Segui

RBL Whitelisting in Postfix

Applies to Platform: UTM 2.4, UTM 2.5, UTM 3.0
Last updated: 14th May 2014

This lesson guides you in the configuration of the white lists for smtp server.

Introduction

If you have enabled the Proxy SMTP and use Realtime blacklist (RBL) on your Endian UTM Appliance to block spam, you probably encountered this problem: From time to time your customers complain that they cannot receive emails from certain mailservers. Most often this happens because those mailservers were exploited to send out spam and therefore were blacklisted. This short guide shows how you can whitelist a mail server in Postfix, to help your customers receive legitimate emails even from a mailserver that happend to be blacklisted.

Recognise a Legitimate Mailserver

If a blacklisted server tries to send mail to your server, you should find something like this in your mail log:

SMTP error from remote mail server after RCPT TO:<bla@example.com>: host mail.example.com [10.10.10.10]: 554 5.7.1 Service unavailable; 
Client host [10.10.10.10] blocked using dnsbl.sorbs.net;
Currently Sending Spam See: http://www.sorbs.net/lookup.shtml?10.10.10.10

In this example, the mailserver 10.10.10.10 is blacklisted and emails sent by it are therefore blocked.

Add a Domain in Postfix's White List

Legitimate mailservers can be listed in the /etc/postfix/rbl_override file. Hence, to whitelist that server, edit that file (if it does not yet exist, it will be created):

root@endian:~ # nano /etc/postfix/rbl_override

Note

For a quickstart/cheatsheet of nano, please refer to this lesson.

Then, populate it with all IP addresses or host names, one per line, with the OK at the end of line as in the example:

10.10.10.10 OK
12.23.34.45 OK
mail.freemailer.tld OK
domain.com OK
email@domain.com OK
email@ OK

After you are dome editing the file, you must run:

root@endian~#: postmap /etc/postfix/rbl_override

Let Postfix Always Read The While List

To make opstfix always read the settings from the file you have just edited, open file /etc/postfix/main.cf.tmpl and search for the smtpd_client_restrictions and smtpd_sender_restrictions sections.

root@endian:~ # nano /etc/postfix/main.cf.tmpl

Add the line check_client_access hash:/etc/postfix/rbl_override to that section, right after the check_client_access and check_sender_access options, but before the first blacklist.

For example, if the section smtpd_client_restrictions looks like this:

smtpd_client_restrictions = 
     check_client_access cidr:/etc/postfix/client_rules,
     permit_mynetworks,
     permit_sasl_authenticated,
#if $RBLS != ''
#for $rbl in $RBLS
  #if $rbl.TYPE == 'IP'
     reject_rbl_client $rbl.HOST,
  #else
     reject_rhsbl_client $rbl.HOST,
  #end if
#end for
#end if

You should modify it to look as follows:

smtpd_client_restrictions = 
     check_client_access cidr:/etc/postfix/client_rules,
     check_client_access hash:/etc/postfix/rbl_override,
     permit_mynetworks,
     permit_sasl_authenticated,
#if $RBLS != ''
#for $rbl in $RBLS
  #if $rbl.TYPE == 'IP'
     reject_rbl_client $rbl.HOST,
  #else
     reject_rhsbl_client $rbl.HOST,
  #end if
#end for
#end if

Remember also to modify the smtpd_sender_restrictions section in the same way by adding the line check_client_access hash:/etc/postfix/rbl_override.

That's it! Restart Postfix, and you're done!
root@endian~#: jobcontrol restart postfix

If your system does not yet feature jobcontrol, use the legacy command:

root@endian~#: restartsmtpscan

Postix will apply the new settings and stop blocking legitimate emails from the whitelisted mailservers and you should now be able to receive emails from them.

Questo articolo ti è stato utile?
Utenti che ritengono sia utile: 1 su 1
Altre domande? Invia una richiesta

Commenti