DevHeads.net

Bypass restrictions for postmaster/abuse

Hello all,

Is there a best practices for exempting the postmaster/abuse address
from certain smtpd_mumble_restrictions?

For example, we see some small businesses who have trouble getting past
reject_unknown_helo_hostname and reject_unknown_client_hostname and if
we reach out to them, we need to allow their reply to our postmaster
address to get delivered, obviously bypassing the checks that originally
caused the rejections.

I think each organization will have restrictions that they deem
important enough to place even before exemptions for postmaster, but I'd
like to learn what other Postfix administrators have done, how they've
done it, and if there is commonly agreed upon way to approach this.

Thank you!

Comments

Re: Bypass restrictions for postmaster/abuse

By Noel Jones at 03/08/2017 - 19:23

On 3/8/2017 2:53 PM, MRob wrote:

The procedure to whitelist a recipient is to use a
check_recipient_access map prior to whatever rule might reject the
mail. If you have restrictions in each of the smtpd_*_restrictions
sections, then you must add your whitelist in each section.
Exactly how you order your restrictions and where you put the
whitelist may vary depending on your needs.

Simple example assuming all your restrictions are in
smtpd_recipient_restrictions:

# /etc/postfix/whitelist_recipients
<a href="mailto: ... at example dot com"> ... at example dot com</a> OK

# main.cf
smtpd_recipient_restrictions =
permit_mynetworks
reject_unauth_destination
check_recipient_access hash:/etc/postfix/whitelist_recipients
reject_unknown_...
reject_rbl_client ...
... more restrictions ...

Note: make sure your whitelist comes AFTER reject_unauth_destination
to prevent open-relay accidents.
<a href="http://www.postfix.org/SMTPD_ACCESS_README.html#danger" title="http://www.postfix.org/SMTPD_ACCESS_README.html#danger">http://www.postfix.org/SMTPD_ACCESS_README.html#danger</a>

-- Noel Jones

Re: Bypass restrictions for postmaster/abuse

By mrobti at 03/09/2017 - 16:44

On 2017-03-08 15:23, Noel Jones wrote:
Thanks, Noel. Are there any admins with opinions where in the order is
best for postmaster/abuse whitelisting?

Re: Bypass restrictions for postmaster/abuse

By dev rob0 at 03/09/2017 - 18:35

On Thu, Mar 09, 2017 at 12:44:04PM -0800, MRob wrote:
My opinion is "don't do it." I use smtpd_reject_footer to point to
my web page for frustrated human senders. If they're not smart
enough to read the fine error message they got, they're going to
struggle with fixing the problem, also.

One thing my page suggests is that they can contact me through any
typical freemail services, such as gmail, Yahoo, and GMX. Which is
true: my postscreen and smtpd restrictions do not block them.

Re: Bypass restrictions for postmaster/abuse

By mrobti at 03/09/2017 - 20:12

On 2017-03-09 14:35, /dev/rob0 wrote:
OK, that's a great idea. Thank you for the tip. Is this quite common?

Re: Bypass restrictions for postmaster/abuse

By dev rob0 at 03/10/2017 - 01:03

On Thu, Mar 09, 2017 at 04:12:32PM -0800, MRob wrote:
I can't speak to what is common, nor do I think anyone truly can.
But I can tell you my story.

I tried that, once, bypassing restrictions for my postmaster@ and
abuse@ addresses. Of all the addresses I have, my postmaster@
addresses are the most heavily spammed.

My site is small but it cannot be exclusive, because it's a free
software project with worldwide users and contributors. I've only
seen a handful of actual, legitimate messages to postmaster. (And
then a few non-spam that should not have been sent to postmaster,
also.)

Sure, you can do what you want, and in theory it sounds prudent to
exempt postmaster & abuse from spam controls, but in practice, it
turns out only to be a way to get yourself a lot more spam.

I don't have enough rejections to be able to gauge what others are
doing at their sites.

Re: Bypass restrictions for postmaster/abuse

By Viktor Dukhovni at 03/10/2017 - 01:41

At a small enough domain, one can take the view that a RBL listing
in SpamHaus is the sender's problem to resolve, since they'll have
issues sending email to half the planet. Therefore, if you're only
blocking the same things that everyone else does, you don't need
a whitelist. If you're maintaining manual filters beyond what's
common, a whitelist for postmaster may be prudent for such filters.

Re: Bypass restrictions for postmaster/abuse

By Ansgar Wiechers at 03/09/2017 - 05:52

On 2017-03-08 Noel Jones wrote:
This is probably just personal preference, but in addition to
whitelisting postmaster recipients I put a client blacklist before the
whitelist where I block all clients who deemed sending spam to a
postmaster address a good idea.

Regards
Ansgar Wiechers