Reputation: 31
I'm running a Postfix server (2.9.6) on Ubuntu 12.04.05 LTS and spam mails from a certain domain simply won't get rejected, despite an explicit check_client_access list in which the domain in question, example.com, is listed. I tried my reject setup with a well-known mail server (gmx.net) in the same override file and it blocked incoming mails from that server as expected, but for some reason mails from example.com simply go through. I checked whether I made a mistake and somehow whitelisted it somewhere, but I just can't find anything of the sort.
The full blocking-rule entries in main.cf are as follows:
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks,
permit_sasl_authenticated,
reject_invalid_helo_hostname,
reject_non_fqdn_helo_hostname,
warn_if_reject reject_unknown_helo_hostname,
regexp:/etc/postfix/override_helo_access.regexp
smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated
smtpd_sender_restrictions = check_sender_access hash:/var/spool/postfix/plesk/blacklists, permit_sasl_authenticated
smtpd_recipient_restrictions =
permit_mynetworks,
reject_sender_login_mismatch,
permit_sasl_authenticated,
check_client_access hash:/etc/postfix/override_client_access,
check_sender_access hash:/etc/postfix/override_sender_access,
reject_unlisted_sender,
reject_non_fqdn_sender,
reject_non_fqdn_recipient,
reject_unknown_sender_domain,
reject_unknown_recipient_domain,
reject_unknown_reverse_client_hostname,
reject_unknown_client_hostname,
reject_unauth_pipelining,
reject_unauth_destination
smtpd_client_restrictions and smtpd_sender_restrictions (the other blacklist) seem to be handled by Plesk, so I didn't change anything there.
The override_client_access file looks like this (excerpt):
spamdomain.org REJECT
.spamdomain2.com REJECT
example.com REJECT
.example.com REJECT
spamdomain.net REJECT
12.12.12.12 REJECT
I made sure that there are no accidental whitelisting rules for the example.com domain, any of its subdomains, or its corresponding IP address in this file.
The override_sender_access file has only email addresses listed for whitelisting:
[email protected] OK
[email protected] OK
[email protected] OK
This file has only very few emails listed, all of which I checked, so it can't be the cause of accidental whitelisting.
Of course, after every update of any of these files I created the new hash db with the postmap override_sender_access or postmap override_client_access command and then did a postfix reload. As I already mentioned, I tested this setup by simply adding ".gmx.net REJECT" at the end of the override_client_access file and then sending a mail to my mail server from the gmx.net domain, and the rejection worked as expected.
Here's the log file snippet from when the latest spam mail went through just a few hours ago, with all the corresponding settings/files unchanged for a few days:
Jul 24 00:39:35 postfix/smtpd[21873]: connect from mail.example.com[123.123.123.123]
Jul 24 00:39:36 postfix/smtpd[21873]: 0B6A7468A8E: client=mail.example.com[123.123.123.123]
Jul 24 00:39:36 postfix/cleanup[22020]: 0B6A7468A8E: message-id=<[email protected]>
Jul 24 00:39:36 /usr/lib/plesk-9.0/psa-pc-remote[32672]: handlers_stderr: SKIP
Jul 24 00:39:36 /usr/lib/plesk-9.0/psa-pc-remote[32672]: SKIP during call 'limit-out' handler
Jul 24 00:39:36 /usr/lib/plesk-9.0/psa-pc-remote[32672]: handlers_stderr: SKIP
Jul 24 00:39:36 /usr/lib/plesk-9.0/psa-pc-remote[32672]: SKIP during call 'check-quota' handler
Jul 24 00:39:37 postfix/smtpd[21873]: disconnect from mail.example.com[123.123.123.123]
Jul 24 00:39:37 postfix/qmgr[13047]: 0B6A7468A8E: from=<[email protected]>, size=362302, nrcpt=1 (queue active)
Jul 24 00:39:37 postfix-local[22026]: postfix-local: [email protected], [email protected], dirname=/var/qmail/mailnames
Jul 24 00:39:39 spamc[22030]: skipped message, greater than max message size (256000 bytes)
Jul 24 00:39:39 dovecot: service=lda, [email protected], ip=[]. msgid=<[email protected]>: saved mail to INBOX
Jul 24 00:39:39 postfix/pipe[22025]: 0B6A7468A8E: to=<[email protected]>, relay=plesk_virtual, delay=3.4, delays=1.6/0.01/0/1.8, dsn=2.0.0, status=sent (delivered via plesk_virtual_service)
Jul 24 00:39:39 postfix/qmgr[13047]: 0B6A7468A8E: removed
Here's the full postconf -n output as well, in case it's helpful for determining the problem:
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases, hash:/var/spool/postfix/plesk/aliases
append_dot_mydomain = no
biff = no
bounce_queue_lifetime = 20h
config_directory = /etc/postfix
disable_vrfy_command = yes
inet_interfaces = all
inet_protocols = all
mailbox_size_limit = 0
mailman_destination_recipient_limit = 1
maximal_queue_lifetime = 1d
message_size_limit = 536870912
mydestination = localhost.isp.net, localhost, localhost.localdomain
myhostname = mydomain.com
mynetworks = , 127.0.0.0/8, [::1]/128
myorigin = /etc/mailname
non_smtpd_milters =
plesk_virtual_destination_recipient_limit = 1
readme_directory = no
recipient_delimiter = +
relayhost =
sender_dependent_default_transport_maps = hash:/var/spool/postfix/plesk/sdd_transport_maps
smtp_send_xforward_command = yes
smtp_tls_mandatory_protocols = !SSLv2,!SSLv3
smtp_tls_protocols = !SSLv2,!SSLv3
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_use_tls = no
smtpd_authorized_xforward_hosts = 127.0.0.0/8 [::1]/128
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated
smtpd_hard_error_limit = 3
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, warn_if_reject reject_unknown_helo_hostname, regexp:/etc/postfix/override_helo_access.regexp
smtpd_milters = inet:127.0.0.1:12768
smtpd_proxy_timeout = 3600s
smtpd_recipient_restrictions = check_client_access hash:/etc/postfix/override_client_access, permit_mynetworks, reject_sender_login_mismatch, permit_sasl_authenticated, check_sender_access hash:/etc/postfix/override_sender_access, reject_unlisted_sender, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_unknown_reverse_client_hostname, reject_unknown_client_hostname, reject_unauth_pipelining, reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sender_login_maps = mysql:/etc/postfix/mysql_slmaps_exceptions.cf, hash:/var/spool/postfix/plesk/virtual
smtpd_sender_restrictions = check_sender_access hash:/var/spool/postfix/plesk/blacklists, permit_sasl_authenticated
smtpd_soft_error_limit = 2
smtpd_timeout = 3600s
smtpd_tls_cert_file = /etc/postfix/postfix_default.pem
smtpd_tls_ciphers = medium
smtpd_tls_key_file = $smtpd_tls_cert_file
smtpd_tls_loglevel = 1
smtpd_tls_mandatory_ciphers = medium
smtpd_tls_mandatory_protocols = TLSv1 TLSv1.1 TLSv1.2
smtpd_tls_protocols = TLSv1 TLSv1.1 TLSv1.2
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
tls_medium_cipherlist = HIGH:!aNULL:!MD5
transport_maps = , hash:/var/spool/postfix/plesk/transport
virtual_alias_maps = $virtual_maps, hash:/var/spool/postfix/plesk/virtual
virtual_gid_maps = static:31
virtual_mailbox_base = /var/qmail/mailnames
virtual_mailbox_domains = $virtual_mailbox_maps, hash:/var/spool/postfix/plesk/virtual_domains
virtual_mailbox_limit = 0
virtual_mailbox_maps = , hash:/var/spool/postfix/plesk/vmailbox
virtual_transport = plesk_virtual
virtual_uid_maps = static:110
If anyone can point me in the right direction of solving this mystery I'd be very grateful!
Upvotes: 1
Views: 2357
Reputation: 31
It seems I just had a misconception about how the dots in my override_client_access list were interpreted. The documentation made me think that adding a dot before the domain would yield a block of all subdomains including the main domain, yet this was not the case. I now changed the format of the list to
example.com REJECT
.example.com REJECT
example.net REJECT
.example.net REJECT
This makes sure that all current and future versions of Postfix block said domains, no matter which subdomains they possess, if any.
Upvotes: 2
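The behaviour the answer ran into is the lookup order that access(5) documents for indexed tables such as hash:/etc/postfix/override_client_access: for a client hostname Postfix tries the full name and then its parent domains, and the form of the parent keys depends on whether smtpd_access_maps appears in parent_domain_matches_subdomains (it does by default). With the default, the parents are tried as bare domains (example.com, com), so a ".example.com" entry is never consulted; without it, they are tried with a leading dot (.example.com, .com), so a bare "example.com" entry only matches the domain itself. The following is an added example, not code from the question, the answer or Postfix itself: a small emulation of that key sequence, including the IPv4 prefix walk that check_client_access also performs, so you can see which table entries a given client would hit before touching the live server. The function names and the sample table are mine; the table mirrors the excerpt in the question.

```python
"""Emulate the lookup key sequence Postfix uses for check_client_access.

Added example, not from the original post or from Postfix.  It models the
order documented in access(5) for indexed (hash:, btree:, ...) tables:
  1. client hostname, then its parent domains: bare form ("example.com")
     when smtpd_access_maps is listed in parent_domain_matches_subdomains
     (the default), dotted form (".example.com") when it is not;
  2. client IPv4 address, then shorter dotted prefixes.
It does not cover the "unknown" hostname case or IPv6 prefixes.
"""
from typing import Dict, List, Optional

# Constructed sample table mirroring the override_client_access excerpt
# from the question (assumption: these are the only entries).
SAMPLE_TABLE: Dict[str, str] = {
    "spamdomain.org": "REJECT",
    ".spamdomain2.com": "REJECT",
    "example.com": "REJECT",
    ".example.com": "REJECT",
    "spamdomain.net": "REJECT",
    "12.12.12.12": "REJECT",
}


def hostname_keys(hostname: str, parent_matches_subdomains: bool = True) -> List[str]:
    """Keys Postfix tries for a client hostname, in order.

    Default (smtpd_access_maps in parent_domain_matches_subdomains):
        mail.example.com -> example.com -> com
    Otherwise:
        mail.example.com -> .example.com -> .com
    """
    host = hostname.lower().rstrip(".")
    labels = host.split(".")
    keys = [host]
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        keys.append(parent if parent_matches_subdomains else "." + parent)
    return keys


def address_keys(ipv4: str) -> List[str]:
    """Keys Postfix tries for an IPv4 client address: the full address,
    then net.work.addr, net.work and net."""
    octets = ipv4.split(".")
    return [".".join(octets[:n]) for n in range(len(octets), 0, -1)]


def client_access(table: Dict[str, str], hostname: str, ipv4: str,
                  parent_matches_subdomains: bool = True) -> Optional[str]:
    """Return the action of the first matching key (hostname keys first,
    then address keys), or None where Postfix would return DUNNO."""
    for key in hostname_keys(hostname, parent_matches_subdomains) + address_keys(ipv4):
        if key in table:
            return table[key]
    return None


if __name__ == "__main__":
    # The client from the question's log: mail.example.com[123.123.123.123]
    for setting in (True, False):
        for entry in ("example.com", ".example.com"):
            result = client_access({entry: "REJECT"}, "mail.example.com",
                                   "123.123.123.123", setting)
            print(f"parent_matches_subdomains={setting!s:5}  entry={entry:13}  -> {result}")
```

On the live system, `postmap -q mail.example.com hash:/etc/postfix/override_client_access` queries a single key only; it does not perform the parent-domain walk, so query each key the emulation lists (mail.example.com, example.com, com, then the address prefixes) to reproduce what smtpd would do, and check `postconf parent_domain_matches_subdomains` to know which of the two key forms applies. Listing both the bare and the dotted form, as the answer ended up doing, matches under either setting.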