My address IS valid, Facebook!
If you happened to have seen my previous post, Blocking spammers with Postfix alone, you saw that I use SpamCop for one of my RBLs. It’s worked great for years. My whole setup has worked great for over a year now with very minimal changes. Imagine my confusion when Facebook told me that my email address was detected as no longer valid.
So I dug in my mail server’s logs and found that SpamCop had listed some of the Facebook mail servers on their DNS Blacklist.
Example from today:
May 4 18:49:14 sh-srv2 postfix/smtpd[28197]: NOQUEUE: reject: RCPT from outmail006.snc1.tfbnw.net[69.63.178.165]: 554 5.7.1 Service unavailable; Client host [69.63.178.165] blocked using bl.spamcop.net; Blocked - see http://www.spamcop.net/bl.shtml?69.63.178.165; from=<notification+mu_miidm@facebookmail.com> to=<daniel@*don't spam me*> proto=ESMTP helo=<mx-out.facebook.com>
As you can see, Postfix did what it was supposed to do according to my configuration. The problem is, apparently, Facebook doesn’t check the actual server responses and assumes that if a message is undeliverable for any reason, the address is no longer valid. Over the past month, I’ve had 101 messages from Facebook mail servers blocked based on the listing from SpamCop. I can’t tell you how many times I’ve had to click the “reconfirm your current email” link to get the message to go away.
As most experienced Postfix admins know, you can always manipulate Postfix’s access control mechanisms just about any way you can imagine. If you’re an experienced Postfix admin, you can probably move along since you probably already know what I’m going to explain from here.
I don’t know why, but today was the final straw. Once again, SpamCop had listed one of the Facebook mail relays and a message had been rejected. While I had tolerated reconfirming my address before, today I decided that this could be fixed and I was going to share it with the world.
In looking at the server names for all of the blocked Facebook servers, they had a standard naming convention of outmail###.snc1.tfbnw.net. Obviously, tfbnw.net stands for The Facebook Network. My guess is that snc1 is an identifier for a datacenter or something along those lines. I figured that it would be safe enough to whitelist all subdomains of tfbnw.net.
First, I created a new file I called /etc/postfix/rbl_whitelist, which contains the following lines:
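# Facebook
/(^|\.)tfbnw\.net$/ OK
In the first field, I have a regular expression, /(^|\.)tfbnw\.net$/, which matches the tfbnw.net domain and any of its subdomains. The dots are escaped and the pattern is anchored at the end of the name, so a hostname that merely contains the string somewhere (for example, as a label under someone else's domain) does not match. The second field specifies what action Postfix should take when it encounters that pattern. Easy enough. Since I’m using a regexp type table, there’s no need to use postmap.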
Next, I had to tell Postfix that it needed to use this file to check for “client” access, that is, remote servers sending mail destined for my server. Since Postfix evaluates smtpd_client_restrictions in the order they are defined, I simply needed to drop check_client_access regexp:/etc/postfix/rbl_whitelist in before my other restrictions. This made my smtpd_client_restrictions look like this:
smtpd_client_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    check_client_access regexp:/etc/postfix/rbl_whitelist,
    reject_unauth_pipelining,
    reject_rbl_client bl.spamcop.net,
    reject_rbl_client zen.spamhaus.org,
    permit
This causes Postfix to catch anything sent from a Facebook mail relay and accept it before any DNSBL checks are done. Problem solved.
Updated 20 May 2010: I realized that having the check_client_access in the smtpd_recipient_restrictions was not giving the desired results. The check_client_access was being ignored since it was really in the wrong spot. Once I realized that, I also figured out that the reject_rbl_client directives could be moved under smtpd_client_restrictions as well.
Updated 29 May 2010: I got prompted again to confirm my address. I checked whether the inbound hostnames were actually matching on the hash table I was previously using, but they were not, so I moved it to a regexp table instead. I couldn’t figure out why the hash wasn’t working as expected. Perhaps it was due to the multiple levels of subdomains off of tfbnw.net, but the regexp works fine.
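An added example (not from the original post) that emulates a Postfix regexp table lookup offline, so a whitelist pattern can be checked for over-matching before it is placed ahead of the DNSBL checks. It compares an unescaped, unanchored pattern such as /.*.tfbnw.net/ with an anchored one over constructed hostnames. Assumptions: the parser is simplified (only the i flag, no negation or if/endif), and Python's re module stands in for Postfix's regex engine.

```python
import re

# Constructed table contents: a loose pattern and an anchored one.
LOOSE = "# Facebook\n/.*.tfbnw.net/ OK\n"
ANCHORED = "# Facebook\n/(^|\\.)tfbnw\\.net$/ OK\n"

# One rule per line: /pattern/flags action (flags are optional).
RULE = re.compile(r"^/(?P<pat>.*)/(?P<flags>[a-z]*)\s+(?P<action>.+)$")

def parse_table(text):
    """Return [(compiled_regex, action)] in file order, skipping comments and blanks."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE.match(line)
        if m is None:
            raise ValueError(f"unparseable rule: {line!r}")
        # regexp tables are case-insensitive by default; the 'i' flag toggles that off.
        flags = 0 if "i" in m["flags"] else re.IGNORECASE
        rules.append((re.compile(m["pat"], flags), m["action"]))
    return rules

def lookup(rules, client_name):
    """First matching rule wins; a pattern may match anywhere unless anchored."""
    for rx, action in rules:
        if rx.search(client_name):
            return action
    return None

# Constructed hostnames: a relay-style name and look-alikes under other domains.
SAMPLES = [
    "outmail006.snc1.tfbnw.net",
    "OUTMAIL006.SNC1.TFBNW.NET",
    "outmail.tfbnw.net.example.org",
    "mail.xtfbnw-net.example.org",
    "nottfbnw.net",
]

def report(table_text):
    rules = parse_table(table_text)
    return {name: lookup(rules, name) for name in SAMPLES}

if __name__ == "__main__":
    for label, table in (("loose", LOOSE), ("anchored", ANCHORED)):
        print(label)
        for name, action in report(table).items():
            print(f"  {name:32} {action or 'no match, DNSBL checks apply'}")
```

On the mail server itself, postmap -q outmail006.snc1.tfbnw.net regexp:/etc/postfix/rbl_whitelist runs the same lookup against the real table.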
