fritz-box are in the same LAN, you can also add the private IP of the fritz-box to mynetworks, reload Postfix and use the private IP for the mail server in the fritz-box.

    Side note: I have had the same public IP for a few months. You can disable the "disconnect daily" feature.
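The authenticated-submission setup described above, worked out as an added example; this is not configuration from the thread or from ISPConfig itself. Assumptions: the raspi runs Postfix as its relay (the thread only calls it a "mail relay server"), the fritzbox LAN is 192.168.178.0/24 with the raspi at .2 and the datafax at .50, a mailbox relay-user@yourdomain.example has been created in ISPConfig, and the server hostname is the one shown in the posted main.cf. ISPConfig normally installs a submission entry of the shape shown, but the one on the server should be checked rather than assumed. Postfix takes everything after the "=" up to the end of the line as the value, so comments sit on their own lines.

```ini
# --- on the netcup/ISPConfig server: /etc/postfix/master.cf ---
# The per-service -o override replaces smtpd_client_restrictions for port 587,
# so the reject_rbl_client lookups from main.cf never apply to authenticated
# clients, and unauthenticated clients are rejected outright.
submission inet n       -       -       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject

# --- on the raspi (assumed to run Postfix): /etc/postfix/main.cf ---
# Listen only on loopback and the LAN address, and trust only the fax,
# so the fax can relay unencrypted inside the LAN but nothing else can.
inet_interfaces = 127.0.0.1, 192.168.178.2
mynetworks = 127.0.0.0/8, 192.168.178.50/32
# Hand everything to the ISPConfig server on the submission port, with
# the account created there. Brackets disable MX lookup for the relayhost.
relayhost = [v2334XXXXXX.yourvserver.net]:587
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
# Require TLS and verify the server certificate against the system CA bundle.
# Fall back to "encrypt" only if the relay's certificate cannot be validated;
# that still refuses cleartext but no longer detects a spoofed server.
smtp_tls_security_level = secure
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtp_tls_loglevel = 1

# --- on the raspi: /etc/postfix/sasl_passwd (chmod 600, then postmap) ---
[v2334XXXXXX.yourvserver.net]:587 relay-user@yourdomain.example:CHANGEME
```

After editing, run `postmap hash:/etc/postfix/sasl_passwd` and `postfix reload` on the raspi, then send a test fax and look for `postfix/submission` entries with `sasl_username=` in the server's mail log. With this in place the public address of the fritzbox no longer matters, and no RBL override is needed. One further note on the posted server main.cf: its hand-written tls_high_cipherlist contains ADH and NULL-SHA256 entries, which do not belong in a "high" grade list; the Postfix default for that parameter is preferable.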
     
  7. DripleX

    DripleX New Member

    Okay, I think I have to explain the whole situation...

    I have an old datafax which can receive faxes and forward them by mail to our mail account.
    But it supports only unencrypted connections and no SSL.
    That's the reason why I set up a mail relay server with the raspi.
    The raspi and the fritzbox are in the same private network.
    Our server is hosted by netcup.

    All mails which the raspi sends to the server are blocked by the RBL lists.
    I really don't know how often the public IP address changes, so I thought I would permit the dynamic address of the fritzbox on the netcup server.
    But this isn't working. The reason for that can be that the mail is not sent with the dynamic address of the fritzbox.
    And I don't know how to whitelist the raspi on the netcup server.
     
