Input Whitelisting T-Online, GMX etc. by dnswl.org

[Bitpalast]

Some well known Internet access providers use very few mail-out (sender) IPs for their SMTP servers. Normally, many of their SMTP servers are blacklisted, because of the millions of customers a few have been sending spam through them. When you are using a DNSBL like Spamcop in Plesk, mails from such providers will be blocked. As normally only a limited number of spam is actually coming from these providers, it can be a good idea to add the dnswl.org whitelist to the DNSBL service in your mail service.

This has been a Plesk feature request for many years listed here:

Implement DNS Whitelists

Plesk does not currently support DNS Whitelists like it does RBLs, such as the list at dnswl.org. There needs to be a way to add this from the Plesk UI. The Postfix main.cf config directive is permit_dnswl_client. Whenever a Plesk upgrade happens, the setting, if added is removed and needs to be...

plesk.uservoice.com

However, due to a very low vote count it has never been considered for implementation.

Anyway, while testing I found that it is easily possible to add list.dnswl.org to /etc/postfix/main.cf. The entry is maintained even through updates of the corresponding setting in Plesk GUI. When you add the entry to Posfix, the IPs of well known and normally reliable senders are excluded from blacklist tests, so that all the legitimate mail will pass. To add, simply modify /etc/postfix/main.cf

For example it could look similar to this after modification:
smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, permit_dnswl_client list.dnswl.org, reject_rbl_client sbl.spamhaus.org, reject_rbl_client xbl.someblacklist.org, reject_rbl_client someotherblacklist.org

Save the modification, then
# service postfix restart
and you are all set.

 

[Hangover2]

Any changes made to main.cf will be overridden on a regular basis. There is also a feature request since many years:

Allow customization of /etc/postfix/main.cf

 

[Bitpalast]

Any changes made to main.cf will be overridden on a regular basis. There is also a feature request since many years:

Allow customization of /etc/postfix/main.cf

No, they will not. For SMTP configuration Plesk only overwrites parts that are configurable in Plesk. All other parts of main.cf are retained. This includes RBLS that are directly written into main.cf.

 

[mcac]

I have made the following settings for 2 servers since some months:
smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, permit_dnswl_client list.dnswl.org, reject_rbl_client dnsbl-1.uceprotect.net, reject_rbl_client rbl.interserver.net, reject_rbl_client bl.0spam.org, reject_rbl_client bl.blocklist.de, reject_rbl_client multi.surbl.org, reject_rbl_client b.barracudacentral.org, reject_rbl_client psbl.surriel.com, reject_rbl_client dnsrbl.swinog.ch, reject_rbl_client black. junkemailfilter.com, reject_rbl_client bl.suomispam.net, reject_rbl_client dnsbl.dronebl.org, reject_rbl_client truncate.gbudb.net, reject_rbl_client all.s5h.net, reject_rbl_client bl.spamcop.net
So I've activated the whitelist and any blacklists. However, emails are still arriving that should actually be blocked. Just today, another email arrived with an IP address that appears in numerous blacklists listed above (not just one) and NOT in the whitelist of list.dnswl.org (check at Search dnswl.org data – dnswl.org). So, it should actually have been blocked. In the logs, I see that emails are still being blocked. So, the spam blocking is working, but unfortunately, it's not reliable. Without “permit_dnswl_client list.dnswl.org” too much is blocked, with “permit_dnswl_client list.dnswl.org” too little is blocked or is not blocked reliably.
Have anybody an idea to solve this problem?