## - To whitelist a server there are multiple possibilities
## -
## -----
## - 1.)
## -
## - To whitelist a server (name or IP address) or a network, create the file
## - /etc/postfix/rbl_override
## - where you list all IP addresses or host names
## - (one per line!) that you want to whitelist:
## -
## - 1.2.3.4 OK
## - mail.freemailer.tld OK
## - 194.25.134 OK
## - ...
## - vim /etc/postfix/rbl_override
## -
## - Note on networks: an indexed table (btree: or hash:) matches a client
## - address first in full and then with octets truncated from the right
## - (194.25.134, 194.25, 194), so a network is written as a dotted-octet
## - prefix like "194.25.134". CIDR notation such as 194.25.134.0/24 only
## - works in a cidr: table (cidr:/etc/postfix/rbl_override, which needs no
## - postmap). See access(5).
## -
## - After you've created/modified that file, you must run:
## - postmap btree:/etc/postfix/rbl_override
## - (or "postmap /etc/postfix/rbl_override", which builds a table of the
## - default_database_type, normally hash:; whichever you build must be the
## - same type as the one named in main.cf)
## - You can verify a key with:
## - postmap -q 194.25.134 btree:/etc/postfix/rbl_override
## - which prints "OK" when the entry is present.
## -
## - Next open
## - /etc/postfix/main.cf
## - and search for the smtpd_recipient_restrictions parameter.
## - Add check_client_access btree:/etc/postfix/rbl_override to
## - that parameter, after reject_unauth_destination, but before
## - the first blacklist. The order matters: "OK" ends the evaluation of the
## - whole restriction list with PERMIT, so a check_client_access placed
## - before reject_unauth_destination turns the server into an open relay
## - for every whitelisted client (unless relay control is done in
## - smtpd_relay_restrictions, Postfix 2.10 and later).
## -
## - smtpd_recipient_restrictions =
## -   ...
## -   permit_sasl_authenticated,
## -   check_client_access btree:/etc/postfix/rbl_override,
## -   #check_client_access hash:/etc/postfix/rbl_override,
## -   reject_rbl_client zen.spamhaus.org,
## -   ...
## - Now restart postfix (a "postfix reload" is enough for main.cf changes):
## - /etc/init.d/postfix restart
## ----
## - Notice:
## - there are also whitelist DNS services, like list.dnswl.org
## - see: http://www.dnswl.org/
## - Querying such a service works the same as querying a
## - blacklist server:
## -
## - for example the server 194.25.134.17 (one mail server of t-online)
## - is blacklisted at bl.spamcop.net. That means the query
## -
## - chris@sol:~$ dig 17.134.25.194.bl.spamcop.net
## -
## - results in an ANSWER SECTION like
## -
## - 17.134.25.194.bl.spamcop.net. 2100 IN A 127.0.0.2
## -
## - ( or using the host command:
## - chris@sol:~$ host 17.134.25.194.bl.spamcop.net
## - 17.134.25.194.bl.spamcop.net has address 127.0.0.2 )
## -
## - in contrast to "not found: 3(NXDOMAIN)" in the case of a not blacklisted one
## -
## -
## - That t-online server is also (white-)listed at list.dnswl.org and
## - so the query
## -
## - chris@sol:~$ dig 17.134.25.194.list.dnswl.org
## -
## - results in an ANSWER SECTION like:
## -
## - 17.134.25.194.list.dnswl.org. 12506 IN A 127.0.5.0
## -
## - or rather
## - chris@sol:~$ host 17.134.25.194.list.dnswl.org
## - 17.134.25.194.list.dnswl.org has address 127.0.5.0
## -
## -
## -----
## -----
## - 2.)
## -
## - You can query more than one blacklist server and also whitelist servers,
## - weight each single result and make the decision on the overall result.
## -
## - To do so, use the parameters "postscreen_dnsbl_sites" and
## - "postscreen_dnsbl_threshold". Both only take effect when postscreen(8)
## - is enabled in master.cf (Postfix 2.8 and later).
## -
## -
## - Example configuration:
## -
## - postscreen_dnsbl_sites =
## -   one.blacklist.server.com*2
## -   another.blacklist.server.com
## -   third.blacklist.server.com
## -   list.dnswl.org*-3
## - postscreen_dnsbl_threshold = 1   # (the default value)
## - postscreen_dnsbl_action = enforce
## -
## - The last line is needed: with the default postscreen_dnsbl_action = ignore
## - postscreen only logs the score and lets the client through. With
## - "enforce" it rejects the client's mail commands with 550 (and logs
## - helo/sender/recipient), with "drop" it hangs up at once with 521.
## -
## - If the IP address of the incoming connection is listed at the first
## - blacklist server, that gives a score of "2" (because the entry for that
## - blacklist server is weighted with 2).
## - If it is listed at the second or the third blacklist server, each of
## - them gives "1" (the default weight).
## - If it is listed at the whitelist server, that gives "-3".
## -
## - Assuming all four servers match, the overall result is "2+1+1-3=1".
## - Because 1 is equal to or greater than "1" (the value of the parameter
## - "postscreen_dnsbl_threshold"), the connection is rejected.
## -
## - Assuming the first and second blacklist servers and also the whitelist
## - server match, the overall result is "2+1-3=0".
## - Because 0 is lower than 1 (the value of the parameter
## - "postscreen_dnsbl_threshold"), the connection is accepted (at that
## - point; the normal smtpd_*_restrictions still apply afterwards).
## -
## - Note: without a filter, any answer from list.dnswl.org counts, including
## - the 127.0.x.0 answers that dnswl.org returns for trust level "none".
## - The same =d.d.d.d filter syntax as in 3.) works here, e.g.
## -   list.dnswl.org=127.0.[0..255].[1..3]*-3
## -
## - See "man 5 postconf" or
## - http://www.postfix.org/postconf.5.html for advanced usage
## -
## -----
## -----
## - 3.)
## -
## - You can use the Postfix main.cf parameter "permit_dnswl_client"
## - (Postfix 2.8 and later)
## -
## - here is an example using list.dnswl.org
## -
## - smtpd_recipient_restrictions =
## -   ...
## -   permit_sasl_authenticated,
## -   permit_dnswl_client list.dnswl.org,
## -   reject_rbl_client someblacklist.example.com,
## -   reject_rbl_client moreblacklist.example.com,
## -   permit_mynetworks,
## -   ...
## -
## - To override only for "low", "med" and "hi" (see
## - http://www.dnswl.org/tech):
## -
## - smtpd_recipient_restrictions =
## -   ...
## -   permit_sasl_authenticated,
## -   permit_dnswl_client list.dnswl.org=127.0.[0..255].[1..3],
## -   reject_rbl_client someblacklist.example.com,
## -   permit_mynetworks,
## -   reject_unauth_destination
## -
## - dnswl.org answers 127.0.<category>.<trust>; the last octet is the trust
## - level (0 = none, 1 = low, 2 = med, 3 = hi). The filter above therefore
## - ignores answers like the 127.0.5.0 shown in 1.) for 194.25.134.17.
## -
## - Caution: in this second example permit_dnswl_client comes BEFORE
## - reject_unauth_destination. On Postfix versions before 2.10 (or when
## - smtpd_relay_restrictions is empty) that makes the server an open relay
## - for every dnswl-listed client. Either put reject_unauth_destination
## - before it, as in 1.), or rely on smtpd_relay_restrictions (default since
## - 2.10: permit_mynetworks, permit_sasl_authenticated,
## - defer_unauth_destination).
## -
## -----
## - Notice:
## -
## - I have configured some whitelist entries d.c.b.a.dnswl.oopen.de.
## - see file /opt/tinydns/root/zonefiles/dnswl.oopen.de.zone on
## - a.ns.oopen.de
## -
## - i.e. to avoid blacklisting t-online servers 194.25.134.*, I added
## - the following entry
## - +*.134.25.194.dnswl.oopen.de:127.0.0.2:4300
## -
## - I also added a corresponding TXT record (not needed):
## - '*.134.25.194.dnswl.oopen.de:T-Online:4300
## -
## - corresponding entry in smtpd_recipient_restrictions of main.cf:
## -
## -   ...
## -   # RBL check - !! comment out if postscreen's postscreen_dnsbl_sites is in use
## -   # Whitelist (configured on a.ns.oopen.de
## -   # in /opt/tinydns/root/zonefiles/dnswl.oopen.de.zone )
## -   permit_dnswl_client dnswl.oopen.de,
## -   # Blacklists
## -   reject_rbl_client zen.spamhaus.org,
## -   reject_rbl_client ix.dnsbl.manitu.net,
## -   ...