How to test postfix DNSBL whitelist

postfixrblspam

How can I test if my postfix whitelist works correctly (assuming I don't have access to any address currently listed on dnsbl).

I'm not sure if my whitelist works ok.

Here's my config:

smtpd_client_restrictions =
   permit_mynetworks,
   check_client_access hash:/etc/postfix/access,
   reject_rbl_client zen.spamhaus.org,
   permit

smtpd_sender_restrictions =
   permit_mynetworks,
   check_client_access hash:/etc/postfix/access,
   reject_unknown_sender_domain,
   reject_non_fqdn_sender,
   reject_unknown_address,
   reject_sender_login_mismatch,
   reject_unauth_pipelining,
   permit

smtpd_recipient_restrictions =
   permit_mynetworks,
   reject_invalid_hostname,
   reject_unauth_pipelining,
   permit_sasl_authenticated,
   reject_unauth_destination,
   reject_rbl_client dnsbl.sorbs.net,
   reject_rbl_client bl.spamcop.net,
   reject_rbl_client zen.spamhaus.org,
   reject_rbl_client dnsbl-1.uceprotect.net,
   permit

/etc/postfix/access

# dnsbl whitelist

# some client
74.125.82.55 OK
user@example.com OK
example.com OK

# After you are done editing the file, you must run:
# postmap /etc/postfix/access
# and restart postfix

Best Answer

You want to receive a mail that would be rejected based on one of your configured RBLs. You can do so by using a service one of your RBL provider recommends in their FAQ.

In case of crynwr, you can send them an email (using plaintext smtp, which may not be your mail servers default). They will then send you an answer, which should be blocked.

You then want to whitelist the IP of that test service they mention it on their site, but feel free to double check in your logs from the first test. Then run the test again. The received answer should then not be blocked.

That proves the functionality of your whitelist.

Mind that check_client_access and check_helo_access are entirely different things.

Because mail clients occasionally (the bad guys: almost always) lie about who they are, depending on whether you use smtpd_helo_required+reject_unknown_helo_hostname or not may greatly impact how much the effective behaviour matches your expectations of who should be able to ignore RBLs.

Related Topic