On 2018-01-11 11:57, Dominic Raferd wrote:
On 11 January 2018 at 10:15, MRob <mro...@insiberia.net> wrote:
I use reject_unknown_helo_hostname even though it rejects legitimate
mail,
it also catches a reasonable amount of bad things.
I want to whitelist some clients of course. I thought it should be
easy:
/etc/postfix/main.cf
smtpd_helo_restrictions =
reject_invalid_helo_hostname
reject_non_fqdn_helo_hostname
reject_unknown_helo_hostname
smtpd_client_restrictions =
reject_unauth_pipelining
check_client_access hash:/etc/postfix/ok_clients
/etc/postfix/ok_clients
999.999.999.999 OK
fqdn.exmaple.com OK
postmap /etc/postfix/ok_clients
postmap -q 999.999.999.999 /etc/postfix/ok_clients
OK
postmap -q fqdn.exmaple.com /etc/postfix/ok_clients
OK
Yet, from this client I still get this:
NOQUEUE: reject: RCPT from fqdn.example.com[999.999.999.999]: 450
4.7.1
<not.existing.host.name>: Helo command rejected: Host not found;
I test by hand and get rejected after RCPT TO (delayed restrictions as
postfix default):
HELO not.existing.host.name
MAIL FROM: <...>
RCPT TO: <...>
**REJECTED HERE**
Tried restarting postfix to be sure. What have I missed?
All restriction lists are applied: approving mail as OK in one list
only skips subsequent test in that restriction list, it does not
affect test in other lists. So add line
check_client_access hash:/etc/postfix/ok_clients
at the top of smtpd_helo_restrictions, this will then bypass the
subsequent test in this list.
You can probably remove it from smtpd_client_restrictions if you want
and in any case as the last entry in the list it does nothing as the
end of each list is equivalent to a PERMIT result.
Oh, thank you -- misunderstood that each list is independent. I had
thought since all restrictions are delayed until after RCPT TO that
issuing an OK in one restriction list would affect the others that come
after it. Now I understand that's wrong. Thank you.