Re: Whitelist a host using check_client_access before the rbl check?

[Brian Evans - Postfix List]

Stan Hoeppner wrote:
Hello Nicolas,
Try this:

Remove 'check_client_access hash:/etc/postfix/client_access' from 
smtpd_recipient_restrictions.  Add the following line in main.cf 
somewhere before/above smtpd_recipient_restrictions:

smtpd_client_restrictions = hash:/etc/postfix/client_access

And make sure you 'postmap /etc/postfix/client_access' any time you 
make changes to the file.  And obviously, 'postfix reload' whenever 
you make changes to main.cf.

This will not fix the OP's issue because client_restrictions occur 
before recipient_restrictions.
This also does not deny any hosts with the line you posted above so it's 
really worthless, due to the implied permit at the end of the 
client_restrictions.

Since the check fails in recipient_restrictions, an exception must be 
placed before the rbl_check there.

As Charles already pointed out, he was simply using the wrong check,  
even though a HELO whitelist is somewhat dangerous to trust (easily forged).

Brian

Hope this helps.

Stan




Nicolas KOWALSKI wrote:
Hello,

I would like to whitelist a specific host, because it is currently 
listed in the zen rbl, but I am unable to do so.

Here is a sample log of the rejected host connecting to my postfix:

Aug  4 14:17:17 petole postfix/smtpd[23545]: connect from 
225.96.68-86.rev.gaoland.net[86.68.96.225]
Aug  4 14:17:17 petole postfix/smtpd[23545]: setting up TLS 
connection from 225.96.68-86.rev.gaoland.net[86.68.96.225]
Aug  4 14:17:17 petole postfix/smtpd[23545]: TLS connection 
established from 225.96.68-86.rev.gaoland.net[86.68.96.225]: TLSv1 
with cipher ADH-AES256-SHA (256/256 bits)
Aug  4 14:17:18 petole postfix/smtpd[23545]: NOQUEUE: reject: RCPT 
from 225.96.68-86.rev.gaoland.net[86.68.96.225]: 554 5.7.1 Service 
unavailable; Client host [86.68.96.225] blocked using 
zen.spamhaus.org; http://www.spamhaus.org/query/bl?ip=86.68.96.225; 
from=<[EMAIL PROTECTED]> to=<[EMAIL PROTECTED]> 
proto=ESMTP helo=<demisel.dyndns.org>
Aug  4 14:17:18 petole postfix/smtpd[23545]: disconnect from 
225.96.68-86.rev.gaoland.net[86.68.96.225]


- I added the following line (full postconf -n below) to the 
smtpd_recipient_restrictions, before the rbl check:

check_client_access hash:/etc/postfix/client_access


- /etc/postfix/client_access contains:
demisel.dyndns.org OK


- the full configuration: