241897 Re: Whitelist a host using check_client_access before the rbl check?
- Aug 4, 2008
Stan Hoeppner wrote:
> Hello Nicolas,
This will not fix the OP's issue because client_restrictions occur
> Try this:
> Remove 'check_client_access hash:/etc/postfix/client_access' from
> smtpd_recipient_restrictions. Add the following line in main.cf
> somewhere before/above smtpd_recipient_restrictions:
> smtpd_client_restrictions = hash:/etc/postfix/client_access
> And make sure you 'postmap /etc/postfix/client_access' any time you
> make changes to the file. And obviously, 'postfix reload' whenever
> you make changes to main.cf.
This also does not deny any hosts with the line you posted above so it's
really worthless, due to the implied permit at the end of the
Since the check fails in recipient_restrictions, an exception must be
placed before the rbl_check there.
As Charles already pointed out, he was simply using the wrong check,
even though a HELO whitelist is somewhat dangerous to trust (easily forged).
> Hope this helps.
> Nicolas KOWALSKI wrote:
>> I would like to whitelist a specific host, because it is currently
>> listed in the zen rbl, but I am unable to do so.
>> Here is a sample log of the rejected host connecting to my postfix:
>> Aug 4 14:17:17 petole postfix/smtpd: connect from
>> Aug 4 14:17:17 petole postfix/smtpd: setting up TLS
>> connection from 225.96.68-86.rev.gaoland.net[188.8.131.52]
>> Aug 4 14:17:17 petole postfix/smtpd: TLS connection
>> established from 225.96.68-86.rev.gaoland.net[184.108.40.206]: TLSv1
>> with cipher ADH-AES256-SHA (256/256 bits)
>> Aug 4 14:17:18 petole postfix/smtpd: NOQUEUE: reject: RCPT
>> from 225.96.68-86.rev.gaoland.net[220.127.116.11]: 554 5.7.1 Service
>> unavailable; Client host [18.104.22.168] blocked using
>> zen.spamhaus.org; http://www.spamhaus.org/query/bl?ip=22.214.171.124;
>> from=<nicolas.kowalski@...> to=<niko@...>
>> proto=ESMTP helo=<demisel.dyndns.org>
>> Aug 4 14:17:18 petole postfix/smtpd: disconnect from
>> - I added the following line (full postconf -n below) to the
>> smtpd_recipient_restrictions, before the rbl check:
>> check_client_access hash:/etc/postfix/client_access
>> - /etc/postfix/client_access contains:
>> demisel.dyndns.org OK
>> - the full configuration:
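
Added example, not part of the thread and not Postfix code: a simplified Python model of first-match evaluation in smtpd_recipient_restrictions. It shows why a client_access table keyed on the HELO name never matches, and why the exception has to come before the RBL check. The address 192.0.2.25 and the dictionary tables are constructed placeholders; only exact-key lookups are modelled, and restrictions such as permit_mynetworks and reject_unauth_destination are left out.

```python
# Simplified model of how Postfix walks smtpd_recipient_restrictions:
# restrictions are evaluated left to right and the first OK/REJECT decides.
# Constructed sample data: the address is from a documentation range.
CLIENT = {"name": "225.96.68-86.rev.gaoland.net",  # reverse-DNS name from the log
          "addr": "192.0.2.25",                    # placeholder, not the real IP
          "helo": "demisel.dyndns.org"}            # HELO name from the log
RBL_LISTED = {"192.0.2.25"}                        # stands in for zen.spamhaus.org

def access_lookup(table, keys):
    """Return the first table action found for any key, else None (DUNNO)."""
    for key in keys:
        if key in table:
            return table[key]
    return None

def evaluate(restrictions, client):
    """Return (decision, deciding_restriction) for one RCPT TO command."""
    for name, arg in restrictions:
        if name == "check_client_access":
            # Keyed on the connecting host's name or address, never on HELO.
            action = access_lookup(arg, [client["name"], client["addr"]])
        elif name == "check_helo_access":
            # Keyed on whatever the client sent after HELO/EHLO (forgeable).
            action = access_lookup(arg, [client["helo"]])
        elif name == "reject_rbl_client":
            # arg is the zone name; the zone itself is modelled by RBL_LISTED.
            action = "REJECT" if client["addr"] in RBL_LISTED else None
        else:
            raise ValueError("restriction not modelled: " + name)
        if action in ("OK", "REJECT"):
            return action, name
    return "OK", "implicit permit"   # nothing matched: end of list permits

RBL = ("reject_rbl_client", "zen.spamhaus.org")
# 1. The original poster's table: HELO name used as a client_access key.
op_config = [("check_client_access", {"demisel.dyndns.org": "OK"}), RBL]
# 2. Same check, keyed on the client address, placed before the RBL check.
by_addr = [("check_client_access", {"192.0.2.25": "OK"}), RBL]
# 3. Correct key but placed after the RBL check: the reject wins first.
too_late = [RBL, ("check_client_access", {"192.0.2.25": "OK"})]
# 4. HELO-based exception: matches, but any client can send this HELO.
by_helo = [("check_helo_access", {"demisel.dyndns.org": "OK"}), RBL]

if __name__ == "__main__":
    for label, cfg in [("op_config", op_config), ("by_addr", by_addr),
                       ("too_late", too_late), ("by_helo", by_helo)]:
        print(label, evaluate(cfg, CLIENT))
```

In a real main.cf, an OK result from check_client_access ends smtpd_recipient_restrictions for that client, so the exception belongs after reject_unauth_destination and before reject_rbl_client.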