Hi,

>> It's taken me a few days to process what you've written, but I think
>> I'm now on the right track. Just to be sure I understand, I'd like to
>> list my smtpd_*_restrictions and ask if someone could review them.
>>
>> I have a list of domain names and IPs that I need to ensure are not
>> rejected. Given the restrictions below, if I add the IPs to a
>> check_client_access map in smtpd_client_restrictions, and the
>> hosts/domains to a check_sender_access map in
>> smtpd_sender_restrictions, can I expect them to bypass any further
>> checks?
>
> No.
>
> You cannot bypass restrictions in smtpd_recipient_restrictions by permitting
> a client hostname or IP in a smtpd_client_restrictions rule or by permitting
> a sender address or domain in smtpd_sender_restrictions.
>
> You cannot bypass restrictions in smtpd_sender_restrictions by permitting a
> client hostname or IP in a smtpd_client_restrictions rule.
>
> The 7 Postfix restriction lists that apply to normal message transport are
> run in this order:
>
> At RCPT: (unless smtpd_delay_reject is set to "no")
>   smtpd_client_restrictions
>   smtpd_helo_restrictions
>   smtpd_sender_restrictions
>   smtpd_relay_restrictions (Postfix 2.10 and later)
>   smtpd_recipient_restrictions
>
> At DATA:
>   smtpd_data_restrictions
>
> At End-of-DATA:
>   smtpd_end_of_data_restrictions
>
> REJECT and DEFER results from any restriction in a list cause Postfix to
> skip all later restrictions in that restriction list AND all later
> restriction lists.
>
> PERMIT or OK results only cause Postfix to skip restrictions that occur
> later in the same restriction list.
>
>> smtpd_recipient_restrictions =
>>   reject_non_fqdn_recipient,
>>   reject_non_fqdn_sender,
>>   reject_unlisted_recipient,
>>   reject_unknown_recipient_domain,
>>   permit_mynetworks,
>>   reject_unauth_destination,
>>   reject_unknown_sender_domain,
>>   reject_rhsbl_reverse_client mykey.dbl.dq.spamhaus.net,
>>   reject_rhsbl_sender mykey.dbl.dq.spamhaus.net,
>>   reject_rhsbl_helo mykey.dbl.dq.spamhaus.net
>>   check_helo_access pcre:/etc/postfix/helo_checks.pcre,
>>   check_helo_access hash:/etc/postfix/helo_checks,
>>   reject_non_fqdn_helo_hostname,
>>   reject_invalid_helo_hostname,
>>   check_policy_service inet:127.0.0.1:2501,
>>   check_recipient_access pcre:/etc/postfix/relay_recips_access,
>>   permit
>
> No "OK" results from your other restriction lists affect how the reject_*
> rules in this list operate. Specifically, the only exemption from
> "reject_unknown_sender_domain" at RCPT time will be "permit_mynetworks".

Okay, that's more clear. I think I understood that, but not sure why I
didn't apply it also to smtpd_recipient_restrictions.

Since there aren't really any restrictions in smtpd_sender_restrictions
other than a bad NS, I now believe it's not necessary to have any
check_sender_access maps there to OK a sender, correct?

As I mentioned, I'm trying to make sure that the IPs of a handful of mail
servers, and a handful of domains which they host, are not rejected. I
don't believe any of them will have a problem with DNS, but it's possible
some could be blacklisted on an RBL. Now it sounds like I should add a
check_client_access and check_sender_access map to my
smtpd_recipient_restrictions after permit_mynetworks:

smtpd_recipient_restrictions =
  reject_non_fqdn_recipient,
  reject_non_fqdn_sender,
  reject_unlisted_recipient,
  reject_unknown_recipient_domain,
  reject_unauth_destination,
  reject_unknown_sender_domain,
  permit_mynetworks,
  check_client_access hash:/etc/postfix/client_checks,
  check_sender_access hash:/etc/postfix/sender_checks,
  reject_rhsbl_reverse_client mykey.dbl.dq.spamhaus.net,
  reject_rhsbl_sender mykey.dbl.dq.spamhaus.net,
  reject_rhsbl_helo mykey.dbl.dq.spamhaus.net
  check_helo_access pcre:/etc/postfix/helo_checks.pcre,
  check_helo_access hash:/etc/postfix/helo_checks,
  reject_non_fqdn_helo_hostname,
  reject_invalid_helo_hostname,
  check_policy_service inet:127.0.0.1:2501,
  check_recipient_access pcre:/etc/postfix/relay_recips_access

I've also reordered reject_unauth_destination and
reject_unknown_sender_domain to above permit_mynetworks, as no one should
be routing mail to unauthorized destinations or domains.

>> Is it
>> possible to append text after the "OK" the way it's okay to do it with
>> the 554? If not, is there another way to do this? I didn't see a way
>> in the access(5) man page.
>
> No. How would you want Postfix to use such text?
>
> The text after a "554" action (or other non-OK action) in a Postfix access
> map is used in the SMTP reply to the client which constitutes the message
> rejection. That reply ultimately should be sent back to the original sender.

I should have been more clear. I was hoping to somehow log an entry each
time one of those IPs is received, in a similar way as the INFO or PREPEND
directive can be used so we can better track these IPs. Of course I could
search for the IP in the logs, but I thought it would be easier to search
for them.

Thanks so much.
Alex
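The two evaluation rules quoted above (REJECT/DEFER stops the current list and every later list; OK/PERMIT only skips the rest of the same list) are what decide whether an access-map whitelist actually protects a client. The following Python model is an added example written for this thread, not Postfix code and not something posted by either participant: it runs toy versions of a few restrictions through the seven lists in the documented order and records which restriction made the decision. The session dictionaries, access tables, IP addresses and function names are constructed for the demonstration; the RBL and DNS answers are simply fields of the session rather than real lookups.

```python
# Toy model of Postfix smtpd_*_restrictions evaluation order (constructed
# example; simplified restriction semantics, no real DNS or RBL lookups).

LIST_ORDER = [
    "smtpd_client_restrictions",
    "smtpd_helo_restrictions",
    "smtpd_sender_restrictions",
    "smtpd_relay_restrictions",
    "smtpd_recipient_restrictions",
    "smtpd_data_restrictions",
    "smtpd_end_of_data_restrictions",
]

# --- simplified restrictions; each returns OK / REJECT / DEFER / DUNNO ------

def permit_mynetworks(s):
    return "OK" if s["client_ip"] in s["mynetworks"] else "DUNNO"

def reject_unknown_sender_domain(s):
    # the session carries the (constructed) DNS answer for the sender domain
    return "DUNNO" if s["sender_domain_resolves"] else "REJECT"

def reject_rhsbl_reverse_client(s):
    # stands in for the RBL lookup; the session carries the constructed answer
    return "REJECT" if s["client_listed_on_rbl"] else "DUNNO"

def check_client_access(table):
    """Restriction that looks the client IP up in an access table."""
    return lambda s: table.get(s["client_ip"], "DUNNO")

def check_sender_access(table):
    """Restriction that looks the sender's domain up in an access table."""
    return lambda s: table.get(s["sender"].rsplit("@", 1)[-1], "DUNNO")

def evaluate(config, session):
    """Run the restriction lists in Postfix order.

    Returns (decision, trace); trace holds (list, restriction, result) for
    every restriction that was actually evaluated.
    """
    trace = []
    for list_name in LIST_ORDER:
        for name, fn in config.get(list_name, []):
            result = fn(session)
            trace.append((list_name, name, result))
            if result in ("REJECT", "DEFER"):
                return result, trace   # ends this list AND all later lists
            if result == "OK":
                break                  # skips only the rest of this list
    return "OK", trace                 # nothing objected: implicit permit

# --- constructed access tables and sessions --------------------------------

CLIENT_CHECKS = {"192.0.2.10": "OK"}          # hypothetical partner MTA
SENDER_CHECKS = {"partner.example": "OK"}     # hypothetical hosted domain

def make_session(client_ip, sender, listed_on_rbl):
    return {"client_ip": client_ip, "sender": sender,
            "mynetworks": {"127.0.0.1"}, "sender_domain_resolves": True,
            "client_listed_on_rbl": listed_on_rbl}

def ok_in_client_list():
    """Original plan: OK the IP in smtpd_client_restrictions only."""
    config = {
        "smtpd_client_restrictions": [
            ("check_client_access", check_client_access(CLIENT_CHECKS))],
        "smtpd_recipient_restrictions": [
            ("permit_mynetworks", permit_mynetworks),
            ("reject_unknown_sender_domain", reject_unknown_sender_domain),
            ("reject_rhsbl_reverse_client", reject_rhsbl_reverse_client)],
    }
    return evaluate(config, make_session("192.0.2.10", "u@partner.example", True))

def ok_in_recipient_list(client_ip="192.0.2.10"):
    """Revised plan: access maps inside smtpd_recipient_restrictions, after
    permit_mynetworks and before the reject_rhsbl_* checks."""
    config = {
        "smtpd_recipient_restrictions": [
            ("reject_unknown_sender_domain", reject_unknown_sender_domain),
            ("permit_mynetworks", permit_mynetworks),
            ("check_client_access", check_client_access(CLIENT_CHECKS)),
            ("check_sender_access", check_sender_access(SENDER_CHECKS)),
            ("reject_rhsbl_reverse_client", reject_rhsbl_reverse_client)],
    }
    return evaluate(config, make_session(client_ip, "u@partner.example", True))

if __name__ == "__main__":
    for label, (decision, trace) in (("client-list OK", ok_in_client_list()),
                                     ("recipient-list OK", ok_in_recipient_list()),
                                     ("sender-map OK", ok_in_recipient_list("198.51.100.7"))):
        print(f"{label}: {decision}")
        for step in trace:
            print("   ", *step)
```

Running the model shows the first layout rejecting the RBL-listed client in smtpd_recipient_restrictions even though smtpd_client_restrictions returned OK, while the second layout stops at check_client_access (or, for an IP not in the client map but a domain in the sender map, at check_sender_access) before the reject_rhsbl_* entries are reached.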