Re: Whitelist a host using check_client_access before the rbl check?

From: Brian Evans - Postfix List (grknightscent-team.com)
Date: Mon Aug 04 2008 - 08:20:19 CDT


Stan Hoeppner wrote:
> Hello Nicolas,
>
> Try this:
>
> Remove 'check_client_access hash:/etc/postfix/client_access' from
> smtpd_recipient_restrictions. Add the following line in main.cf
> somewhere before/above smtpd_recipient_restrictions:
>
> smtpd_client_restrictions = hash:/etc/postfix/client_access
>
> And make sure you 'postmap /etc/postfix/client_access' any time you
> make changes to the file. And obviously, 'postfix reload' whenever
> you make changes to main.cf.

This will not fix the OP's issue because client_restrictions occur
before recipient_restrictions.
This also does not deny any hosts with the line you posted above, so it's
really worthless, due to the implied permit at the end of the
client_restrictions.

Since the check fails in recipient_restrictions, an exception must be
placed before the rbl_check there.

As Charles already pointed out, he was simply using the wrong check,
even though a HELO whitelist is somewhat dangerous to trust (easily forged).

Brian
>
> Hope this helps.
>
> Stan
>
> Nicolas KOWALSKI wrote:
>> Hello,
>>
>> I would like to whitelist a specific host, because it is currently
>> listed in the zen rbl, but I am unable to do so.
>>
>> Here is a sample log of the rejected host connecting to my postfix:
>>
>> Aug 4 14:17:17 petole postfix/smtpd[23545]: connect from 225.96.68-86.rev.gaoland.net[86.68.96.225]
>> Aug 4 14:17:17 petole postfix/smtpd[23545]: setting up TLS connection from 225.96.68-86.rev.gaoland.net[86.68.96.225]
>> Aug 4 14:17:17 petole postfix/smtpd[23545]: TLS connection established from 225.96.68-86.rev.gaoland.net[86.68.96.225]: TLSv1 with cipher ADH-AES256-SHA (256/256 bits)
>> Aug 4 14:17:18 petole postfix/smtpd[23545]: NOQUEUE: reject: RCPT from 225.96.68-86.rev.gaoland.net[86.68.96.225]: 554 5.7.1 Service unavailable; Client host [86.68.96.225] blocked using zen.spamhaus.org; http://www.spamhaus.org/query/bl?ip=86.68.96.225; from=<nicolas.kowalskigmail.com> to=<nikopetole.dyndns.org> proto=ESMTP helo=<demisel.dyndns.org>
>> Aug 4 14:17:18 petole postfix/smtpd[23545]: disconnect from 225.96.68-86.rev.gaoland.net[86.68.96.225]
>>
>>
>> - I added the following line (full postconf -n below) to the
>> smtpd_recipient_restrictions, before the rbl check:
>>
>> check_client_access hash:/etc/postfix/client_access
>>
>>
>> - /etc/postfix/client_access contains:
>> demisel.dyndns.org OK
>>
>>
>> - the full configuration:
>>
>>
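The following is an added example, not part of the original thread and not Postfix code. It models, in Python, how Postfix's access(5) tables are consulted by check_client_access (client reverse-DNS name and its parent domains, then the client IP and shorter prefixes) and by check_helo_access (the announced HELO name), and how smtpd_client_restrictions and smtpd_recipient_restrictions are evaluated as separate lists. Run against a constructed copy of the reject line from the thread (client name, IP and HELO as posted; sender and recipient replaced with example addresses), it shows why "demisel.dyndns.org OK" in client_access never matches, why moving the entry to smtpd_client_restrictions does not help, and which two entries do work. The DNSBL answer is a stand-in set, not a real zen.spamhaus.org query.

```python
import re

# Constructed sample modelled on the thread's log line; the client name, IP and
# HELO are the ones posted, the sender and recipient are placeholder addresses.
SAMPLE_REJECT = (
    "Aug  4 14:17:18 petole postfix/smtpd[23545]: NOQUEUE: reject: RCPT from "
    "225.96.68-86.rev.gaoland.net[86.68.96.225]: 554 5.7.1 Service unavailable; "
    "Client host [86.68.96.225] blocked using zen.spamhaus.org; "
    "from=<sender@example.com> to=<user@example.org> proto=ESMTP helo=<demisel.dyndns.org>"
)

RCPT_RE = re.compile(
    r"RCPT from (?P<name>[^\s\[]+)\[(?P<ip>\d+\.\d+\.\d+\.\d+)\].*?helo=<(?P<helo>[^>]*)>"
)


def parse_reject(line: str) -> dict:
    """Extract client reverse-DNS name, client IP and HELO from a smtpd reject line."""
    m = RCPT_RE.search(line)
    if m is None:
        raise ValueError("not a RCPT reject line")
    return m.groupdict()


def domain_keys(name: str) -> list:
    """Keys Postfix tries for a hostname: the full name, then each parent domain
    (the default parent_domain_matches_subdomains covers smtpd_access_maps, so a
    bare 'domain.tld' entry also matches its subdomains)."""
    labels = name.lower().rstrip(".").split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


def ip_keys(ip: str) -> list:
    """Keys Postfix tries for an IPv4 address: the address, then shorter prefixes."""
    octets = ip.split(".")
    return [".".join(octets[:n]) for n in range(len(octets), 0, -1)]


def lookup(table: dict, keys: list):
    for key in keys:
        if key in table:
            return table[key].upper()
    return None


def check_client_access(table: dict):
    # Matches the client's reverse-DNS name and IP address only, never the HELO name.
    return lambda ctx: lookup(table, domain_keys(ctx["name"]) + ip_keys(ctx["ip"]))


def check_helo_access(table: dict):
    # Matches the HELO/EHLO argument, a string the connecting client chooses freely.
    return lambda ctx: lookup(table, domain_keys(ctx["helo"]))


def reject_rbl_client(listed: set):
    # Stand-in for a DNSBL lookup; 'listed' is a constructed set of IPs.
    return lambda ctx: "REJECT" if ctx["ip"] in listed else None


def evaluate(restrictions: list, ctx: dict) -> str:
    """One restriction list: the first explicit result wins; an exhausted list permits."""
    for restriction in restrictions:
        result = restriction(ctx)
        if result in ("OK", "PERMIT"):
            return "PERMIT"
        if result == "REJECT":
            return "REJECT"
    return "PERMIT"


def smtpd_decision(stages: list, ctx: dict) -> str:
    """Each smtpd_*_restrictions list is evaluated on its own; a permit in an
    earlier list ends only that list and does not skip the later ones."""
    for stage in stages:
        if evaluate(stage, ctx) == "REJECT":
            return "REJECT"
    return "PERMIT"


ZEN_STANDIN = {"86.68.96.225"}      # constructed: the client IP is "listed"
CTX = parse_reject(SAMPLE_REJECT)


def op_attempt() -> str:
    # The OP's table: the HELO name as a client_access key, placed before the RBL.
    recipient = [check_client_access({"demisel.dyndns.org": "OK"}), reject_rbl_client(ZEN_STANDIN)]
    return smtpd_decision([recipient], CTX)


def stan_suggestion() -> str:
    # Even a correct IP key in smtpd_client_restrictions cannot stop a reject
    # that comes from smtpd_recipient_restrictions.
    client = [check_client_access({"86.68.96.225": "OK"})]
    recipient = [reject_rbl_client(ZEN_STANDIN)]
    return smtpd_decision([client, recipient], CTX)


def ip_whitelist() -> str:
    # Whitelisting the client IP in the same list, ahead of the RBL check, works
    # and cannot be forged by the remote side.
    recipient = [check_client_access({"86.68.96.225": "OK"}), reject_rbl_client(ZEN_STANDIN)]
    return smtpd_decision([recipient], CTX)


def helo_whitelist() -> str:
    # check_helo_access matches the OP's entry, but anyone can send this HELO
    # string, so the RBL is bypassed for every host that announces it.
    recipient = [check_helo_access({"demisel.dyndns.org": "OK"}), reject_rbl_client(ZEN_STANDIN)]
    return smtpd_decision([recipient], CTX)
```

In a real main.cf the working variant is the IP entry in the table already referenced by `check_client_access hash:/etc/postfix/client_access`, followed by `postmap /etc/postfix/client_access`; `postmap -q 86.68.96.225 hash:/etc/postfix/client_access` confirms the key is found before reloading.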