Whitelist some clients from helo restrictions

I use reject_unknown_helo_hostname even though it rejects legitimate
mail, it also catches a reasonable amount of bad things.

I want to whitelist some clients of course. I thought it should be easy:

smtpd_helo_restrictions =
smtpd_client_restrictions =
check_client_access hash:/etc/postfix/ok_clients

999.999.999.999 OK OK

postmap /etc/postfix/ok_clients

postmap -q 999.999.999.999 /etc/postfix/ok_clients

postmap -q /etc/postfix/ok_clients

Yet, from this client I still get this:
NOQUEUE: reject: RCPT from[999.999.999.999]: 450 4.7.1
<>: Helo command rejected: Host not found;

I test by hand and get rejected after RCPT TO (delayed restrictions as
postfix default):
MAIL FROM: <...>
RCPT TO: <...>

Tried restarting postfix to be sure. What have I missed?


Re: Whitelist some clients from helo restrictions

By Wietse Venema at 01/11/2018 - 07:58

You specified reject_XXX before ok_clients.


Re: Whitelist some clients from helo restrictions

By Matus UHLAR - f... at 01/11/2018 - 07:58

On 11.01.18 10:15, MRob wrote:
you must put "check_client_access hash:/etc/postfix/ok_clients" at the
begin, or at least before reject_unknown_helo_hostname

Re: Whitelist some clients from helo restrictions

By Dominic Raferd at 01/11/2018 - 07:57

On 11 January 2018 at 10:15, MRob < ... at insiberia dot net> wrote:
All restriction lists are applied: approving mail as OK in one list
only skips subsequent test in that restriction list, it does not
affect test in other lists. So add line

check_client_access hash:/etc/postfix/ok_clients

at the top of smtpd_helo_restrictions, this will then bypass the
subsequent test in this list.

You can probably remove it from smtpd_client_restrictions if you want
and in any case as the last entry in the list it does nothing as the
end of each list is equivalent to a PERMIT result.

Re: Whitelist some clients from helo restrictions

By mrobti at 01/11/2018 - 08:57

On 2018-01-11 11:57, Dominic Raferd wrote:
Oh, thank you -- misunderstood that each list is independent. I had
thought since all restrictions are delayed until after RCPT TO that
issuing an OK in one restriction list would affect the others that come
after it. Now I understand that's wrong. Thank you.