How can I test if my postfix whitelist works correctly (assuming I don't have access to any address currently listed on dnsbl)?
I'm not sure if my whitelist works ok.
Here's my config:
smtpd_client_restrictions =
    permit_mynetworks,
    check_client_access hash:/etc/postfix/access,
    reject_rbl_client zen.spamhaus.org,
    permit

smtpd_sender_restrictions =
    permit_mynetworks,
    check_client_access hash:/etc/postfix/access,
    reject_unknown_sender_domain,
    reject_non_fqdn_sender,
    reject_unknown_address,
    reject_sender_login_mismatch,
    reject_unauth_pipelining,
    permit

smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_invalid_hostname,
    reject_unauth_pipelining,
    permit_sasl_authenticated,
    reject_unauth_destination,
    reject_rbl_client dnsbl.sorbs.net,
    reject_rbl_client bl.spamcop.net,
    reject_rbl_client zen.spamhaus.org,
    reject_rbl_client dnsbl-1.uceprotect.net,
    permit

/etc/postfix/access
# dnsbl whitelist
# some client
74.125.82.55 OK
[email protected] OK
example.com OK
# After you are done editing the file, you must run:
# postmap /etc/postfix/access
# and restart postfix
You want to receive a mail that would be rejected based on one of your configured RBLs. You can do so by using a service one of your RBL providers recommends in their FAQ.
In case of crynwr, you can send them an email (using plaintext smtp, which may not be your mail server's default). They will then send you an answer, which should be blocked. You then want to whitelist the IP of that test service; they mention it on their site, but feel free to double check in your logs from the first test. Then run the test again. The received answer should then not be blocked.
That proves the functionality of your whitelist.
Mind that check_client_access and check_helo_access are entirely different things. Because mail clients occasionally (the bad guys: almost always) lie about who they are, whether you use smtpd_helo_required + reject_unknown_helo_hostname or not may greatly impact how much the effective behaviour matches your expectations of who should be able to ignore RBLs.
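
An added example, not part of the original question or answer: a simplified Python model of the restriction lists above, for predicting what the second test mail should do before sending it. It assumes Postfix's documented behaviour that each smtpd_*_restrictions list is evaluated separately and that an OK result ends only the current list; the set of DNSBL-listed clients and the `WITH_RCPT_WHITELIST` variant are constructed for illustration.

```python
# Added example: simplified model of Postfix smtpd_*_restrictions evaluation.
# Assumption (documented Postfix behaviour): every list is evaluated on its own;
# OK/permit ends only the current list, a reject in any list refuses the mail.

ACCESS = {"74.125.82.55": "OK", "example.com": "OK"}  # client keys from the page's map

# The page's lists, reduced to the entries that decide the DNSBL outcome.
PAGE_CONFIG = {
    "client": ["check_client_access", "reject_rbl_client", "permit"],
    "recipient": ["reject_rbl_client", "permit"],
}
# Hypothetical variant: the same map is also consulted in the recipient list,
# after reject_unauth_destination and before the DNSBL checks.
WITH_RCPT_WHITELIST = {
    "client": ["check_client_access", "reject_rbl_client", "permit"],
    "recipient": ["check_client_access", "reject_rbl_client", "permit"],
}

def client_lookup(ip, hostname, table):
    """Simplified access(5) client lookup: hostname, parent domains, IP, parent networks."""
    labels, octets = hostname.split("."), ip.split(".")
    keys = [".".join(labels[i:]) for i in range(len(labels))]
    keys += [".".join(octets[:i]) for i in range(4, 0, -1)]
    return next((table[k] for k in keys if k in table), None)

def evaluate(config, ip, hostname, listed):
    """Return the verdict for one client; `listed` stands in for the DNSBL answers."""
    for stage, rules in config.items():
        for rule in rules:
            if rule == "check_client_access" and client_lookup(ip, hostname, ACCESS) == "OK":
                break  # whitelisted: skip the rest of THIS list only
            if rule == "reject_rbl_client" and ip in listed:
                return f"REJECT at {stage} stage"
            if rule == "permit":
                break
    return "ACCEPT"

if __name__ == "__main__":
    # Constructed test data: pretend these clients are on a DNSBL.
    listed = {"74.125.82.55", "192.0.2.10"}
    for name, cfg in (("page config", PAGE_CONFIG), ("variant", WITH_RCPT_WHITELIST)):
        for ip in ("74.125.82.55", "192.0.2.10", "198.51.100.7"):
            print(f"{name:12} {ip:15} {evaluate(cfg, ip, 'unknown', listed)}")
```

In this model the whitelisted client passes the client list but is still refused by the DNSBL checks in the recipient list, so the mail log from the second test is where to confirm which list produced the verdict.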