/dev/rob0:
> On Wed March 18 2009 03:06:40 Pascal Volk wrote:
> > > Can I whitelist one domain from checking Spamhaus?
> > > Thanks
> >
> > smtpd_recipient_restrictions =
> >   ...
> >   reject_unauth_destination
> >   ...
> >   check_client_access hash:/etc/postfix/whitelist_clients
> >   check_sender_access hash:/etc/postfix/whitelist_senders
> >   reject_rbl_client zen.spamhaus.org
> >   ...
> >
> > /etc/postfix/whitelist_clients:
> > mailout.trusteddoma.in  OK
> > # or ip address of trusted hosts
> >
> > /etc/postfix/whitelist_senders:
> > u...@trusteddoma.in     OK
> 
> Some comments I would add:
> 
> 1. I consider it best practice to use "permit_auth_destination" rather
>    than "OK" for whitelisting. That's an extra safety check in case you
>    accidentally put smtpd_recipient_restrictions in the wrong order.

That is a good point. I wonder how much would break with

/etc/postfix/main.cf
    restriction_classes = ok [... other names ...]
    ok = permit_auth_destination

This would change the meaning of OK such that it works like
permit_auth_destination in access(5) maps. It's a gross hack, but
then, restriction_classes was also a gross hack.

        Wietse

> 2. check_sender_access is never really safe for whitelisting. Consider
>    the common scenario of a virus on a Windows machine, sending mail
>    purporting to be "from" the person who set up Outlook Express (or
>    whatever they call it now) on that machine. If that spam goes
>    direct-to-MX, it would likely be blocked by Zen.
> 3. If mailout.trusteddoma.in is listed in Zen, they have issues that
>    really do need to be addressed. Are you sure you want them
>    whitelisted? Whitelisting is a slippery slope, seldom the right
>    answer to the real problem.
> -- 
>     Offlist mail to this address is discarded unless
>     "/dev/rob0" or "not-spam" is in Subject: header
> 
> 
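
Added example, not part of the thread: a simplified Python model of how Postfix walks smtpd_recipient_restrictions (first PERMIT or REJECT wins), showing why comment 1 prefers "permit_auth_destination" over "OK" when the list is in the wrong order. The domains, addresses and DNSBL set are constructed, and only the restrictions named in the thread are modelled.

```python
# Simplified model of smtpd_recipient_restrictions evaluation (assumption: only
# the three restrictions from the thread exist; real Postfix has many more).
PERMIT, REJECT, DUNNO = "PERMIT", "REJECT", "DUNNO"
LOCAL_DOMAINS = {"example.org"}   # constructed: domains this server accepts mail for
DNSBL_LISTED = {"192.0.2.66"}     # constructed: client addresses listed in the DNSBL


def auth_destination(rcpt):
    """True when the recipient domain is one this server is responsible for."""
    return rcpt.rsplit("@", 1)[-1].lower() in LOCAL_DOMAINS


def evaluate(restrictions, whitelist, client, rcpt):
    """Walk the list in order; the first PERMIT or REJECT ends evaluation."""
    for name in restrictions:
        if name == "check_client_access":
            action = whitelist.get(client)
            if action == "OK":
                verdict = PERMIT
            elif action == "permit_auth_destination":
                verdict = PERMIT if auth_destination(rcpt) else DUNNO
            else:
                verdict = DUNNO
        elif name == "reject_unauth_destination":
            verdict = DUNNO if auth_destination(rcpt) else REJECT
        elif name == "reject_rbl_client":
            verdict = REJECT if client in DNSBL_LISTED else DUNNO
        else:
            raise ValueError(f"unmodelled restriction: {name}")
        if verdict != DUNNO:
            return verdict
    return PERMIT  # end of list reached: mail is accepted


GOOD_ORDER = ["reject_unauth_destination", "check_client_access", "reject_rbl_client"]
BAD_ORDER = ["check_client_access", "reject_unauth_destination", "reject_rbl_client"]


def demo():
    client, foreign, local = "192.0.2.66", "someone@elsewhere.test", "user@example.org"
    ok, pad = {client: "OK"}, {client: "permit_auth_destination"}
    return {
        "bad order, OK, foreign rcpt": evaluate(BAD_ORDER, ok, client, foreign),
        "bad order, permit_auth_destination, foreign rcpt": evaluate(BAD_ORDER, pad, client, foreign),
        "good order, OK, local rcpt": evaluate(GOOD_ORDER, ok, client, local),
        "good order, permit_auth_destination, local rcpt": evaluate(GOOD_ORDER, pad, client, local),
        "good order, no whitelist entry, local rcpt": evaluate(GOOD_ORDER, {}, client, local),
    }
```

With the whitelist lookup placed before reject_unauth_destination, an "OK" entry accepts mail for a foreign domain from the whitelisted client, while "permit_auth_destination" falls through and the relay check still rejects it.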
