Applies to Platform: UTM 2.4, UTM 2.5, UTM 3.0
Last updated: 14th May 2014
This lesson guides you through configuring white lists for the SMTP server.
Introduction
If you have enabled the SMTP proxy and use a Realtime Blacklist (RBL) on your Endian UTM Appliance to block spam, you have probably encountered this problem: from time to time your customers complain that they cannot receive emails from certain mailservers. Most often this happens because those mailservers were exploited to send out spam and were therefore blacklisted. This short guide shows how you can whitelist a mailserver in Postfix, to help your customers receive legitimate emails even from a mailserver that happened to be blacklisted.
Recognise a Legitimate Mailserver
If a blacklisted server tries to send mail to your server, you should find something like this in your mail log:
SMTP error from remote mail server after RCPT TO:<bla@example.com>: host mail.example.com [10.10.10.10]: 554 5.7.1 Service unavailable;
Client host [10.10.10.10] blocked using dnsbl.sorbs.net;
Currently Sending Spam See: http://www.sorbs.net/lookup.shtml?10.10.10.10
In this example, the mailserver 10.10.10.10 is blacklisted and emails sent by it are therefore blocked.
Add a Domain in Postfix's White List
Legitimate mailservers can be listed in the /etc/postfix/rbl_override file. Hence, to whitelist that server, edit that file (if it does not yet exist, it will be created):
root@endian:~ # nano /etc/postfix/rbl_override
Note
Then, populate it with all IP addresses or host names, one per line, with OK at the end of each line, as in the example:
10.10.10.10 OK
12.23.34.45 OK
mail.freemailer.tld OK
domain.com OK
email@domain.com OK
email@ OK
After you are done editing the file, you must run:
root@endian:~ # postmap /etc/postfix/rbl_override
Let Postfix Always Read The White List
To make Postfix always read the settings from the file you have just edited, open the file /etc/postfix/main.cf.tmpl and search for the smtpd_client_restrictions and smtpd_sender_restrictions sections.
root@endian:~ # nano /etc/postfix/main.cf.tmpl
Add the line check_client_access hash:/etc/postfix/rbl_override to that section, right after the check_client_access and check_sender_access options, but before the first blacklist.
For example, if the section smtpd_client_restrictions looks like this:
smtpd_client_restrictions =
    check_client_access cidr:/etc/postfix/client_rules,
    permit_mynetworks,
    permit_sasl_authenticated,
#if $RBLS != ''
#for $rbl in $RBLS
#if $rbl.TYPE == 'IP'
    reject_rbl_client $rbl.HOST,
#else
    reject_rhsbl_client $rbl.HOST,
#end if
#end for
#end if
You should modify it to look as follows:
smtpd_client_restrictions =
    check_client_access cidr:/etc/postfix/client_rules,
    check_client_access hash:/etc/postfix/rbl_override,
    permit_mynetworks,
    permit_sasl_authenticated,
#if $RBLS != ''
#for $rbl in $RBLS
#if $rbl.TYPE == 'IP'
    reject_rbl_client $rbl.HOST,
#else
    reject_rhsbl_client $rbl.HOST,
#end if
#end for
#end if
Remember also to modify the smtpd_sender_restrictions section in the same way by adding the line check_client_access hash:/etc/postfix/rbl_override. Then restart Postfix:
root@endian:~ # jobcontrol restart postfix
If your system does not yet feature jobcontrol, use the legacy command:
root@endian:~ # restartsmtpscan
Postfix will apply the new settings and stop blocking legitimate emails from the whitelisted mailservers, and you should now be able to receive emails from them.
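The following shell checks are an added example, not part of the original lesson or of Endian's tooling. They verify the two things the steps above depend on: that every rbl_override entry is a single key followed by OK on its own line, and that the rbl_override lookup is listed before the first RBL check in a restrictions section. The function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example, not Endian tooling. Function names are hypothetical.

# lint_override FILE: report entries that are not exactly "<key> OK".
# Returns 0 when every entry is well formed, 1 otherwise.
lint_override() {
    awk '
        /^[ \t]*(#|$)/ { next }                  # comments and blank lines
        NF != 2 || $2 != "OK" { printf "line %d: %s\n", NR, $0; bad = 1 }
        END { exit bad + 0 }
    ' "$1"
}

# check_order FILE SECTION: is the rbl_override lookup listed in SECTION
# ahead of the first reject_rbl_client / reject_rhsbl_client?
# Returns 0 = yes, 1 = lookup missing, 2 = lookup placed after a blacklist.
check_order() {
    awk -v section="$2" '
        /^[^ \t#]/ { name = $0; sub(/[ \t]*=.*/, "", name); in_sec = (name == section) }
        !in_sec || /^[ \t]*#/ { next }           # other sections, template directives
        /hash:\/etc\/postfix\/rbl_override/ { seen = 1; if (!blacklist) ok = 1 }
        /reject_(rbl|rhsbl)_client/ { blacklist = 1 }
        END { if (ok) exit 0; exit (seen ? 2 : 1) }
    ' "$1"
}

# make_samples DIR: write constructed sample files for trying the checks offline.
make_samples() {
    printf '10.10.10.10 OK\nmail.freemailer.tld OK\n' > "$1/good_override"
    printf '10.10.10.10 OK 12.23.34.45 OK\n' > "$1/flat_override"
    cat > "$1/sample.tmpl" <<'EOF'
smtpd_client_restrictions =
    check_client_access cidr:/etc/postfix/client_rules,
    check_client_access hash:/etc/postfix/rbl_override,
    permit_mynetworks,
#if $RBLS != ''
    reject_rbl_client $rbl.HOST,
#end if
smtpd_sender_restrictions =
    permit_mynetworks,
    reject_rbl_client $rbl.HOST,
    check_client_access hash:/etc/postfix/rbl_override,
EOF
}
```

Run lint_override on /etc/postfix/rbl_override before postmap, and check_order on /etc/postfix/main.cf.tmpl for each of the two sections before restarting Postfix.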