postfix/DOC/whitelist_host_ip_address.txt

## - To whitelist a server there are multiple possibilities
## -
## -----
## - 1.)
## -
## - To whitelist a server (name or IP address) or a network, create the file
## - /etc/postfix/rbl_override
## - where you list all IP addresses or host names
## - (one per line!) that you want to whitelist:
## -
## - 1.2.3.4 OK
## - mail.freemailer.tld OK
## - 194.25.134 OK
## - ...
## -
## - (194.25.134 matches the whole 194.25.134.0/24: an indexed btree:/hash:
## - table is searched with trailing octets stripped off one by one. CIDR
## - notation like 194.25.134/24 is only understood by cidr: tables and
## - would never match in this file.)
## -
vim /etc/postfix/rbl_override
## - After you've created/modified that file, you must run:
## -
postmap btree:/etc/postfix/rbl_override
#postmap /etc/postfix/rbl_override
## - Next open
## - /etc/postfix/main.cf
## - and search for the smtpd_recipient_restrictions parameter.
## - Add check_client_access btree:/etc/postfix/rbl_override to
## - that parameter (the table type must match the one you gave to postmap),
## - after reject_unauth_destination, but before the first blacklist.
## -
## - smtpd_recipient_restrictions =
## - ...
## - permit_sasl_authenticated,
## - check_client_access btree:/etc/postfix/rbl_override,
## - #check_client_access hash:/etc/postfix/rbl_override,
## - reject_rbl_client zen.spamhaus.org,
## - ...
## - Now restart postfix:
## -
/etc/init.d/postfix restart
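## - Added example (not part of these notes): a small Python model of the
## - lookup order check_client_access uses on an indexed table, run against
## - the rbl_override entries above. The table content, the client addresses
## - and the hostname are constructed; the lookup order (hostname and its
## - parent domains first, then the address and its parent networks) is
## - assumed to follow Postfix's check_namadr_access.

```python
# Added example, not from the original notes: emulate how check_client_access
# searches an indexed (btree:/hash:) access table such as rbl_override.

# Constructed copy of the rbl_override entries (key -> action).
RBL_OVERRIDE = {
    "1.2.3.4": "OK",
    "mail.freemailer.tld": "OK",
    "194.25.134": "OK",  # the whole 194.25.134.0/24, no CIDR syntax needed
}


def address_keys(ip):
    """'194.25.134.17' -> ['194.25.134.17', '194.25.134', '194.25', '194']
    Postfix strips one trailing octet at a time, so a 3-octet key is a /24."""
    octets = ip.split(".")
    return [".".join(octets[:n]) for n in range(len(octets), 0, -1)]


def hostname_keys(hostname):
    """'mail.freemailer.tld' -> ['mail.freemailer.tld', 'freemailer.tld', 'tld']
    Parent domains match because smtpd_access_maps is listed in
    parent_domain_matches_subdomains by default."""
    labels = hostname.split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


def check_client_access(table, client_ip, client_hostname=None):
    """Return the action of the first matching key, or None if nothing matched.
    The hostname is only consulted when it is known (not 'unknown')."""
    keys = []
    if client_hostname and client_hostname != "unknown":
        keys += hostname_keys(client_hostname)
    keys += address_keys(client_ip)
    for key in keys:
        if key in table:
            return table[key]
    return None


if __name__ == "__main__":
    # Constructed clients: inside and outside the whitelisted /24.
    for ip in ("194.25.134.17", "194.25.135.1"):
        print(ip, check_client_access(RBL_OVERRIDE, ip))
```

A CIDR-style key such as `194.25.134/24` never equals any of the generated keys, which is why it cannot match in a btree: or hash: table.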
## ----
## - Notice:
## - there are also DNS whitelist services, like list.dnswl.org
## - see: http://www.dnswl.org/
## - querying such a service works the same as querying a
## - blacklist server:
## -
## - for example the server 194.25.134.17 (one mailserver from t-online)
## - is blacklisted at bl.spamcop.net. That means the request
## -
## - chris@sol:~$ dig 17.134.25.194.bl.spamcop.net
## -
## - results in an ANSWER SECTION like
## -
## - 17.134.25.194.bl.spamcop.net. 2100 IN A 127.0.0.2
## -
## - ( or using host command:
## - chris@sol:~$ host 17.134.25.194.bl.spamcop.net
## - 17.134.25.194.bl.spamcop.net has address 127.0.0.2 )
## -
## - in contrast to "not found: 3(NXDOMAIN)" for an address that is not blacklisted
## -
## -
## - That t-online server is also (white-)listed at list.dnswl.org, and
## - so the request
## -
## - chris@sol:~$ dig 17.134.25.194.list.dnswl.org
## -
## - results in an ANSWER SECTION like:
## -
## - 17.134.25.194.list.dnswl.org. 12506 IN A 127.0.5.0
## -
## - or, using the host command:
## - chris@sol:~$ host 17.134.25.194.list.dnswl.org
## - 17.134.25.194.list.dnswl.org has address 127.0.5.0
## -
## -
## -----
## -----
## - 2.)
## -
## - You can query more than one blacklist server and also whitelist servers,
## - weight each single result and make a decision based on the overall result.
## -
## - To do so, use the parameters "postscreen_dnsbl_sites" and
## - "postscreen_dnsbl_threshold".
## -
## -
## - Example configuration:
## -
## - postscreen_dnsbl_sites =
## - one.blacklist.server.com*2
## - another.blacklist.server.com
## - third.blacklist.server.com
## - list.dnswl.org*-3
## - postscreen_dnsbl_threshold = 1
## - (1 is the default value; do not put that comment after the value in
## - main.cf, a "#" is only a comment at the start of a line there)
## -
## - If the incoming IP address matches the first blacklist server,
## - you get a result of "2" (because the entry for that blacklist server is
## - weighted with 2).
## - If the IP address matches the second or the third blacklist
## - server, the result is "1" for each of them.
## - If the IP address matches the whitelist server, the result
## - is "-3".
## -
## - Assuming all servers match, the overall result is "2+1+1-3=1".
## - Because 1 is equal to or greater than "1" (the value of the parameter
## - "postscreen_dnsbl_threshold"), the network connection will be dropped
## - (what postscreen actually does at that point is set by
## - postscreen_dnsbl_action, whose default is "ignore").
## -
## - Assuming the first and second blacklist server and also the whitelist
## - server match, the overall result is "2+1-3=0".
## - Because 0 is lower than 1 (the value of the parameter
## - "postscreen_dnsbl_threshold"), the connection will be accepted (at that
## - point).
## -
## -
## - See "man postconf" or site
## - http://www.postfix.org/postconf.5.html for advanced usage
## -
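## - Added example (not part of these notes): a Python model of the weighted
## - scoring that postscreen_dnsbl_sites and postscreen_dnsbl_threshold
## - perform, using the site list above. The client address 192.0.2.10 and
## - the DNS answers are constructed; nothing is looked up on the network.

```python
# Added example, not from the original notes: reproduce postscreen's weighted
# DNSBL scoring for the postscreen_dnsbl_sites example above.

# The example value of postscreen_dnsbl_sites, one entry per site.
# Syntax: domain[*weight]; no weight means 1, a negative weight is a whitelist.
POSTSCREEN_DNSBL_SITES = [
    "one.blacklist.server.com*2",
    "another.blacklist.server.com",
    "third.blacklist.server.com",
    "list.dnswl.org*-3",
]
POSTSCREEN_DNSBL_THRESHOLD = 1  # the default


def parse_site(spec):
    """Split 'domain*weight' into (domain, weight)."""
    domain, _, weight = spec.partition("*")
    return domain, (int(weight) if weight else 1)


def query_name(client_ip, domain):
    """Reversed-octet lookup name, e.g. 17.134.25.194.bl.spamcop.net."""
    return ".".join(reversed(client_ip.split("."))) + "." + domain


def dnsbl_score(client_ip, sites, answers):
    """Sum the weights of all sites that list client_ip.
    answers maps a query name to True when an A record came back;
    a missing key stands for NXDOMAIN, i.e. not listed."""
    score = 0
    for spec in sites:
        domain, weight = parse_site(spec)
        if answers.get(query_name(client_ip, domain)):
            score += weight
    return score


def over_threshold(client_ip, sites, answers, threshold=POSTSCREEN_DNSBL_THRESHOLD):
    """True when the score reaches the threshold; what postscreen then does
    with the connection is governed by postscreen_dnsbl_action."""
    return dnsbl_score(client_ip, sites, answers) >= threshold


# Constructed answers for a made-up client 192.0.2.10 (documentation range).
# Scenario 1: listed on every site, whitelist included -> 2+1+1-3 = 1.
ALL_LISTED = {query_name("192.0.2.10", parse_site(s)[0]): True
              for s in POSTSCREEN_DNSBL_SITES}
# Scenario 2: the first two blacklists plus the whitelist -> 2+1-3 = 0.
TWO_LISTED = {k: v for k, v in ALL_LISTED.items() if "third" not in k}
```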
## -----
## -----
## - 3.)
## -
## - you can use the smtpd restriction "permit_dnswl_client"
## - in main.cf
## -
## - here is an example using list.dnswl.org
## -
## - smtpd_recipient_restrictions =
## - ...
## - permit_sasl_authenticated,
## - permit_dnswl_client list.dnswl.org,
## - reject_rbl_client someblacklist.example.com,
## - reject_rbl_client moreblacklist.example.com,
## - permit_mynetworks,
## - ...
## -
## - To override only for the trust levels "low", "med" and "hi" (see
## - http://www.dnswl.org/tech):
## -
## - smtpd_recipient_restrictions =
## - ...
## - permit_sasl_authenticated,
## - permit_dnswl_client list.dnswl.org=127.0.[0..255].[1..3],
## - reject_rbl_client someblacklist.example.com,
## - permit_mynetworks,
## - reject_unauth_destination
## -
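## - Added example (not part of these notes): a Python check of the reply
## - filter "127.0.[0..255].[1..3]" used with permit_dnswl_client above.
## - The replies are constructed; for list.dnswl.org the last octet is the
## - trust level, so the 127.0.5.0 answer shown earlier (trust "none") does
## - not pass this filter.

```python
# Added example, not from the original notes: evaluate the permit_dnswl_client
# reply filter "127.0.[0..255].[1..3]" against constructed DNSWL replies.
import re

# A filter is four octets, each a plain number or a [low..high] range.
OCTET = r"(\d+|\[\d+\.\.\d+\])"
FILTER = re.compile(r"^" + r"\.".join([OCTET] * 4) + r"$")


def parse_reply_filter(pattern):
    """'127.0.[0..255].[1..3]' -> [(127, 127), (0, 0), (0, 255), (1, 3)]"""
    m = FILTER.match(pattern)
    if not m:
        raise ValueError("bad reply filter: " + pattern)
    ranges = []
    for part in m.groups():
        if part.startswith("["):
            low, high = (int(x) for x in part[1:-1].split(".."))
        else:
            low = high = int(part)
        if not 0 <= low <= high <= 255:
            raise ValueError("octet range out of order or above 255: " + part)
        ranges.append((low, high))
    return ranges


def reply_matches(address, pattern):
    """True if the A record returned by the list falls inside the filter."""
    octets = [int(o) for o in address.split(".")]
    return all(lo <= o <= hi
               for o, (lo, hi) in zip(octets, parse_reply_filter(pattern)))


def dnswl_permits(reply, pattern="127.0.[0..255].[1..3]"):
    """permit_dnswl_client fires only when the lookup returned an address
    (None stands for NXDOMAIN) and that address passes the filter."""
    return reply is not None and reply_matches(reply, pattern)


if __name__ == "__main__":
    # Constructed replies: trust "none", "med", and an unlisted client.
    for reply in ("127.0.5.0", "127.0.5.2", None):
        print(reply, dnswl_permits(reply))
```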
## -----
## - Notice:
## -
## - I have configured some white list entries d.c.b.a.dnswl.oopen.de.
## - see file /opt/tinydns/root/zonefiles/dnswl.oopen.de.zone on
## - a.ns.oopen.de
## -
## - i.e. to avoid blacklisting t-online servers 194.25.134.*, I added
## - the following entry
## - +*.134.25.194.dnswl.oopen.de:127.0.0.2:4300
## -
## - I also added a corresponding TXT record (not needed):
## - '*.134.25.194.dnswl.oopen.de:T-Online:4300
## -
## - corresponding entry in smtpd_recipient_restrictions of main.cf:
## -
## - ...
## - # RBL check - !! comment out if postscreen's postscreen_dnsbl_sites is in use
## - # Whitelist (configured on a.ns.oopen.de
## - # in /opt/tinydns/root/zonefiles/dnswl.oopen.de.zone )
## - permit_dnswl_client dnswl.oopen.de,
## - # Blacklists
## - reject_rbl_client zen.spamhaus.org,
## - reject_rbl_client ix.dnsbl.manitu.net,
## - ...