Noel Jones wrote:
On 11/12/2009 1:48 PM, Alex wrote:
Hi folks,
I'm still working on the problem you have all been so kind in helping
me with, and have a problem relating to helo_checks. We require a
proper FQDN for the helo, but would like to make an exception for
several IP addresses.
I've added check_helo_access as the first line of my
smtpd_recipient_restrictions and it still doesn't work:
    smtpd_recipient_restrictions =
        check_helo_access hash:/etc/postfix/helo_checks,
helo_checks contains:
    192.168.1.99 OK
Yet it is still rejected:
    Nov 12 14:40:21 smtp01 postfix/smtpd[8282]: reject: RCPT from
      unknown[192.168.1.99]: 504<helostring>: Helo command rejected: need
      fully-qualified hostname; from=<ins...@mydomain.com>
      to=<outs...@gmail.com>
What could I be doing wrong?
Thanks,
Alex
Stop top posting. Google for the term if you don't understand.
It looks as if you're trying to whitelist the client by IP, so you need
check_client_access to check an IP.
As a general rule, access tables should be *below*
reject_unauth_destination to prevent accidental open relay.
You have a lot of reading to do. Start here:
http://www.postfix.org/documentation.html
-- Noel Jones
If you don't want to whitelist the IP address completely but instead
just want to allow it to bypass your HELO checks, then check_helo_access
will work. However, you should first understand that the type of lookup
performed depends on the name of the restriction, NOT where the
restriction is placed.
For example, as was mentioned before, check_client_access looks up the
"client" (hostname, IP address,...). Likewise, check_sender_access looks
up the envelope sender, domain, etc. In this case, check_helo_access is
going to look up the HELO hostname of the client. So, your HELO access
map should match hostnames (or domain names, see the docs for
check_helo_access), not IP addresses. This is always true, regardless of
whether the check_foo_access statements appear in
smtpd_client_restrictions, smtpd_sender_restrictions, etc.
Now -- and there may be a cleaner way to do this -- when I want to
bypass a restriction for some set of clients or senders, I usually use a
pcre table that "falls through" to some default restrictions given that
nothing else matched first. For example, you could have,
    check_helo_access pcre:/etc/postfix/helo_checks
and then within that file,
    /^hostname-you-want-to-allow$/ DUNNO
    # Matches everything else.
    /./ reject_invalid_helo_hostname
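
The lookup-key point made in the replies above, as an added example that is not part of the original thread and not Postfix code: a simplified Python model of how a restriction list is walked, showing why the IP-keyed helo_checks entry never matched. The function names, the constructed session values, and the choice of reject_non_fqdn_helo_hostname as the restriction behind the 504 are assumptions.

```python
# Simplified model of Postfix access-list evaluation (an assumption for
# illustration, not Postfix source). Parent-domain matching is omitted.

def client_keys(s):
    # check_client_access: client hostname, then the IPv4 address and its
    # octet-boundary networks (a.b.c.d, a.b.c, a.b, a).
    octets = s["client_ip"].split(".")
    return [s["client_name"]] + [".".join(octets[:n]) for n in range(4, 0, -1)]

def helo_keys(s):
    # check_helo_access: only the HELO/EHLO hostname, never the client IP.
    return [s["helo"].lower()]

LOOKUP_KEYS = {"check_client_access": client_keys, "check_helo_access": helo_keys}

def reject_non_fqdn_helo_hostname(s):
    # Assumed source of the 504 in the log; simplified to "name contains a dot".
    if "." not in s["helo"].strip("."):
        return "504 Helo command rejected: need fully-qualified hostname"
    return "DUNNO"

def evaluate(restrictions, s):
    # Walk the list in order; the first result other than DUNNO decides.
    for item in restrictions:
        if callable(item):
            result = item(s)
        else:
            name, table = item
            keys = LOOKUP_KEYS[name](s)
            result = next((table[k] for k in keys if k in table), "DUNNO")
        if result != "DUNNO":
            return result
    return "OK"  # nothing objected, so the list permits

# Constructed session mirroring the log line in the thread.
SESSION = {"client_name": "unknown", "client_ip": "192.168.1.99", "helo": "helostring"}
IP_TABLE = {"192.168.1.99": "OK"}      # the helo_checks entry as posted
HELO_TABLE = {"helostring": "OK"}      # keyed by HELO name instead

def run_cases():
    tail = [reject_non_fqdn_helo_hostname]
    return {
        "helo_access + IP key": evaluate([("check_helo_access", IP_TABLE)] + tail, SESSION),
        "client_access + IP key": evaluate([("check_client_access", IP_TABLE)] + tail, SESSION),
        "helo_access + HELO key": evaluate([("check_helo_access", HELO_TABLE)] + tail, SESSION),
    }

if __name__ == "__main__":
    for case, verdict in run_cases().items():
        print(f"{case}: {verdict}")
```

Because an OK result ends evaluation of the list it appears in, the same model shows why an access table placed above reject_unauth_destination can permit relaying, as noted in the reply above.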