From: Michael.Larsen on 9 Aug 2010 13:47

I have a very simple postfix relay set up with client.access, sender.access and recipient.access rules. I need to set it up such that it will relay *all addresses* from a specific host, but keep the default rejection for all other hosts unless the address is specified in sender.access or recipient.access. In other words, for one specific host, I want to disable rejection for all email addresses. I've read a ton of documentation, but don't see a way to accomplish this. My original thought was that it has to be a common configuration, but I'm not able to find specific examples of configuring it. Any help would be appreciated.

From: Stan Hoeppner on 9 Aug 2010 15:14

Michael.Larsen(a)wellsfargo.com put forth on 8/9/2010 12:47 PM:

> I have a very simple postfix relay set up with client.access, sender.access and recipient.access rules. I need to set it up such that it will relay *all addresses* from a specific host, but keep the default rejection for all other hosts unless the address is specified in sender.access or recipient.access. In other words, for one specific host, I want to disable rejection for all email addresses. I've read a ton of documentation, but don't see a way to accomplish this. My original thought was that it has to be a common configuration, but I'm not able to find specific examples of configuring it. Any help would be appreciated.

You simply need a global whitelist. Here's how I do it:

smtpd_recipient_restrictions =
        permit_mynetworks
        reject_unauth_destination
        check_recipient_access hash:/etc/postfix/whitelist
        check_sender_access hash:/etc/postfix/whitelist
        check_client_access hash:/etc/postfix/whitelist
        check_client_access hash:/etc/postfix/blacklist
        check_client_access proxy:regexp:/etc/postfix/fqrdns.regexp
        check_client_access pcre:/etc/postfix/ptr-tld.pcre
        check_client_access proxy:${cidr}/countries
        check_client_access proxy:${cidr}/spammer
        check_client_access proxy:${cidr}/misc-spam-srcs
        reject_unknown_reverse_client_hostname
        reject_non_fqdn_sender
        reject_non_fqdn_helo_hostname
        reject_invalid_helo_hostname
        reject_unknown_helo_hostname
        reject_unlisted_recipient
        reject_rbl_client zen.spamhaus.org
        reject_rhsbl_client dbl.spamhaus.org
        reject_rhsbl_sender dbl.spamhaus.org
        reject_rhsbl_helo dbl.spamhaus.org
        check_policy_service inet:127.0.0.1:60000

Note the three whitelist entries at the top of the restrictions. This guarantees that a whitelisted host name, IP address, sender domain, sender address, or recipient address is allowed. Putting these checks at the top of your restriction list is the key.

If you're still using the 4 separate restriction sections in main.cf, now is a good time to go with the consolidated "everything under recipient restrictions" style list. This makes it easier to comprehend the flow of what you're trying to do with your restrictions. It also allows you to white list things, which is very difficult to do with the 4 sections style due to ordering and "first match wins".

With the above style, the first match truly wins. With the 4 section style, the first match only wins for a section, but when the next section is processed, if a match is found, the previous match is overridden. Thus, you could whitelist something in, say, smtpd_client_restrictions, only to have the connection rejected by an entry in smtpd_helo_restrictions.

Following the style/format above should yield the results you are looking for.

--
Stan
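
Added example, not part of the thread and not Postfix's own code: a simplified Python model of the list evaluation described in the reply above, showing a whitelisted client rejected by a later section in the four-section layout but permitted when the whitelist check leads one consolidated list. The addresses, hostnames and the reduced "contains a dot" FQDN checks are constructed assumptions, and permit_mynetworks and reject_unauth_destination are left out.

```python
# Simplified model of smtpd restriction-list evaluation (illustration only).
# Restriction names mirror Postfix's; hosts and table contents are constructed.

WHITELIST = {"192.0.2.10"}  # constructed: client IP that should bypass later checks

def check_client_whitelist(s):
    return "OK" if s["client"] in WHITELIST else "DUNNO"

def reject_non_fqdn_helo_hostname(s):  # reduced check: no dot means not an FQDN
    return "REJECT" if "." not in s["helo"] else "DUNNO"

def reject_non_fqdn_sender(s):  # reduced check on the sender's domain part
    return "REJECT" if "." not in s["sender"].rpartition("@")[2] else "DUNNO"

def evaluate_list(restrictions, s):
    """Left to right; the first OK or REJECT ends this list. End of list = permit."""
    for r in restrictions:
        result = r(s)
        if result != "DUNNO":
            return result, r.__name__
    return "OK", "end of list"

def evaluate(lists, s):
    """Lists run in order; OK only ends its own list, REJECT ends the request."""
    for name, restrictions in lists:
        result, by = evaluate_list(restrictions, s)
        if result == "REJECT":
            return f"REJECT by {by} in {name}"
    return "PERMIT"

FOUR_SECTIONS = [
    ("smtpd_client_restrictions", [check_client_whitelist]),
    ("smtpd_helo_restrictions", [reject_non_fqdn_helo_hostname]),
    ("smtpd_sender_restrictions", [reject_non_fqdn_sender]),
]
CONSOLIDATED = [
    ("smtpd_recipient_restrictions",
     [check_client_whitelist, reject_non_fqdn_helo_hostname, reject_non_fqdn_sender]),
]

# Constructed sessions: an internal app server with a sloppy HELO, and an unknown host.
app_server = {"client": "192.0.2.10", "helo": "appsrv", "sender": "cron@appsrv"}
stranger = {"client": "203.0.113.7", "helo": "appsrv", "sender": "cron@appsrv"}

if __name__ == "__main__":
    for label, lists in (("four sections", FOUR_SECTIONS), ("consolidated", CONSOLIDATED)):
        print(label, "| whitelisted:", evaluate(lists, app_server),
              "| other:", evaluate(lists, stranger))
```
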