On 11 January 2018 at 10:15, MRob <mro...@insiberia.net> wrote:
> I use reject_unknown_helo_hostname even though it rejects legitimate mail,
> it also catches a reasonable amount of bad things.
>
> I want to whitelist some clients of course. I thought it should be easy:
>
> /etc/postfix/main.cf
> smtpd_helo_restrictions =
>   reject_invalid_helo_hostname
>   reject_non_fqdn_helo_hostname
>   reject_unknown_helo_hostname
> smtpd_client_restrictions =
>   reject_unauth_pipelining
>   check_client_access hash:/etc/postfix/ok_clients
>
> /etc/postfix/ok_clients
> 999.999.999.999 OK
> fqdn.exmaple.com OK
>
> postmap /etc/postfix/ok_clients
>
> postmap -q 999.999.999.999 /etc/postfix/ok_clients
> OK
>
> postmap -q fqdn.exmaple.com /etc/postfix/ok_clients
> OK
>
> Yet, from this client I still get this:
> NOQUEUE: reject: RCPT from fqdn.example.com[999.999.999.999]: 450 4.7.1
> <not.existing.host.name>: Helo command rejected: Host not found;
>
> I test by hand and get rejected after RCPT TO (delayed restrictions as
> postfix default):
> HELO not.existing.host.name
> MAIL FROM: <...>
> RCPT TO: <...>
> **REJECTED HERE**
>
> Tried restarting postfix to be sure. What have I missed?

All restriction lists are applied: approving mail as OK in one list only skips subsequent tests in that restriction list; it does not affect tests in other lists.

So add the line

check_client_access hash:/etc/postfix/ok_clients

at the top of smtpd_helo_restrictions; this will then bypass the subsequent tests in this list.

You can probably remove it from smtpd_client_restrictions if you want, and in any case, as the last entry in the list it does nothing, as the end of each list is equivalent to a PERMIT result.
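
The per-list behaviour described in the reply above, as an added example that is not part of the original thread and is not Postfix code: a simplified Python model of two restriction lists, run against the original layout and the suggested one. The client address `192.0.2.10`, the `RESOLVABLE` set and the function bodies are constructed stand-ins; only the restriction names come from the thread.

```python
# Simplified model of how Postfix smtpd walks its restriction lists.
# Added illustration, not Postfix code; all addresses and names are constructed.
OK, REJECT, DUNNO = "OK", "REJECT", "DUNNO"

OK_CLIENTS = {"192.0.2.10"}          # stands in for hash:/etc/postfix/ok_clients
RESOLVABLE = {"mail.example.com"}    # stands in for the DNS lookup of the HELO name

def check_client_access(s):
    return OK if s["client_ip"] in OK_CLIENTS else DUNNO

def reject_non_fqdn_helo_hostname(s):
    return DUNNO if "." in s["helo"] else REJECT

def reject_unknown_helo_hostname(s):
    return DUNNO if s["helo"] in RESOLVABLE else REJECT

def run_list(restrictions, s):
    """Evaluate one list: REJECT stops everything, OK stops this list only."""
    for restriction in restrictions:
        result = restriction(s)
        if result in (OK, REJECT):
            return result
    return OK  # falling off the end of a list is equivalent to a permit

def evaluate(config, s):
    """Every list is applied in turn; an OK in one list does not carry over."""
    for name in ("smtpd_client_restrictions", "smtpd_helo_restrictions"):
        if run_list(config[name], s) == REJECT:
            return "rejected by " + name
    return "accepted"

HELO_CHECKS = [reject_non_fqdn_helo_hostname, reject_unknown_helo_hostname]

# Layout from the question: whitelist lookup only in the client list.
ORIGINAL = {"smtpd_client_restrictions": [check_client_access],
            "smtpd_helo_restrictions": HELO_CHECKS}

# Layout from the reply: whitelist lookup at the top of the HELO list.
FIXED = {"smtpd_client_restrictions": [],
         "smtpd_helo_restrictions": [check_client_access] + HELO_CHECKS}

LISTED = {"client_ip": "192.0.2.10", "helo": "not.existing.host.name"}
UNLISTED = {"client_ip": "198.51.100.7", "helo": "not.existing.host.name"}

if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL), ("fixed", FIXED)):
        print(label, "listed:", evaluate(cfg, LISTED),
              "| unlisted:", evaluate(cfg, UNLISTED))
```

In the fixed layout a listed client skips every HELO check that follows the lookup, while an unlisted client with the same HELO name is still rejected.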