
241897 Re: Whitelist a host using check_client_access before the rbl check?

  • Brian Evans - Postfix List
    Aug 4, 2008
      Stan Hoeppner wrote:
      > Hello Nicolas,
      >
      > Try this:
      >
      > Remove 'check_client_access hash:/etc/postfix/client_access' from
      > smtpd_recipient_restrictions. Add the following line in main.cf
      > somewhere before/above smtpd_recipient_restrictions:
      >
      > smtpd_client_restrictions = hash:/etc/postfix/client_access
      >
      > And make sure you 'postmap /etc/postfix/client_access' any time you
      > make changes to the file. And obviously, 'postfix reload' whenever
      > you make changes to main.cf.

      This will not fix the OP's issue because client_restrictions occur
      before recipient_restrictions.
      This also does not deny any hosts with the line you posted above so it's
      really worthless, due to the implied permit at the end of the
      client_restrictions.

      Since the check fails in recipient_restrictions, an exception must be
      placed before the rbl_check there.

      As Charles already pointed out, he was simply using the wrong check,
      even though a HELO whitelist is somewhat dangerous to trust (easily forged).

      Brian
      >
      > Hope this helps.
      >
      > Stan
      >
      >
      >
      >
      > Nicolas KOWALSKI wrote:
      >> Hello,
      >>
      >> I would like to whitelist a specific host, because it is currently
      >> listed in the zen rbl, but I am unable to do so.
      >>
      >> Here is a sample log of the rejected host connecting to my postfix:
      >>
      >> Aug 4 14:17:17 petole postfix/smtpd[23545]: connect from
      >> 225.96.68-86.rev.gaoland.net[86.68.96.225]
      >> Aug 4 14:17:17 petole postfix/smtpd[23545]: setting up TLS
      >> connection from 225.96.68-86.rev.gaoland.net[86.68.96.225]
      >> Aug 4 14:17:17 petole postfix/smtpd[23545]: TLS connection
      >> established from 225.96.68-86.rev.gaoland.net[86.68.96.225]: TLSv1
      >> with cipher ADH-AES256-SHA (256/256 bits)
      >> Aug 4 14:17:18 petole postfix/smtpd[23545]: NOQUEUE: reject: RCPT
      >> from 225.96.68-86.rev.gaoland.net[86.68.96.225]: 554 5.7.1 Service
      >> unavailable; Client host [86.68.96.225] blocked using
      >> zen.spamhaus.org; http://www.spamhaus.org/query/bl?ip=86.68.96.225;
      >> from=<nicolas.kowalski@...> to=<niko@...>
      >> proto=ESMTP helo=<demisel.dyndns.org>
      >> Aug 4 14:17:18 petole postfix/smtpd[23545]: disconnect from
      >> 225.96.68-86.rev.gaoland.net[86.68.96.225]
      >>
      >>
      >> - I added the following line (full postconf -n below) to the
      >> smtpd_recipient_restrictions, before the rbl check:
      >>
      >> check_client_access hash:/etc/postfix/client_access
      >>
      >>
      >> - /etc/postfix/client_access contains:
      >> demisel.dyndns.org OK
      >>
      >>
      >> - the full configuration:
      >>
      >>
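The evaluation order this thread turns on, as an added example (a simplified Python model, not Postfix code and not from any poster): `check_client_access` looks up the client hostname and IP address, never the HELO name, and an `OK` ends only the restriction list it appears in. The rule lists are assumptions reduced to the two checks under discussion, and the RBL lookup is replaced by a constructed set.

```python
# Simplified model of Postfix smtpd restriction evaluation (illustration only).
# Session values are copied from the log quoted in the thread.
SESSION = {"client_name": "225.96.68-86.rev.gaoland.net",
           "client_addr": "86.68.96.225",
           "helo": "demisel.dyndns.org"}
RBL_LISTED = {"86.68.96.225"}  # constructed stand-in for the zen.spamhaus.org lookup

def client_keys(session):
    """Keys a client access lookup tries: hostname, parent domains, IP, networks."""
    labels = session["client_name"].split(".")
    octets = session["client_addr"].split(".")
    names = [".".join(labels[i:]) for i in range(len(labels))]
    nets = [".".join(octets[:i]) for i in range(4, 0, -1)]
    return names + nets  # the HELO name is never consulted

def check_client_access(table):
    """Build a rule that returns the table action for the first matching key."""
    def rule(session):
        for key in client_keys(session):
            if key in table:
                return table[key]
        return "DUNNO"
    return rule

def reject_rbl_client(session):
    return "REJECT" if session["client_addr"] in RBL_LISTED else "DUNNO"

def evaluate(restriction_lists, session):
    """Lists run in order; REJECT is final, OK ends only the current list."""
    for rules in restriction_lists:
        for rule in rules:
            result = rule(session)
            if result == "REJECT":
                return "REJECT"
            if result == "OK":
                break  # skip the rest of this list, continue with the next list
    return "OK"  # implied permit once every list has passed

helo_keyed = check_client_access({"demisel.dyndns.org": "OK"})  # table as posted
ip_keyed = check_client_access({"86.68.96.225": "OK"})          # keyed by client IP

def outcomes():
    """[client list, recipient list] for the three setups discussed."""
    return {
        "op_config": evaluate([[], [helo_keyed, reject_rbl_client]], SESSION),
        "client_list_only": evaluate([[ip_keyed], [reject_rbl_client]], SESSION),
        "ip_before_rbl": evaluate([[], [ip_keyed, reject_rbl_client]], SESSION),
    }
```

Only the third setup, an exception keyed on the connecting address and placed ahead of the RBL check in the recipient list, lets the listed host through.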