Stan Hoeppner wrote:
Hello Nicolas,
Try this:
Remove 'check_client_access hash:/etc/postfix/client_access' from
smtpd_recipient_restrictions. Add the following line in main.cf
somewhere before/above smtpd_recipient_restrictions:
smtpd_client_restrictions = hash:/etc/postfix/client_access
And make sure you 'postmap /etc/postfix/client_access' any time you
make changes to the file. And obviously, 'postfix reload' whenever
you make changes to main.cf.
This will not fix the OP's issue because client_restrictions occur
before recipient_restrictions.
This also does not deny any hosts with the line you posted above so it's
really worthless, due to the implied permit at the end of the
client_restrictions.
Since the check fails in recipient_restrictions, an exception must be
placed before the rbl_check there.
As Charles already pointed out, he was simply using the wrong check,
even though a HELO whitelist is somewhat dangerous to trust (easily forged).
Brian
Hope this helps.
Stan
Nicolas KOWALSKI wrote:
Hello,
I would like to whitelist a specific host, because it is currently
listed in the zen rbl, but I am unable to do so.
Here is a sample log of the rejected host connecting to my postfix:
Aug 4 14:17:17 petole postfix/smtpd[23545]: connect from
225.96.68-86.rev.gaoland.net[86.68.96.225]
Aug 4 14:17:17 petole postfix/smtpd[23545]: setting up TLS
connection from 225.96.68-86.rev.gaoland.net[86.68.96.225]
Aug 4 14:17:17 petole postfix/smtpd[23545]: TLS connection
established from 225.96.68-86.rev.gaoland.net[86.68.96.225]: TLSv1
with cipher ADH-AES256-SHA (256/256 bits)
Aug 4 14:17:18 petole postfix/smtpd[23545]: NOQUEUE: reject: RCPT
from 225.96.68-86.rev.gaoland.net[86.68.96.225]: 554 5.7.1 Service
unavailable; Client host [86.68.96.225] blocked using
zen.spamhaus.org; http://www.spamhaus.org/query/bl?ip=86.68.96.225;
from=<[EMAIL PROTECTED]> to=<[EMAIL PROTECTED]>
proto=ESMTP helo=<demisel.dyndns.org>
Aug 4 14:17:18 petole postfix/smtpd[23545]: disconnect from
225.96.68-86.rev.gaoland.net[86.68.96.225]
- I added the following line (full postconf -n below) to the
smtpd_recipient_restrictions, before the rbl check:
check_client_access hash:/etc/postfix/client_access
- /etc/postfix/client_access contains:
demisel.dyndns.org OK
- the full configuration: