On 23/07/18 21:17, dur...@mgtsciences.com wrote:
> I have whitelisted the ip in postscreen_access.cidr.  I can see the 
> 'whitelisted' for postscreen in log.
> But it does not get past smtpd.
> 
> I do not want to remove reject_invalid_helo_hostname as this really opens 
> up more spam.  So how
> do I white list the ip for smtpd?
> 
> Jul 23 13:53:32 postfix/smtpd[16279]: Anonymous TLS connection established 
> from unknown[65.100.117.244]: TLSv1.2 with cipher AECDH-AES256-SHA 
> (256/256 bits)
> Jul 23 13:53:32 postfix/smtpd[16279]: NOQUEUE: reject: RCPT from 
> unknown[65.100.117.244]: 450 4.7.1 Client host rejected: cannot find your 
> reverse hostname, [65.100.117.244]; from=<useren...@slfcu.org> 
> to=<dur...@mycompany.com> proto=ESMTP helo=<barracuda.slfcu.org>
> Jul 23 13:53:33 postfix/smtpd[16279]: disconnect from 
> unknown[65.100.117.244] ehlo=2 starttls=1 mail=1 rcpt=0/1 data=0/1 rset=1 
> quit=1 commands=6/8
> 
> Thank you,
> 
> Durwin
> 
> === main.cf ===

[snip]

> shlib_directory = /usr/lib64/postfix
> smtp_helo_name = mail.mycompany.com
> smtpd_authorized_xclient_hosts = 172.23.93.0/24
> smtpd_banner = mail.mycompany.com ESMTP $mail_name ($mail_version)

> smtpd_client_restrictions = reject_unknown_reverse_client_hostname
THIS is the line which is rejecting the email;

you could try
smtpd_client_restrictions = permit_mynetworks,
        check_client_access cidr:/etc/postfix/postscreen_access.cidr
        reject_unknown_reverse_client_hostname

anything white-listed by postscreen will bypass client restrictions also

> smtpd_delay_reject = yes
> smtpd_helo_required = yes
> smtpd_helo_restrictions = permit_mynetworks check_helo_access 
> hash:/etc/postfix/helo_access reject_invalid_helo_hostname permit

Two useful (and safe) additions to your smtpd_helo_restrictions are:
reject_invalid_helo_hostname, and
reject_non_fqdn_helo_hostname
these force the HELO argument to be RFC compliant

Hope this helps

Allen C
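
A log check for the situation in this thread, added here as an example and not code from either poster: it lists clients that a postscreen cidr table permits but that smtpd still rejected for a missing reverse hostname. The table contents, the log lines (modelled on the ones quoted above) and all function names are constructed for illustration.

```python
import ipaddress
import re

# Reject line format as quoted in the post (one physical line in a real log).
REJECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: RCPT from "
    r"\S+?\[(?P<ip>[0-9A-Fa-f:.]+)\]: \d{3} \S+ "
    r"Client host rejected: cannot find your reverse hostname"
)

# Constructed sample data; the real table contents are not shown in the thread.
SAMPLE_TABLE = """\
65.100.117.244/32   permit
"""
SAMPLE_LOG = """\
Jul 23 13:53:32 mail postfix/smtpd[16279]: NOQUEUE: reject: RCPT from unknown[65.100.117.244]: 450 4.7.1 Client host rejected: cannot find your reverse hostname, [65.100.117.244]; from=<sender@example.org> to=<rcpt@example.com> proto=ESMTP helo=<mx.example.org>
Jul 23 13:54:10 mail postfix/smtpd[16280]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 450 4.7.1 Client host rejected: cannot find your reverse hostname, [192.0.2.10]; from=<a@example.net> to=<rcpt@example.com> proto=ESMTP helo=<host.example.net>
Jul 23 13:54:11 mail postfix/smtpd[16280]: disconnect from unknown[192.0.2.10] ehlo=1 mail=1 rcpt=0/1 quit=1 commands=3/4
"""

def parse_cidr_table(text):
    """Parse cidr_table(5) lines into (network, action) pairs."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        pattern, action = line.split(None, 1)
        rules.append((ipaddress.ip_network(pattern, strict=False), action.strip()))
    return rules

def lookup(rules, ip):
    """Return the action of the first matching pattern, or None."""
    addr = ipaddress.ip_address(ip)
    for net, action in rules:
        if addr in net:
            return action
    return None

def allowlisted_but_rejected(log_text, rules):
    """IPs the table permits that smtpd still rejected for missing rDNS."""
    hits = set()
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if m and lookup(rules, m.group("ip")) == "permit":
            hits.add(m.group("ip"))
    return sorted(hits)

if __name__ == "__main__":
    print(allowlisted_but_rejected(SAMPLE_LOG, parse_cidr_table(SAMPLE_TABLE)))
```

A non-empty result means the table is only being consulted by postscreen, and smtpd_client_restrictions needs a check_client_access lookup placed ahead of reject_unknown_reverse_client_hostname.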
