Hello, I'm having a big problem trying to whitelist a client blocked by RBL services. This client send email from other server to multiple email accounts in my server. I create a new rule under Global Filters -> Postfix Whitelist and set the client domain, and (for testing) the type to Sender, Client and Recipient, but the client email can't pass the RBL filter. I can see in the mail.log "Service unavailable; Client host [xx.xx.xx.xx] blocked using dnsblchile.org" I don't know if this is the problem, but I can see this rule in smtpd_recipient_restrictions: check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf In the postfix documentation it say: So, check_recipient_access check for the TO address and not for the FROM address. If I create the whitelist rule and set my client domain Type to recipient, this rule never match. Note: In this tutorial @falko use the check_client_access rule, but I don't know why ISPConfig set check_recipient_access. My question: How can I bypass the RBL check for specific domain or IP? It's the check_recipient_access the correct rule for smtpd_recipient_restrictions? Server details: Debian Jessie ISPConfig 3.0.5.4p8 Postfix 2.11.3 main.cf: Code: # See /usr/share/postfix/main.cf.dist for a commented, more complete version # Debian specific: Specifying a file name will cause the first # line of that file to be used as the name. The Debian default # is /etc/mailname. #myorigin = /etc/mailname smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU) biff = no # appending .domain is the MUA's job. append_dot_mydomain = no # Uncomment the next line to generate "delayed mail" warnings #delay_warning_time = 4h readme_directory = /usr/share/doc/postfix # TLS parameters smtpd_tls_cert_file = /etc/postfix/smtpd.cert smtpd_tls_key_file = /etc/postfix/smtpd.key smtpd_tls_CAfile = /etc/postfix/smtpd.bundle smtpd_use_tls = yes smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache # See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for # information on enabling SSL in the smtp client. smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination myhostname = some.server.ltd alias_maps = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases alias_database = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases myorigin = /etc/mailname mydestination = some.server.ltd, localhost, localhost.localdomain relayhost = mynetworks = 127.0.0.0/8 [::1]/128 mailbox_command = procmail -a "$EXTENSION" mailbox_size_limit = 0 recipient_delimiter = + inet_interfaces = all html_directory = /usr/share/doc/postfix/html virtual_alias_domains = virtual_alias_maps = hash:/var/lib/mailman/data/virtual-mailman, proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf, proxy:mysql:/etc/postfix/mysql-virtual_email2email.cf virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf virtual_mailbox_base = /var/vmail virtual_uid_maps = static:5000 virtual_gid_maps = static:5000 inet_protocols = all smtpd_sasl_auth_enable = yes broken_sasl_auth_clients = yes smtpd_sasl_authenticated_header = yes smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf, reject_rbl_client dnsblchile.org, reject_rbl_client multi.uribl.com, reject_rbl_client zen.spamhaus.org, reject_rbl_client cbl.abuseat.org, reject_rbl_client dnsbl.sorbs.net, reject_rbl_client dsn.rfc-ignorant.org smtpd_tls_security_level = may transport_maps = hash:/var/lib/mailman/data/transport-mailman, proxy:mysql:/etc/postfix/mysql-virtual_transports.cf relay_domains = mysql:/etc/postfix/mysql-virtual_relaydomains.cf relay_recipient_maps = mysql:/etc/postfix/mysql-virtual_relayrecipientmaps.cf proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks smtpd_sender_restrictions = check_sender_access mysql:/etc/postfix/mysql-virtual_sender.cf smtpd_client_restrictions = check_client_access mysql:/etc/postfix/mysql-virtual_client.cf smtpd_client_message_rate_limit = 100 maildrop_destination_concurrency_limit = 1 maildrop_destination_recipient_limit = 1 virtual_transport = dovecot header_checks = regexp:/etc/postfix/header_checks mime_header_checks = regexp:/etc/postfix/mime_header_checks nested_header_checks = regexp:/etc/postfix/nested_header_checks body_checks = regexp:/etc/postfix/body_checks owner_request_special = no smtp_tls_security_level = may smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3 smtpd_tls_protocols = !SSLv2,!SSLv3 smtp_tls_protocols = !SSLv2,!SSLv3 dovecot_destination_recipient_limit = 1 smtpd_sasl_type = dovecot smtpd_sasl_path = private/auth content_filter = amavis:[127.0.0.1]:10024 receive_override_options = no_address_mappings bounce_queue_lifetime = 1d maximal_queue_lifetime = 1d bounce_template_file = /etc/postfix/bounce.es-ES.cf message_size_limit = 10485760
Well, now I have some time and I'm testing some configurations in order to solve this problem. The original configuration set by ISPConfig: Code: smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf, reject_rbl_client dnsblchile.org, reject_rbl_client multi.uribl.com, reject_rbl_client zen.spamhaus.org smtpd_sender_restrictions = check_sender_access mysql:/etc/postfix/mysql-virtual_sender.cf smtpd_client_restrictions = check_client_access mysql:/etc/postfix/mysql-virtual_client.cf Working configuration: 1- Delete the smtpd_sender_restrictions and smtpd_client_restrictions and add the check_sender_access and check_client_access to smtpd_recipient_restrictions. Code: smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, check_client_access mysql:/etc/postfix/mysql-virtual_client.cf, check_sender_access mysql:/etc/postfix/mysql-virtual_sender.cf, check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf, reject_rbl_client dnsblchile.org, reject_rbl_client zen.spamhaus.org, reject_rbl_client multi.uribl.com My full Postfix configuration: NOTES: - This configuration is for Postfix 2.10+ - Please don't copy/paste this configuration in your server, it contain some custom settings like bounce template etc. Code: # See /usr/share/postfix/main.cf.dist for a commented, more complete version # Debian specific: Specifying a file name will cause the first # line of that file to be used as the name. The Debian default # is /etc/mailname. #myorigin = /etc/mailname smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU) biff = no # appending .domain is the MUA's job. append_dot_mydomain = no # Uncomment the next line to generate "delayed mail" warnings #delay_warning_time = 4h readme_directory = /usr/share/doc/postfix # TLS parameters smtpd_tls_cert_file = /etc/postfix/smtpd.cert smtpd_tls_key_file = /etc/postfix/smtpd.key smtpd_tls_CAfile = /etc/postfix/smtpd.bundle smtpd_use_tls = yes smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache # See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for # information on enabling SSL in the smtp client. smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination myhostname = some.server.ltd alias_maps = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases alias_database = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases myorigin = /etc/mailname mydestination = some.server.ltd, localhost, localhost.localdomain relayhost = mynetworks = 127.0.0.0/8 [::1]/128 mailbox_command = procmail -a "$EXTENSION" mailbox_size_limit = 0 recipient_delimiter = + inet_interfaces = all html_directory = /usr/share/doc/postfix/html virtual_alias_domains = virtual_alias_maps = hash:/var/lib/mailman/data/virtual-mailman, proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf, proxy:mysql:/etc/postfix/mysql-virtual_email2email.cf virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf virtual_mailbox_base = /var/vmail virtual_uid_maps = static:5000 virtual_gid_maps = static:5000 inet_protocols = all smtpd_sasl_auth_enable = yes broken_sasl_auth_clients = yes smtpd_sasl_authenticated_header = yes smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, check_client_access mysql:/etc/postfix/mysql-virtual_client.cf, check_sender_access mysql:/etc/postfix/mysql-virtual_sender.cf, check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf, reject_unauth_pipelining, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_rbl_client dnsblchile.org, reject_rbl_client zen.spamhaus.org, reject_rbl_client multi.uribl.com smtpd_tls_security_level = may transport_maps = hash:/var/lib/mailman/data/transport-mailman, proxy:mysql:/etc/postfix/mysql-virtual_transports.cf relay_domains = mysql:/etc/postfix/mysql-virtual_relaydomains.cf relay_recipient_maps = mysql:/etc/postfix/mysql-virtual_relayrecipientmaps.cf proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks smtpd_client_message_rate_limit = 100 maildrop_destination_concurrency_limit = 1 maildrop_destination_recipient_limit = 1 virtual_transport = dovecot header_checks = regexp:/etc/postfix/header_checks mime_header_checks = regexp:/etc/postfix/mime_header_checks nested_header_checks = regexp:/etc/postfix/nested_header_checks body_checks = regexp:/etc/postfix/body_checks owner_request_special = no smtp_tls_security_level = may smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3 smtpd_tls_protocols = !SSLv2,!SSLv3 smtp_tls_protocols = !SSLv2,!SSLv3 dovecot_destination_recipient_limit = 1 smtpd_sasl_type = dovecot smtpd_sasl_path = private/auth content_filter = amavis:[127.0.0.1]:10024 receive_override_options = no_address_mappings bounce_queue_lifetime = 1d maximal_queue_lifetime = 1d bounce_template_file = /etc/postfix/bounce.es-ES.cf smtpd_helo_required = yes smtpd_delay_reject = yes strict_rfc821_envelopes = yes message_size_limit = 10485760 I also make a copy of the ISPConfig install/configuration script debian_postfix.conf.master for postfix and put this file in /usr/local/ispconfig/server/conf-custom/install directory because I don't want to make this changes every time I update the ISPConfig installation. debian_postfix.conf.master content: Code: alias_maps = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases alias_database = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases virtual_alias_domains = virtual_alias_maps = hash:/var/lib/mailman/data/virtual-mailman, proxy:mysql:{config_dir}/mysql-virtual_forwardings.cf, proxy:mysql:{config_dir}/mysql-virtual_email2email.cf virtual_mailbox_domains = proxy:mysql:{config_dir}/mysql-virtual_domains.cf virtual_mailbox_maps = proxy:mysql:{config_dir}/mysql-virtual_mailboxes.cf virtual_mailbox_base = {vmail_mailbox_base} virtual_uid_maps = static:{vmail_userid} virtual_gid_maps = static:{vmail_groupid} inet_protocols=all smtpd_sasl_auth_enable = yes broken_sasl_auth_clients = yes smtpd_sasl_authenticated_header = yes smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, check_client_access mysql:{config_dir}/mysql-virtual_client.cf, check_sender_access mysql:{config_dir}/mysql-virtual_sender.cf, check_recipient_access mysql:{config_dir}/mysql-virtual_recipient.cf, reject_unauth_pipelining, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, reject_non_fqdn_sender, reject_non_fqdn_recipient{rbl_list} smtpd_use_tls = yes smtpd_tls_security_level = may smtpd_tls_cert_file = {config_dir}/smtpd.cert smtpd_tls_key_file = {config_dir}/smtpd.key transport_maps = hash:/var/lib/mailman/data/transport-mailman, proxy:mysql:{config_dir}/mysql-virtual_transports.cf relay_domains = mysql:{config_dir}/mysql-virtual_relaydomains.cf relay_recipient_maps = mysql:{config_dir}/mysql-virtual_relayrecipientmaps.cf proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks smtpd_client_message_rate_limit = 100 maildrop_destination_concurrency_limit = 1 maildrop_destination_recipient_limit = 1 virtual_transport = maildrop header_checks = regexp:{config_dir}/header_checks mime_header_checks = regexp:{config_dir}/mime_header_checks nested_header_checks = regexp:{config_dir}/nested_header_checks body_checks = regexp:{config_dir}/body_checks owner_request_special = no smtp_tls_security_level = may smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3 smtpd_tls_protocols = !SSLv2,!SSLv3 smtp_tls_protocols = !SSLv2,!SSLv3 smtpd_helo_required = yes smtpd_delay_reject = yes strict_rfc821_envelopes = yes
We have the same problem. Is it okay if i'll do that: Code: smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, check_client_access mysql:/etc/postfix/mysql-virtual_client.cf, check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf, reject_rbl_client bad.psky.me smtpd_sender_restrictions = check_sender_access mysql:/etc/postfix/mysql-virtual_sender.cf smtpd_client_restrictions = Deleted check_client_access mysql:/etc/postfix/mysql-virtual_client.cf from smtpd_client_restrictions and added that line to smtpd_recipient_restrictions. In the ISPC i should make whitelist for domain and type should be Client?
