Thread: RBL whitelisting individual addresses?

  1. #1
    Join Date
    Feb 2013
    Location
    NY
    Posts
    23
    Rep Power
    2

    RBL whitelisting individual addresses?

    SORBS and other RBLs we use block legitimate emails on occasion, although the ones being blocked are from legitimately blacklisted freemail servers (Google's, Yahoo's, etc.).

    My main question here is, is the postfix_rbl_override only for domains, or can individual addresses be listed here as well?
    example
    yahoo.com OK <-- This works for us
    example@yahoo.com OK <-- Does not seem to be working for us

    When I get notified of these addresses I add them to both RBLs and SpamAssassin whitelists
    /opt/zimbra/conf/postfix_rbl_override
    /opt/zimbra/conf/salocal.cf.in

    Here is my /conf/zmconfigd/smtpd_recipient_restrictions.cf

    %%contains VAR:zimbraServiceEnabled cbpolicyd, check_policy_service inet:localhost:@@cbpolicyd_bind_port@@%%
    reject_non_fqdn_recipient
    check_client_access hash:/opt/zimbra/conf/postfix_rbl_override
    reject_unlisted_recipient
    %%contains VAR:zimbraMtaRestriction reject_invalid_helo_hostname%%
    %%contains VAR:zimbraMtaRestriction reject_non_fqdn_helo_hostname%%
    %%contains VAR:zimbraMtaRestriction reject_non_fqdn_sender%%
    %%contains VAR:zimbraMtaRestriction reject_unknown_client_hostname%%
    %%contains VAR:zimbraMtaRestriction reject_unknown_helo_hostname%%
    %%contains VAR:zimbraMtaRestriction reject_unknown_sender_domain%%
    %%explode reject_rbl_client VAR:zimbraMtaRestrictionRBLs%%
    %%contains VAR:zimbraMtaRestriction check_policy_service unix:private/policy%%
    permit

    I then run ...
    postmap /opt/zimbra/conf/postfix_rbl_override
    zmamavisdctl restart & zmmtactl restart

    Thank you for your help!

  2. #2
    Join Date
    Feb 2013
    Location
    NY
    Posts
    23
    Rep Power
    2

    ....

    Is whitelisting individual addresses in Postfix working for anyone else?

  3. #3
    Join Date
    Feb 2013
    Location
    NY
    Posts
    23
    Rep Power
    2

    After a week of testing, you cannot whitelist individual addresses here for RBLs. Domains and IPs work A-OK.

    Hopefully this information will help someone in the future. Still looking into how to RBL whitelist individual addresses, with no success.

  4. #4
    Join Date
    Feb 2013
    Location
    NY
    Posts
    23
    Rep Power
    2

    In further attempts to bring light to the elusive Zimbra 8 RBL individual address whitelist I found this in another thread... Which appears to also be wrong.

    I created
    /opt/zimbra/conf/RBL_WHITELIST_EMAIL_ADDRESS

    In this file it looks something like this,
    Code:
    #     Current "postfix_rbl_override" is on a domain level.
    #     This new /opt/zimbra/conf/RBL_WHITELIST_EMAIL_ADDRESS is
    #     intended for individual email addresses.
    #
    #     Procedure is to ...
    #      Edit  
    #        "vi /opt/zimbra/conf/postfix_rbl_override"
    #      Update 
    #         "postmap /opt/zimbra/conf/RBL_WHITELIST_EMAIL_ADDRESS"
    #      Restart
    #        "zmmtactl restart" and "zmamavisdctl restart"
    #
    #     This file then needs to be added to the beginning of ...
    #        "/opt/zimbra/conf/zmconfigd/smtpd_recipient_restrictions.cf"
    #    
    #     Which will look something like ...          
    #        %%contains VAR:zimbraServiceEnabled cbpolicyd, check_policy_service inet:localhost:@@cbpolicyd_bind_port@@%%
    #        reject_non_fqdn_recipient
    #        check_recipient_access hash:/opt/zimbra/conf/RBL_WHITELIST_EMAIL_ADDRESS
    #        check_client_access hash:/opt/zimbra/conf/postfix_rbl_override
    #        reject_unlisted_recipient
    #        %%contains VAR:zimbraMtaRestriction reject_invalid_helo_hostname%%
    #        %%contains VAR:zimbraMtaRestriction reject_non_fqdn_helo_hostname%%
    
    myemail@freemail.com OK
    youremail@freemail.com OK
    etc@etc.com OK

    I then
    postmap /opt/zimbra/conf/RBL_WHITELIST_EMAIL_ADDRESS

    then
    zmmtactl restart
    zmamavisdctl restart

    Here is my /opt/zimbra/conf/zmconfigd/smtpd_recipient_restrictions.cf
    Code:
    %%contains VAR:zimbraServiceEnabled cbpolicyd, check_policy_service inet:localhost:@@cbpolicyd_bind_port@@%%
    reject_non_fqdn_recipient
    check_recipient_access hash:/opt/zimbra/conf/RBL_WHITELIST_EMAIL_ADDRESS
    check_client_access hash:/opt/zimbra/conf/postfix_rbl_override
    reject_unlisted_recipient
    %%contains VAR:zimbraMtaRestriction reject_invalid_helo_hostname%%
    %%contains VAR:zimbraMtaRestriction reject_non_fqdn_helo_hostname%%
    %%contains VAR:zimbraMtaRestriction reject_non_fqdn_sender%%
    %%contains VAR:zimbraMtaRestriction reject_unknown_client_hostname%%
    %%contains VAR:zimbraMtaRestriction reject_unknown_helo_hostname%%
    %%contains VAR:zimbraMtaRestriction reject_unknown_sender_domain%%
    %%explode reject_rbl_client VAR:zimbraMtaRestrictionRBLs%%
    %%contains VAR:zimbraMtaRestriction check_policy_service unix:private/policy%%
    permit

    However, this is not whitelisting the individual email addresses in the WHITELIST file.

    Maybe, just maybe, I will receive a response as to whether this is possible.

  5. #5
    Join Date
    Mar 2011
    Posts
    11
    Rep Power
    4

    Hi Brianw,

    In general: whitelisting of individual addresses should work the same way as for domains. Zimbra is simply using Postfix's access restrictions (man 5 access or Postfix manual - access(5)).
    I have been using this on plain Postfix systems for years without any problem.

    I.

    You wrote:
        I then
        postmap /opt/zimbra/conf/RBL_WHITELIST_EMAIL_ADDRESS
        then
        zmmtactl restart
        zmamavisdctl restart

    Could you please post the resulting /opt/zimbra/postfix/conf/main.cf or even better the output of 'postconf -n | grep smtpd_recipient_restrictions'?
    Because in Zimbra 8 and at least until 8.0.4 I found a bug, which I reported here: Bug 82984 - SASL authenticated mail submitted to port 25 from remote networks is incorrectly checked/rejected by Zimbra Server's DNSBL checks
    And it seems you have the same problem. So let's see if your effective smtpd_recipient_restrictions parameter is correct.

    II.

    But if I understand you correctly: you want to whitelist e-mail senders, am I right? In this case, check_recipient_access is the wrong table.
    Instead you should use something like this:

    check_sender_access hash:/opt/zimbra/conf/RBL_WHITELIST_SENDER_ADDRESS

    As an example from my configuration:

    - in main.cf:
    [...]
    check_sender_access hash:/etc/postfix/access_sender,
    [...]

    - access_sender:
    [...]
    foo@example.com reject
    bar@example.com permit_auth_destination,reject
    example.net permit_auth_destination,reject
    example.org reject

    This has the following effect:

    - mails from 'foo@example.com' are rejected
    - mails from 'bar@example.com' are accepted (if they are to my destination) = whitelisted
    - mails from the whole domain 'example.net' are accepted (if they are to my destination) = whitelisted
    - mails from the whole domain 'example.org' are rejected


    Hope this helps.

    Regards
    mwche

  6. #6
    Join Date
    Mar 2011
    Posts
    11
    Rep Power
    4

    Two weeks ago or so I sent a reply to this thread but unfortunately the moderators didn't release it.
    Was something wrong with my post?

    Regards

    Now a moderator released my previous post - thank you very much!
    Last edited by mwche; 11-04-2013 at 07:12 AM.

  7. #7
    Join Date
    Feb 2013
    Location
    NY
    Posts
    23
    Rep Power
    2

    [zimbra@webmail ~]$ postconf -n | grep smtpd_recipient_restrictions
    smtpd_recipient_restrictions = reject_non_fqdn_recipient, check_recipient_access hash:/opt/zimbra/conf/RBL_WHITELIST_EMAIL_ADDRESS, check_client_access hash:/opt/zimbra/conf/postfix_rbl_override, reject_unlisted_recipient, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_rbl_client b.barracudacentral.org, permit

    I took out our other 4 RBLs which sometimes catch false positives (even though the Google/Yahoo server really is blacklisted). They were spamhaus, spamcop, sorbs and abuseat. I'd like to add them back in if I can whitelist individual addresses coming in.

  8. #8
    Join Date
    Mar 2011
    Posts
    11
    Rep Power
    4

    Thanks for the reply.
    Did you already try what I wrote in paragraph II? Looking at your postconf -n output, I assume you didn't: there's no 'check_sender_access ...'. Or did I misunderstand you?

    Regards,
    mwche

  9. #9
    Join Date
    Feb 2013
    Location
    NY
    Posts
    23
    Rep Power
    2

    If I understand correctly, I am currently using check_recipient_access where I should be using check_sender_access? Check sender access will check emails being sent to my server, not emails being sent from my server?

  10. #10
    Join Date
    Mar 2011
    Posts
    11
    Rep Power
    4

    Originally posted by Brianw:
        If I understand correctly, I am currently using check_recipient_access where I should be using check_sender_access?

    If I understand your intention

        My main question here is, is the postfix_rbl_override only for domains, or can individual addresses be listed here as well?
        example
        yahoo.com OK <-- This works for us
        example@yahoo.com OK <-- Does not seem to be working for us

    correctly: yes. If you use 'check_sender_access', then you have a map with sender addresses which shall be whitelisted. See the example in my former post.

        Check sender access will check emails being sent to my server, not emails being sent from my server?

    From Postfix's point of view: all these checks are done with all mails that are received by smtpd (that's why this parameter is called 'smtpd_recipient_restrictions'), regardless of whether the mail is going from an internal sender to an external recipient or vice versa.
    But this doesn't matter, nor is it a problem at all. That's simply the usual behavior.

    Regards
    mwche
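
Added example (not code from the thread or from Postfix): a simplified Python model of which lookup keys each check_*_access restriction tries, and how a match placed ahead of reject_rbl_client short-circuits the RBL check. The session values, the `rbl.example` list and all function names are constructed assumptions.

```python
# Added example: simplified model of Postfix access(5) lookups; not Postfix code.

def parents(name):
    labels = name.lower().split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]

def email_keys(addr):
    # Address lookups try user@domain, then the domain and its parents, then user@
    user, _, domain = addr.lower().partition("@")
    return [f"{user}@{domain}", *parents(domain), f"{user}@"]

def client_keys(host, ip):
    # Client lookups use only the connecting host's name and IP, never an address
    octets = ip.split(".")
    return parents(host) + [".".join(octets[:n]) for n in (4, 3, 2, 1)]

def evaluate(restrictions, table, s):
    """Walk the restriction list in order; the first decisive result wins."""
    for kind, arg in restrictions:
        if kind == "reject_rbl_client":
            if arg in s["listed_on"]:
                return "REJECT"
            continue
        keys = {"check_client_access": client_keys(s["client"], s["ip"]),
                "check_sender_access": email_keys(s["sender"]),
                "check_recipient_access": email_keys(s["rcpt"])}[kind]
        if any(table.get(k) == "OK" for k in keys):
            return "PERMIT"
    return "PERMIT"  # trailing "permit" in the thread's restriction list

# Constructed SMTP session: a freemail relay that is on the (placeholder) RBL
SESSION = {"client": "mta7.freemail.example", "ip": "192.0.2.25",
           "sender": "alice@freemail.example", "rcpt": "bob@corp.example",
           "listed_on": {"rbl.example"}}

def verdict(check, entry):
    """Result when `entry OK` is the only line in the map used by `check`."""
    rules = [(check, "map"), ("reject_rbl_client", "rbl.example")]
    return evaluate(rules, {entry: "OK"}, SESSION)

if __name__ == "__main__":
    for check, entry in [("check_client_access", "freemail.example"),
                         ("check_client_access", "alice@freemail.example"),
                         ("check_recipient_access", "alice@freemail.example"),
                         ("check_sender_access", "alice@freemail.example")]:
        print(f"{check:24} {entry:24} -> {verdict(check, entry)}")
```

The envelope sender is supplied by the connecting client, so an `OK` keyed on a sender address also exempts any host that forges that address from the RBL check.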
