Whitelist some clients from helo restrictions

I use reject_unknown_helo_hostname. Even though it rejects legitimate
mail, it also catches a reasonable amount of bad things.

I want to whitelist some clients of course. I thought it should be easy:

/etc/postfix/main.cf
smtpd_helo_restrictions =
    reject_invalid_helo_hostname
    reject_non_fqdn_helo_hostname
    reject_unknown_helo_hostname
smtpd_client_restrictions =
    reject_unauth_pipelining
    check_client_access hash:/etc/postfix/ok_clients

/etc/postfix/ok_clients
999.999.999.999 OK
fqdn.exmaple.com OK

postmap /etc/postfix/ok_clients

postmap -q 999.999.999.999 /etc/postfix/ok_clients
OK

postmap -q fqdn.exmaple.com /etc/postfix/ok_clients
OK

Yet, from this client I still get this:
NOQUEUE: reject: RCPT from fqdn.example.com[999.999.999.999]: 450 4.7.1
<not.existing.host.name>: Helo command rejected: Host not found;

I test by hand and get rejected after RCPT TO (delayed restrictions as
postfix default):
HELO not.existing.host.name
MAIL FROM: <...>
RCPT TO: <...>
**REJECTED HERE**

Tried restarting postfix to be sure. What have I missed?

Comments

Re: Whitelist some clients from helo restrictions

By Wietse Venema at 01/11/2018 - 06:58

You specified reject_XXX before ok_clients.

Wietse

Re: Whitelist some clients from helo restrictions

By Matus UHLAR - f... at 01/11/2018 - 06:58

On 11.01.18 10:15, MRob wrote:
You must put "check_client_access hash:/etc/postfix/ok_clients" at the
beginning, or at least before reject_unknown_helo_hostname.

Re: Whitelist some clients from helo restrictions

By Dominic Raferd at 01/11/2018 - 06:57

On 11 January 2018 at 10:15, MRob < ... at insiberia dot net> wrote:
All restriction lists are applied: approving mail as OK in one list
only skips subsequent tests in that restriction list; it does not
affect tests in other lists. So add the line

check_client_access hash:/etc/postfix/ok_clients

at the top of smtpd_helo_restrictions; this will then bypass the
subsequent tests in this list.

You can probably remove it from smtpd_client_restrictions if you want,
and in any case, as the last entry in the list, it does nothing, as the
end of each list is equivalent to a PERMIT result.
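
Added example (not part of the thread and not Postfix code): a simplified Python model of how the restriction lists are evaluated, run with the ordering from the original post and with the ordering suggested in the replies. The client address 192.0.2.10, the RESOLVABLE set and the function names are constructed for illustration, and the whitelist is matched on exact IP only.

```python
# Simplified model of Postfix smtpd restriction-list evaluation (added example,
# not Postfix code). Only the restrictions named in this thread are modelled.
import re

# Constructed sample data: documentation-range IP and made-up hostnames.
OK_CLIENTS = {"192.0.2.10": "OK"}   # stands in for hash:/etc/postfix/ok_clients
RESOLVABLE = {"mail.example.com"}   # HELO names that "exist in DNS" in this model

def check(restriction, client_ip, helo):
    """Return 'OK', 'REJECT <code>' or 'DUNNO' for one restriction."""
    if restriction == "check_client_access":
        return OK_CLIENTS.get(client_ip, "DUNNO")
    if restriction == "reject_invalid_helo_hostname":
        ok = re.fullmatch(r"[A-Za-z0-9.-]+", helo) and ".." not in helo
        return "DUNNO" if ok else "REJECT 501"
    if restriction == "reject_non_fqdn_helo_hostname":
        return "DUNNO" if "." in helo.strip(".") else "REJECT 504"
    if restriction == "reject_unknown_helo_hostname":
        return "DUNNO" if helo in RESOLVABLE else "REJECT 450"
    return "DUNNO"  # e.g. reject_unauth_pipelining: not modelled, never fires

def evaluate(lists, client_ip, helo):
    """Apply every list in order. OK ends only the current list; REJECT ends all."""
    for name, restrictions in lists:
        for r in restrictions:
            result = check(r, client_ip, helo)
            if result.startswith("REJECT"):
                return f"{result} by {r} in {name}"
            if result == "OK":
                break  # skip the rest of THIS list only
        # falling off the end of a list is an implicit permit for that list
    return "PERMIT"

HELO_CHECKS = ["reject_invalid_helo_hostname", "reject_non_fqdn_helo_hostname",
               "reject_unknown_helo_hostname"]
# Ordering from the original post: whitelist lookup only in the client list.
ORIGINAL = [("smtpd_client_restrictions",
             ["reject_unauth_pipelining", "check_client_access"]),
            ("smtpd_helo_restrictions", HELO_CHECKS)]
# Ordering from the replies: whitelist lookup first in the HELO list.
FIXED = [("smtpd_client_restrictions", ["reject_unauth_pipelining"]),
         ("smtpd_helo_restrictions", ["check_client_access"] + HELO_CHECKS)]

if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL), ("fixed", FIXED)):
        for ip in ("192.0.2.10", "198.51.100.7"):
            print(label, ip, "->", evaluate(cfg, ip, "not.existing.host.name"))
```

With the fixed ordering only the whitelisted address skips the HELO checks; every other client is still subject to all three.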

Re: Whitelist some clients from helo restrictions

By mrobti at 01/11/2018 - 07:57

On 2018-01-11 11:57, Dominic Raferd wrote:
Oh, thank you -- misunderstood that each list is independent. I had
thought since all restrictions are delayed until after RCPT TO that
issuing an OK in one restriction list would affect the others that come
after it. Now I understand that's wrong. Thank you.