1

Topic: Trying to use RBL Overrides to whitelist IP Range.

==== Required information ====
- iRedMail version: 0.8.6
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL
- Linux/BSD distribution name and version: CentOS 6.5 64bit
- Related log if you're reporting an issue:
====

Hello, I would like to use /etc/postfix/rbl_override to whitelist ip ranges but it seems to have no effect. I have added "check_client_access hash:/etc/postfix/rbl_override" to smtpd_recipient_restrictions in /etc/postfix/main.cf:

smtpd_recipient_restrictions = reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unlisted_recipient, check_policy_service inet:127.0.0.1:7777, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, check_client_access hash:/etc/postfix/rbl_override, check_policy_service inet:127.0.0.1:10031


Do I have an error in my config?

Thanks!
Luke

----

Spider Email Archiver: On-Premises, lightweight email archiving software developed by iRedMail team. Supports Amazon S3 compatible storage and custom branding.

2

Re: Trying to use RBL Overrides to whitelist IP Range.

*) Excuse me, what do you mean "override the whitelist IP range"?
*) What's the content in /etc/postfix/rbl_override?

3

Re: Trying to use RBL Overrides to whitelist IP Range.

ZhangHuangbin wrote:

*) Excuse me, what do you mean "override the whitelist IP range"?
*) What's the content in /etc/postfix/rbl_override?

Thanks for the reply...sorry I meant "use the rbl_override file to whitelist a range of IP addresses" following this method:

http://www.howtoforge.com/how-to-whitel … in-postfix

Basically I need a method to whitelist IP Addresses, I cannot do this with spamassassin whitelists, only domain names/email addresses.

contents of rbl_override file:

192.168.2.3 OK <- not sure why this is there...it's the IP address of the vm host that the spam filter runs on...
68.178.252.0/24 OK <- here's an example of what I need whitelisted

Thanks,
Luke

4

Re: Trying to use RBL Overrides to whitelist IP Range.

It's clear now.

Postfix checks restriction rules in order, so you can try to move 'check_client_access hash:/etc/postfix/rbl_override' to the front of 'reject_unauth_destination', then reload Postfix service and try again.

5

Re: Trying to use RBL Overrides to whitelist IP Range.

I've moved 'check_client_access hash:/etc/postfix/rbl_override' to the begining of smtpd_recipient_restrictions and also tried before 'reject_unauth_destination', according to logs amavis is still blocking it:

Mar 11 11:45:53 dmzsvr14v amavis[11591]: (11591-03) Blocked SPAM {DiscardedInternal,Quarantined}, LOCAL [68.178.252.56]:48259 [68.178.252.116] <removed for posting> -> <removed for posting>, quarantine: QMj6JGYSL-Ij

Both of those IP addresses were in my rbl_override list, should I be trying to whitelist this IP range elsewhere?

6

Re: Trying to use RBL Overrides to whitelist IP Range.

Whitelisting in Postfix means Postfix will bypass it, but Postfix still inject email into Amavisd for spam/virus scanning. To avoid this, try to use below one in your rbl_override file:

68.178.252.0/24 FILTER smtp-amavis:[127.0.0.1]:10025

7 (edited by lhiggs 2014-03-12 23:01:51)

Re: Trying to use RBL Overrides to whitelist IP Range.

Thanks, it looks as though email is still being injected into amavisd:

-------------
Mar 12 10:26:57 dmzsvr14v postfix/smtpd[24683]: connect from unknown[68.178.252.62]
Mar 12 10:26:58 dmzsvr14v postfix/smtpd[24683]: 089F9261B7: client=unknown[68.178.252.62]
Mar 12 10:26:58 dmzsvr14v postfix/cleanup[24690]: 089F9261B7: message-id=<20140312072707.5b4f25f727a5c5de20a4ea30b6d3b795.88d81a8a07.wbe@email22.secureserver.net>
Mar 12 10:26:58 dmzsvr14v postfix/qmgr[24679]: 089F9261B7: from=<removed>, size=1088, nrcpt=1 (queue active)
Mar 12 10:27:00 dmzsvr14v amavis[24594]: (24594-01) Blocked SPAM {DiscardedInternal,Quarantined}, LOCAL [68.178.252.62]:59125 [68.178.252.116] <removed> -> <removed>, quarantine: jMu9K3eZC-Mi, Message-ID: <20140312072707.5b4f25f727a5c5de20a4ea30b6d3b795.88d81a8a07.wbe@email22.secureserver.net>, mail_id: jMu9K3eZC-Mi, Hits: 1002.381, size: 1088, 2559 ms
Mar 12 10:27:01 dmzsvr14v postfix/smtp[24694]: 089F9261B7: to=<removed>, relay=127.0.0.1[127.0.0.1]:10024, delay=3.1, delays=0.46/0.01/0.01/2.7, dsn=2.7.0, status=sent (250 2.7.0 Ok, discarded, id=24594-01 - spam)
--------------

Here is the smtpd_recipient_restrictions line in main.cf:

smtpd_recipient_restrictions = reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unlisted_recipient, check_policy_service inet:127.0.0.1:7777, permit_mynetworks, permit_sasl_authenticated, check_client_access hash:/etc/postfix/rbl_override, reject_unauth_destination, check_policy_service inet:127.0.0.1:10031


And here is what my rbl_override file looks like:

68.178.252.0/24 FILTER smtp-amavis:[127.0.0.1]:10025

I have also tried using each IP rather than the CIDR notation. From my own reading it sounds like we need to inject emails from there to postfix on port 10025 so it will bypass amavis? Thanks for your help.

Luke

8

Re: Trying to use RBL Overrides to whitelist IP Range.

Oops, my mistake. sorry.

Please try below steps instead to avoid Amavisd+SpamAssassin scanning.

1) Append port '10026' in Amavisd config file (/etc/amavisd/amavisd.conf), parameter "$inet_socket_port". For example:

$inet_socket_port = [10024, 10026];

2) Add below settings in Amavisd config file:

$interface_policy{'10026'} = 'BYPASS';

$policy_bank{'BYPASS'} = {
   originating => 1,
   bypass_spam_checks_maps   => [1],  # don't spam-check this mail
   bypass_banned_checks_maps => [1],  # don't banned-check this mail
   bypass_header_checks_maps => [1],  # don't header-check this mail  
};

3) Restart Amavisd service.
4) Update your rbl_override file, use port 10026 instead of 10025. For example:

68.178.252.0/24 FILTER smtp-amavis:[127.0.0.1]:10026

NOTE: If IP range doesn't work, try single IP address instead.

9

Re: Trying to use RBL Overrides to whitelist IP Range.

Hmm, still not able to get this to work, it's still blocking the spam test emails I'm sending. I made the above changes, here is what I now have in amavisd.conf:

$inet_socket_port = [10024, 9998, 10026];
# $inet_socket_port = [10024, 9998]; <---this was original, changed above to enable IP whitelisting with rbl_override file - LNH

# Added below to use rbl_override file for IP whitelisting - LNH

$interface_policy{'10026'} = 'BYPASS';

$policy_bank{'BYPASS'} = {
   originating => 1,
   bypass_spam_checks_maps   => [1],  # don't spam-check this mail
   bypass_banned_checks_maps => [1],  # don't banned-check this mail
   bypass_header_checks_maps => [1],  # don't header-check this mail
};

# end LNH add

I have a script that gen all 255 ip addresses in rbl_override:

68.178.252.1 FILTER smtp-amavis:[127.0.0.1]:10026
68.178.252.2 FILTER smtp-amavis:[127.0.0.1]:10026
...

Thanks,
luke

10

Re: Trying to use RBL Overrides to whitelist IP Range.

Does removing 'originating => 1,' work for you? Don't forget to restart Amavisd service.

11

Re: Trying to use RBL Overrides to whitelist IP Range.

Going back to your original suggestion of using 68.178.252.0/24 FILTER smtp-amavis:[127.0.0.1]:10025 in the rbl_override file does seem to bypass amavisd scanning, however I'm using this: $forward_method = 'smtp:[192.168.2.15]:25'; to forward emails to an exchange server and these don't get blocked as spam but do not get forwarded either.

What should I change to allow this forwarding?

Thanks so much!

12

Re: Trying to use RBL Overrides to whitelist IP Range.

Since my intention is to forward all legit email to a external exchange server I was able to have postfix forward email directly to exchange using this filter in my rbl_override file:

68.178.252 FILTER smtp:[192.168.2.15]:25

Not sure why this didn't click with me before but there it is.

NOTE: Postfix doesn't read 68.178.252.0/24 CIDR notation but it did read 68.178.252.

Thanks,
Luke

13

Re: Trying to use RBL Overrides to whitelist IP Range.

Again, Does removing 'originating => 1,' work for you? Don't forget to restart Amavisd service.

14

Re: Trying to use RBL Overrides to whitelist IP Range.

No, this code did not work for me:

/etc/amavisd/amavisd.conf:
$inet_socket_port = [10024, 9998, 10026];

$interface_policy{'10026'} = 'BYPASS';

$policy_bank{'BYPASS'} = {
   bypass_spam_checks_maps   => [1],  # don't spam-check this mail
   bypass_banned_checks_maps => [1],  # don't banned-check this mail
   bypass_header_checks_maps => [1],  # don't header-check this mail
};

/etc/postfix/rbl_override:
68.178.252.1 FILTER smtp-amavis:[127.0.0.1]:10026
68.178.252.2 FILTER smtp-amavis:[127.0.0.1]:10026
...

Any thing sent from those IP addresses are still blocked as spam.

Thanks,
Luke

15

Re: Trying to use RBL Overrides to whitelist IP Range.

Did you see log like below one in Postfix log file? (Please ignore the mail address, hostname, helo name in below log.)

Mar 19 07:28:55 c6 postfix/smtpd[2284]: NOQUEUE: filter: RCPT from c6.iredmail.org[127.0.0.1]: <c6.iredmail.org[127.0.0.1]>: Client host triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<postmaster@a.cn> to=<postmaster@a.cn> proto=ESMTP helo=<c6>

It works for me with below steps:

1) Postfix main.cf:

smtpd_recipient_restrictions = ..., check_client_access hash:/etc/postfix/rbl_override, permit_mynetworks, permit_sasl_authenticated, ...

2) File /etc/postfix/rbl_override:

# I use private IP for testing.
172.16.244.1 FILTER smtp-amavis:[127.0.0.1]:10026

68.178.252.2 FILTER smtp-amavis:[127.0.0.1]:10026

Execute command to generate file used by Postfix:

# postmap hash:/etc/postfix/rbl_override

3) Amavisd config file:

$inet_socket_port = [10024, 9998, 10026];
$interface_policy{'10026'} = 'BYPASS';
$policy_bank{'BYPASS'} = {
   bypass_spam_checks_maps   => [1],  # don't spam-check this mail
   bypass_banned_checks_maps => [1],  # don't banned-check this mail
   bypass_header_checks_maps => [1],  # don't header-check this mail 
};

Restart Amavisd service.

4) Sending email from my laptop which has IP address 172.16.244.1.
As mentioned above, you can see log "Client host triggers FILTER smtp-amavis:[127.0.0.1]:10026" in Postfix log file. And Amavisd bypasses spam+virus scanning for this email.

Works like as expected. I guess the problem is you have wrong order of restriction rules in Postfix smtpd_recipient_restrictions.

16 (edited by lhiggs 2014-03-19 04:01:19)

Re: Trying to use RBL Overrides to whitelist IP Range.

Strange, re configuring and using your information from last post works now. I must have had a typo somewhere. It does log the client host triggering the FILTER smtp-amavis:[127.0.0.1]:10026...in /var/log/maillog

Also it is now forwarding the email to the exchange server where it wasn't before when I did get it to trigger the filter, which is strange. I might have to do some further testing to find out about that. I appreciate your persistence, thank you!

Luke

17

Re: Trying to use RBL Overrides to whitelist IP Range.

Okay, my apologies, I was looking at the test email from earlier before I reconfigured...yes it is triggering the filter, still blocking as spam though:

/var/log/maillog:

Mar 18 16:04:52 dmzsvr14v postfix/smtpd[22609]: connect from unknown[68.178.252.172]
Mar 18 16:04:52 dmzsvr14v postfix/smtpd[22609]: NOQUEUE: filter: RCPT from unknown[68.178.252.172]: <unknown[68.178.252.172]>: Client host triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<admin@aquariandesign.com> to=<joe@lukehiggs.com> proto=ESMTP helo=<p3plwbeout23-06.prod.phx3.secureserver.net>
Mar 18 16:04:52 dmzsvr14v policyd: connection from: 127.0.0.1 port: 47146 slots: 0 of 2044 used
Mar 18 16:04:52 dmzsvr14v policyd: rcpt=5, whitelist=update, host=68.178.252.172 (unknown), from=admin@aquariandesign.com, to=joe@lukehiggs.com, size=858
Mar 18 16:04:52 dmzsvr14v postfix/smtpd[22609]: C626326DC2: client=unknown[68.178.252.172]
Mar 18 16:04:53 dmzsvr14v postfix/cleanup[22615]: C626326DC2: message-id=<20140318130457.5b4f25f727a5c5de20a4ea30b6d3b795.6a68713b04.wbe@email23.secureserver.net>
Mar 18 16:04:53 dmzsvr14v postfix/qmgr[10674]: C626326DC2: from=<admin@aquariandesign.com>, size=1089, nrcpt=1 (queue active)
Mar 18 16:04:54 dmzsvr14v postfix/smtpd[22622]: connect from dmzsvr14v.cblaw.int.coatsandbennett.com[127.0.0.1]
Mar 18 16:04:54 dmzsvr14v postfix/smtpd[22622]: 2CDF426DD7: client=dmzsvr14v.cblaw.int.coatsandbennett.com[127.0.0.1]
Mar 18 16:04:54 dmzsvr14v postfix/cleanup[22615]: 2CDF426DD7: message-id=<SAWLniRotjc3Nl@dmzsvr14v.cblaw.int.coatsandbennett.com>
Mar 18 16:04:54 dmzsvr14v postfix/qmgr[10674]: 2CDF426DD7: from=<postmaster@dmzsvr14v.cblaw.int.coatsandbennett.com>, size=3867, nrcpt=1 (queue active)
Mar 18 16:04:54 dmzsvr14v postfix/smtpd[22622]: disconnect from dmzsvr14v.cblaw.int.coatsandbennett.com[127.0.0.1]
Mar 18 16:04:54 dmzsvr14v amavis[10701]: (10701-05) Blocked SPAM {DiscardedInternal,Quarantined}, ORIGINATING LOCAL [68.178.252.172]:41977 [68.178.252.245] <admin@aquariandesign.com> -> <joe@lukehiggs.com>, quarantine: WLniRotjc3Nl, Message-ID: <20140318130457.5b4f25f727a5c5de20a4ea30b6d3b795.6a68713b04.wbe@email23.secureserver.net>, mail_id: WLniRotjc3Nl, Hits: 1002.381, size: 1089, 1090 ms
Mar 18 16:04:54 dmzsvr14v postfix/smtp[22619]: C626326DC2: to=<joe@lukehiggs.com>, relay=127.0.0.1[127.0.0.1]:10026, delay=1.7, delays=0.5/0.01/0.01/1.2, dsn=2.7.0, status=sent (250 2.7.0 Ok, discarded, id=10701-05 - spam)
Mar 18 16:04:54 dmzsvr14v postfix/qmgr[10674]: C626326DC2: removed

/etc/amavisd/amavisd.conf:

$inet_socket_port = [10024, 9998, 10026];

$interface_policy{'10026'} = 'BYPASS';

$policy_bank{'BYPASS'} = {
   bypass_spam_checks_maps   => [1],  # don't spam-check this mail
   bypass_banned_checks_maps => [1],  # don't banned-check this mail
   bypass_header_checks_maps => [1],  # don't header-check this mail
};

/etc/postfix/main.cf:
...
smtpd_recipient_restrictions = check_client_access hash:/etc/postfix/rbl_override, reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unlisted_recipient, check_policy_service inet:127.0.0.1:7777, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, check_policy_service inet:127.0.0.1:10031
...

/etc/postfix/rbl_override:

68.178.252 FILTER smtp-amavis:[127.0.0.1]:10026

After editing rbl_override file i have ran # postmap /etc/postfix/rbl_override and restarted postfix, also restarted amavisd service.

18

Re: Trying to use RBL Overrides to whitelist IP Range.

No idea yet, sorry.