Thanks for the reply. It appears this is not supported with my version of Postfix (2.1.5). When I try this syntax:

smtpd_helo_restrictions =
        check_client_access pcre:/etc/postfix/heloaccept.pcre

I get this error:

fatal: unsupported dictionary type: pcre

On Oct 28, 2009, at 8:16 AM, Wietse Venema wrote:

Dennis Putnam:
It is beginning to appear this is my only alternative. However,
maintaining a whitelist will require some special approvals by our
security auditors. In any case, assuming I can get approval, is the
syntax for this the same as the other hash files (i.e. IP address
followed by REJECT, OK, etc.)? Also, how do I set the default to be
reject? My best hope for approval is to only need to add exceptions.

I suggest using a CIDR table. These tables are read sequentially,
and the first matching pattern wins. The following makes exceptions
for two networks and applies reject_unknown_client for everyone else.

/etc/postfix/main.cf:
   smtpd_???_restrictions =
        ...
        check_client_access cidr:/etc/postfix/client_access.cidr
        ...

/etc/postfix/client_access.cidr:
   # read top to bottom; the first matching pattern wins, so the
   # exceptions must come before the 0.0.0.0/0 catch-all
   1.2.3.0/24      dunno
   5.6.7.0/24      dunno
   0.0.0.0/0       reject_unknown_client

The syntax of the left-hand side is in the cidr_table(5) manpage
(man 5 cidr_table).  The syntax of the right-hand side is in the
access(5) manpage (man 5 access).

The real problem is that the DNS gives out (some or all) bad PTR
records for this client IP address.

        Wietse




Dennis Putnam
Sr. IT Systems Administrator
AIM Systems, Inc.
11675 Rainwater Dr., Suite 200
Alpharetta, GA  30009
Phone: 678-240-4112
Main Phone: 678-297-0700
FAX: 678-297-2666 or 770-576-1000
The information contained in this e-mail and any attachments is strictly confidential. If you are not the intended recipient, any use, dissemination, distribution, or duplication of any part of this e-mail or any attachment is prohibited. If you are not the intended recipient, please notify the sender by return e-mail and delete all copies, including the attachments.
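The point of the CIDR-table suggestion above is the ordering rule: the table is scanned sequentially and the first matching pattern wins, so the exceptions must sit above the 0.0.0.0/0 catch-all. The following added example (not Postfix code and not from either poster) reimplements that lookup in Python with the standard ipaddress module so the behaviour can be checked offline. The table text, the network ranges and the client addresses are constructed for illustration; the shadowed_entries() helper is an added check that flags patterns an earlier, broader pattern makes unreachable, which is what goes wrong if the catch-all is placed first.

```python
import ipaddress

# Constructed sample table in cidr_table(5) shape: exceptions first,
# catch-all last.  Addresses are hypothetical.
CLIENT_ACCESS_CIDR = """\
# exceptions for two networks
1.2.3.0/24      dunno
5.6.7.0/24      dunno
# everyone else: apply reject_unknown_client
0.0.0.0/0       reject_unknown_client
"""


def parse_cidr_table(text):
    """Parse cidr_table(5)-style text into an ordered list of (network, action).

    Blank lines and '#' comments are skipped.  A pattern without a /prefix
    is a single host.  Order is preserved because order is the semantics.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        pattern, action = line.split(None, 1)
        # strict=False accepts host bits set in the pattern (e.g. 1.2.3.4/24)
        entries.append((ipaddress.ip_network(pattern, strict=False), action.strip()))
    return entries


def lookup(entries, client_ip):
    """Sequential scan, first match wins, as Postfix does for cidr: tables.

    Returns the action string, or None when nothing matches (Postfix then
    treats the lookup as DUNNO and continues with the next restriction).
    An IPv4-only pattern such as 0.0.0.0/0 never matches an IPv6 client.
    """
    addr = ipaddress.ip_address(client_ip)
    for net, action in entries:
        if addr.version == net.version and addr in net:
            return action
    return None


def shadowed_entries(entries):
    """Return patterns that can never match because an earlier one covers them.

    Any non-empty result means the table is mis-ordered: with the catch-all
    at the top, the intended exceptions are dead entries.
    """
    shadowed = []
    for i, (net, _) in enumerate(entries):
        for earlier, _ in entries[:i]:
            if earlier.version == net.version and net.subnet_of(earlier):
                shadowed.append(str(net))
                break
    return shadowed


if __name__ == "__main__":
    table = parse_cidr_table(CLIENT_ACCESS_CIDR)
    for ip in ("1.2.3.4", "5.6.7.200", "9.9.9.9", "2001:db8::1"):
        print(ip, "->", lookup(table, ip))
    print("correct order, shadowed:", shadowed_entries(table))
    print("reversed order, shadowed:", shadowed_entries(list(reversed(table))))
```

Running it shows the two exception networks returning dunno, any other IPv4 client hitting reject_unknown_client, and an IPv6 client falling through with no match; reversing the table makes both exception entries unreachable, which is the mistake the ordering note guards against. With a real Postfix this is what `postmap -q 1.2.3.4 cidr:/etc/postfix/client_access.cidr` would tell you before the table goes live.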