Whitelist blocked by RBL Service

Discussion in 'Installation/Configuration' started by DripleX, Aug 23, 2017.

  1. DripleX

    DripleX New Member

    I have a mail relay server (Rasperry pi) which recieves messages from a datafax and sends it over a secured connection to my mailserver.
    My server runs with debian 8 and the current version of Ispconfig 3 with Nginx.

    To fight against spam mails I added the following line to the postfix main.cf:
    smtpd_client_restrictions = check_client_access mysql:/etc/postfix/mysql-virtual_client.cf, reject_rbl_client zen.spamhaus.org reject_rhsbl_client dbl.spamhaus.org
    With this line I noticed, that the mails from the raspi will be blocked:
    Aug 23 15:35:09 v2334XXXXXX postfix/smtpd[14549]: NOQUEUE: reject: RCPT from ppp-188-174-XXX-XX.dynamic.mnet-online .de[188.174.XXX.XX]: 554 5.7.1 Service unavailable; Client host [188.174.XXX.XX] blocked using zen.spamhaus .org; https://www.spamhaus .org/query/ip/188.174.XXX.XX; from=<> to=<[email protected]> proto=ESMTP helo=<raspberrypi>
    The raspi is connected to a fritzbox, so I wanted to add the dynamic ip address of it to a white list, like this answer: serverfault .com/questions/495050/whitelist-rule-for-reject-rbl-client-in-postfix
    After that my main.cf looks like:
    smtpd_client_restrictions = check_client_access mysql:/etc/postfix/mysql-virtual_client.cf, check_client_access hash:/etc/postfix/rbl_override, reject_rbl_client zen.spamhaus.org reject_rhsbl_client dbl.spamhaus.org
    But the messages are still blocked. I restarted postfix everytime I did new changes!

    Do you have an idea what I can do to solve this, or do you know what I'am doing wrong?

    Here you can see my main.cf if necessary:
    # See /usr/share/postfix/main.cf.dist for a commented, more complete version
    # Debian specific:  Specifying a file name will cause the first
    # line of that file to be used as the name.  The Debian default
    # is /etc/mailname.
    #myorigin = /etc/mailname
    smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
    biff = no
    # appending .domain is the MUA's job.
    append_dot_mydomain = no
    # Uncomment the next line to generate "delayed mail" warnings
    #delay_warning_time = 4h
    readme_directory = /usr/share/doc/postfix
    # TLS parameters
    smtpd_tls_cert_file = /etc/postfix/smtpd.cert
    smtpd_tls_key_file = /etc/postfix/smtpd.key
    #smtpd_tls_CAfile = /usr/local/ispconfig/interface/ssl/startssl.chain.class1.server.crt
    smtpd_use_tls = yes
    smtpd_tls_auth_only = yes
    smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
    smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
    #Disable Poodle
    smtp_tls_security_level = may
    smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
    smtpd_tls_protocols = !SSLv2,!SSLv3
    smtp_tls_protocols = !SSLv2,!SSLv3
    # Changes to SSL Ciphers
    tls_preempt_cipherlist = yes
    smtpd_tls_mandatory_ciphers = high
    # See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
    # information on enabling SSL in the smtp client.
    myhostname = v2334XXXXXX.yourvserver.net
    alias_maps = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
    alias_database = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
    myorigin = /etc/mailname
    mydestination = v2334XXXXXX.yourvserver.net, localhost, localhost.localdomain
    relayhost =
    mynetworks = [::1]/128
    mailbox_command = procmail -a "$EXTENSION"
    mailbox_size_limit = 0
    recipient_delimiter = +
    inet_interfaces = all
    html_directory = /usr/share/doc/postfix/html
    virtual_alias_domains =
    virtual_alias_maps = hash:/var/lib/mailman/data/virtual-mailman, proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf, proxy:mysql:/etc/postfix/mysql-virtual_email2email.cf
    virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf
    virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf
    virtual_mailbox_base = /var/vmail
    virtual_uid_maps = mysql:/etc/postfix/mysql-virtual_uids.cf
    virtual_gid_maps = mysql:/etc/postfix/mysql-virtual_gids.cf
    inet_protocols = all
    smtpd_sasl_auth_enable = yes
    broken_sasl_auth_clients = yes
    smtpd_sasl_authenticated_header = yes
    smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf, check_recipient_access mysql:/etc/postfix/mysql-virtual_policy_greylist.cf
        #check_policy_service inet:
    smtpd_tls_security_level = may
    transport_maps = hash:/var/lib/mailman/data/transport-mailman, proxy:mysql:/etc/postfix/mysql-virtual_transports.cf
    relay_domains = mysql:/etc/postfix/mysql-virtual_relaydomains.cf
    relay_recipient_maps = mysql:/etc/postfix/mysql-virtual_relayrecipientmaps.cf
    proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $sender_bcc_maps $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $smtpd_sender_login_maps
    #smtpd_sender_restrictions = check_sender_access regexp:/etc/postfix/tag_as_originating.re , permit_mynetworks, permit_sasl_authenticated, check_sender_access mysql:/etc/postfix/mysql-virtual_sender.cf, check_sender_access regexp:/etc/postfix/tag_as_foreign.re
    smtpd_sender_restrictions = check_sender_access regexp:/etc/postfix/tag_as_originating.re , permit_mynetworks, permit_sasl_authenticated, check_sender_access mysql:/etc/postfix/mysql-virtual_sender.cf, check_sender_access regexp:/etc/postfix/tag_as_foreign.re
    smtpd_client_restrictions = check_client_access mysql:/etc/postfix/mysql-virtual_client.cf
    smtpd_client_message_rate_limit = 100
    maildrop_destination_concurrency_limit = 1
    maildrop_destination_recipient_limit = 1
    virtual_transport = dovecot
    header_checks = regexp:/etc/postfix/header_checks
    mime_header_checks = regexp:/etc/postfix/mime_header_checks
    nested_header_checks = regexp:/etc/postfix/nested_header_checks
    body_checks = regexp:/etc/postfix/body_checks
    owner_request_special = no
    dovecot_destination_recipient_limit = 1
    smtpd_sasl_type = dovecot
    smtpd_sasl_path = private/auth
    content_filter = amavis:[]:10024
    receive_override_options = no_address_mappings
    message_size_limit = 0
    milter_default_action = accept
    milter_protocol = 6
    smtpd_milters = inet:localhost:4526
    non_smtpd_milters = inet:localhost:4526
    smtpd_helo_required = yes
    disable_vrfy_command = yes
    strict_rfc821_envelopes = yes
    invalid_hostname_reject_code = 554
    multi_recipient_bounce_reject_code = 554
    non_fqdn_reject_code = 554
    relay_domains_reject_code = 554
    unknown_address_reject_code = 554
    unknown_client_reject_code = 554
    unknown_hostname_reject_code = 554
    unknown_local_recipient_reject_code = 554
    unknown_relay_recipient_reject_code = 554
    #unknown_sender_reject_code = 554
    unknown_virtual_alias_reject_code = 554
    unknown_virtual_mailbox_reject_code = 554
    unverified_recipient_reject_code = 554
    unverified_sender_reject_code = 554
    smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
    smtpd_tls_protocols = !SSLv2,!SSLv3
    smtpd_data_restrictions = reject_unauth_pipelining
    smtpd_delay_reject = yes
    smtp_tls_protocols = !SSLv2,!SSLv3
    smtp_tls_security_level = may
    smtp_tls_ciphers = export
    smtpd_tls_received_header = yes
    smtp_tls_loglevel = 1
    smtpd_tls_loglevel = 1
    smtpd_tls_eecdh_grade = strong
    tls_preempt_cipherlist = yes
    postscreen_greet_action = enforce
    postscreen_helo_required = yes
    postscreen_dnsbl_threshold = 2
    postscreen_dnsbl_action = drop
    postscreen_dnsbl_sites = zen.spamhaus.org*2
            bl.spamcop.net*1 b.barracudacentral.org*1
    postscreen_dnsbl_action = drop
    postscreen_enforce_tls = $smtpd_enforce_tls
    postscreen_use_tls = $smtpd_use_tls
    smtpd_reject_footer = Contact [email protected] for technical
    assistance. Please provide the following information in your
    problem report: error message, time ($localtime),
    client ($client_address) and server ($server_name).
    We speak both English and German.
    postscreen_reject_footer = Contact [email protected] for technical
    assistance. Please provide the following information in your
    problem report: error message, time ($localtime),
    client ($client_address) and server ($server_name).
    We speak both English and German.
    sender_bcc_maps = proxy:mysql:/etc/postfix/mysql-virtual_outgoing_bcc.cf
    smtpd_restriction_classes = greylisting
    greylisting = check_policy_service inet:
    smtpd_sender_login_maps = proxy:mysql:/etc/postfix/mysql-virtual_sender_login_maps.cf
    smtpd_helo_restrictions = permit_sasl_authenticated, permit_mynetworks, check_helo_access regexp:/etc/postfix/helo_access, reject_invalid_hostname, reject_non_fqdn_hostname, reject_invalid_helo_hostname, reject_unknown_helo_hostname, check_helo_access regexp:/etc/postfix/blacklist_helo
    smtpd_tls_exclude_ciphers = RC4, aNULL
    smtp_tls_exclude_ciphers = RC4, aNULL
    smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf
  2. florian030

    florian030 ISPConfig Developer ISPConfig Developer

    is missing. Did you postmap this file?
  3. DripleX

    DripleX New Member

    This is the content of the rbl_override:
    etd2v6yxxxxxxxxi.myfritz.net OK
    And yes I potsmapped this file.
  4. florian030

    florian030 ISPConfig Developer ISPConfig Developer

    The connect comes from
    ppp-188-174-XXX-XX.dynamic.mnet-online .de[188.174.XXX.XX]

    you can also use an authentificated connection or use the submission-port
  5. DripleX

    DripleX New Member

    This is a dynamic IP-Address and changes every day. I think you know that.
    I thought if I enter the address of the fritzbox which points to the IP-Address, it will work. But it doesn't.

    What do you mean with authentificated connection and the submission-port.
    I thought I already have an authentificated connection.
  6. florian030

    florian030 ISPConfig Developer ISPConfig Developer

    you can create a mailaccount (user+password) on your relay and use this credentials when you send mails from your fritz-box.
    if the relay and the fritz-box are in the same lan, you can also add the private ip from the fritz-box to mynetworks, reload postfix and use the private ip for the mail-server in the fritz-box.

    side-note: i have the same public-ip for a few months. you can disable the "disconnect daily feature".
  7. DripleX

    DripleX New Member

    Okay, I think I have to explain the whole situation...

    I have an old datafax which can receive faxes and forward it over mail to our mail account.
    But it supports only unencrypted connection and no ssl.
    That's the reason why I set up a mail relay server with the raspi.
    The raspi and the fritzbox are in the same private network.
    Our server is hosted by netcup.

    All mails which sends the raspi to the server will be blocked by the rbl-lists.
    I really don't know how often the public ip-address is changing, so i thought I permit the dynamic address of the fritzbox to the netcup server.
    But this isn't working. The reason for that can be, that the mail will not be send with the dynamic address of the fitzbox.
    And I don't know how to whitlist the raspi to the netcup server.

Share This Page