Question about Postfix, SA and rbl checks

Gunnar Wrobel wrobel at
Mon Jun 23 13:53:01 CEST 2008

Hi Jens,

Jens Kleikamp <jens at> writes:

> Hi Guys,
> I got a false positive which is tagged by SA and the
> following rules hit the mail:
> Besides SA I also setup postfix to do some rbl checks as well.
> I set "reject_rbl_client," to the
> smtpd_recipient_restrictions directive.
> Now I try to understand why the mail passed the mta checks, but was hit
> I tried to analyse the source code of the email which is also availeable
> at
> I identify 3 third-party systems in the received headers:
> Sender (DSL Conncection) --> ISP Mailsever (clean) --> mozdev
> mailinglist server (also clean)
> The sender delivered the mail over an authenticated smtp connection to
> his isp mailserver which then sends the mail to the mozdev
> mailinglist-server which then sends the mail to my mailserver.
> My guess is that postfix did a rbl check of the IP from the mozdev
> system which is clean, so mail passed. ( I think this is okay )
> But then SA did not use the mozdev IP but the original sender
> dynamic-dsl IP address for the rbl check. I think that is not
> okay since the dynamic IP of the sender doesn?t have any important
> meaning because the sender used an authenticated smtp session, So it
> should not be used by SA to do rbl checks.

I think Thomas answered this on IRC but to make this more persistend I
just post his response here, too.

08:33 <ThomasAH> Jense: reject_rbl_client only looks at the IP connecting to
      your server, SA looks at more Received: headers



> Thank you in advance
> best regards
> Jens
