Aaargh.... too much. Remember this for future use:
postconf -n
Also, logs are a BIG help for this sort of troubleshooting.
> I want to whitelist some IPs who are getting rejected with the bad
> helo command.
> I created a whitelist, but it doesn't seem to work.
> maybe I'm doing it wrong. Here's my main.cf file.
>
> Thanks.
> myhostname = mailgate.mydomain.com
> mydomain = mydomain.com
Are you really so worried about sending people your domain name that you
change it?
> mynetworks = 127.0.0.0/8, 10.25.0.0/16, 10.25.1.0/24,
> 10.25.0.0/16, 10.50.0.0/16, 10.75.0.0/16, 10.100.0.0/16,
> 10.125.0.0/16, 10.150.0.0/16,
Or is this really private net only?
And below is the only real part of your config we needed to see.
> smtpd_recipient_restrictions =
> reject_unauth_pipelining,
> reject_non_fqdn_recipient,
> reject_unknown_recipient_domain
> hash:/etc/postfix/to_recipients_bw.map,
> permit_mynetworks,
> reject_unauth_destination,
> check_client_access hash:/etc/postfix/mta_clients_bw.map,
> check_sender_access hash:/etc/postfix/from_senders_bw.map,
> check_sender_access regexp:/etc/postfix/from_senders_bw.regexp,
> check_client_access regexp:/etc/postfix/mta_clients_dul.regexp,
> reject_non_fqdn_sender,
> reject_unknown_sender_domain,
> reject_unverified_recipient,
> check_helo_access hash:/etc/postfix/helo_hostnames.map,
Is this what is rejecting?
> check_sender_access hash:/etc/postfix/from_senders_clueless.map,
> check_sender_access hash:/etc/postfix/from_senders_bogus.map,
> check_sender_access hash:/etc/postfix/from_senders_mybogus.map,
> check_sender_access hash:/etc/postfix/from_senders_spamdemic.map,
> reject_rbl_client http.dnsbl.sorbs.net,
> reject_rbl_client socks.dnsbl.sorbs.net,
... rbls removed for brevity.
> check_client_access regexp:/etc/postfix/mta_clients_subscriber.regexp,
> warn_if_reject check_helo_access regexp:/etc/postfix/helo_world.regexp,
> permit
> disable_vrfy_command = yes
In my opinion turning off vrfy is useless. It is a great way to catch
some twits by punishing them for excessive vrfy use, and as postfix
sav/rav shows, address confirmation has nothing to do with vrfy.
> smtpd_helo_required = yes
Are they rejected because they did not send a HELO?
I am just asking because without any logs there is nothing for us to check
against.
> smtpd_banner = $myhostname - ESMTP - $mail_name - Attn: Authorized Personel Only
Ummmm.... yah... interesting HELO.
And lastly....
> smtpd_helo_restrictions =
> permit_mynetworks,
> check_helo_access hash:/etc/postfix/helo_whitelist.map,
> check_helo_access regexp:/etc/postfix/helo_hostnames.regexp,
> reject_invalid_hostname,
> reject_non_fqdn_hostname
I reformatted that for readability.
Ok.
If the smtpd_recipient_restrictions with that check_helo_access
hash:/etc/postfix/helo_hostnames.map is what is rejecting, it will not
help at all to have a whitelist here.
If this later white/black set is where the fault is, then you need to look
at the hash map and the regular expression.
Now here is a point of interest. Does the hash map match what you want to
whitelist? Here is how you find out:
From man postmap
SYNOPSIS
postmap [-Nfinoprvw] [-c config_dir] [-d key] [-q key]
[file_type:]file_name ...
...
-q key Search the specified maps for key and write the first
value found to the standard output stream. The exit status
is zero when the requested information was found.
If a key value of - is specified, the program reads key
values from the standard input stream and writes one line of
key value output for each key that was found. The exit
status is zero when at least one of the requested keys was
found.
...
So test your map files. If they work the way you think, then perhaps you
need to add the whitelist to the smtpd_recipient_restrictions.
On a side note, with a regular expression check, processing is done
ordered top to bottom of the regular expression file.
That means that if you have a complex check with false positives, you can
put your whitelist at the top of the regular expression with a DUNNO
result.
DUNNO will drop out of the regular expression, but then still process the
rest of the smtpd_*_restrictions.
--Eric
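Added example, not part of the thread and not Postfix's own code: a small Python model of the two points made above (a whitelist in smtpd_helo_restrictions cannot undo a check_helo_access that rejects in smtpd_recipient_restrictions, and a DUNNO at the top of a regexp table stops that table but not the rest of the restriction list). Table contents are constructed stand-ins for the poster's map files; only check_helo_access lookups are modelled, with the simplifications named in the comments.

```python
import re

# Simplified model of how Postfix walks an smtpd_*_restrictions list and
# consults access(5) tables. Not Postfix code: parent-domain and network-block
# matching, restriction classes and the built-in reject_* checks are omitted.
# Constructed table contents standing in for the poster's map files.
HELO_HOSTNAMES_MAP = {"mail.example.org": "REJECT bad helo"}   # hash:helo_hostnames.map
HELO_WHITELIST_MAP = {"mail.example.org": "OK"}                # hash:helo_whitelist.map
HELO_HOSTNAMES_REGEXP = [   # regexp: table, searched top to bottom, first match wins
    (re.compile(r"^mail\.example\.org$", re.I), "DUNNO"),        # whitelist entry on top
    (re.compile(r"^\[?\d+\.\d+\.\d+\.\d+\]?$"), "REJECT bare IP address in HELO"),
    (re.compile(r"^mail\.", re.I), "REJECT generic mail. name"),  # would also hit the whitelisted host
]

def lookup_hash(table, key):
    """Exact-key lookup on a hash: map, the same question 'postmap -q key' asks."""
    return table.get(key.lower())

def lookup_regexp(table, key):
    """Return the action of the first pattern that matches, or None for no match."""
    for pattern, action in table:
        if pattern.search(key):
            return action
    return None

def evaluate(restrictions, helo):
    """Walk a restriction list: OK ends it with a permit, REJECT ends it with a
    reject, DUNNO or no match falls through to the next restriction."""
    for name, lookup in restrictions:
        action = lookup(helo) or "DUNNO"
        if action == "OK":
            return f"permit ({name})"
        if action.startswith("REJECT"):
            return f"{action} ({name})"
    return "DUNNO"

# The poster's smtpd_helo_restrictions: whitelist hash first, then the regexp table.
HELO_RESTRICTIONS = [
    ("check_helo_access hash:helo_whitelist.map", lambda h: lookup_hash(HELO_WHITELIST_MAP, h)),
    ("check_helo_access regexp:helo_hostnames.regexp", lambda h: lookup_regexp(HELO_HOSTNAMES_REGEXP, h)),
]
# The check_helo_access buried in smtpd_recipient_restrictions, with no whitelist before it.
RECIPIENT_RESTRICTIONS = [
    ("check_helo_access hash:helo_hostnames.map", lambda h: lookup_hash(HELO_HOSTNAMES_MAP, h)),
]

if __name__ == "__main__":
    for helo in ("mail.example.org", "192.0.2.10", "smtp.example.net"):
        print(helo, "| helo:", evaluate(HELO_RESTRICTIONS, helo), "| rcpt:", evaluate(RECIPIENT_RESTRICTIONS, helo))
```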