Thiago Esteves wrote:
Hello List,
I'm using the main.cf parameter "reject_unknown_client" here which, as you know, just blocks any client machine that doesn't have the proper records in the DNS. Sometimes I have to add an exception, so I have a whitelist where I add the client IP address and the "OK" parameter. Some time ago I moved all email accounts to a database in MySQL, so I moved the whitelist too. See the whitelist config below.

vi main.cf

....
smtpd_client_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    ....
    check_client_access mysql:/usr/local/etc/postfix/mysql_whitelist.cf,
    ....

vi mysql_whitelist.cf

user = xxx
password = xxx
hosts = localhost
dbname = postfix
query = SELECT action FROM whitelist WHERE host = '%s'

It works well, as in the past when the list was using "hash", but now with the whitelist in the database I can make a program, as a webmail plugin for example, that lets the user add his own exceptions directly to the list. But it would be better to create a list for each user, because if a user adds a host that any other user doesn't want to receive email from, I'll have a problem. In the database it's quite simple to add one more field that matches the owner (recipient) of the exception, but I need to throw it to the mysql_whitelist.cf. I need to get the row that has host = '%s' and recipient = 'the current recipient address'. The query in the mysql_whitelist.cf would be:

query = SELECT action FROM whitelist WHERE host = '%s' and recipient = '%...'

To do this I need to know the variable that represents the recipient address. I've searched on Google, but no luck.
Can anyone help me?

write a policy server (or use one that implements this). postfix checks
use a single variable (client, helo, sender, recipient). you can't mix
things.

anyway, if you find yourself whitelisting many clients, then you should
abandon the check. reject_unknown_client is unsafe. even if the client
has a correct rDNS setup, the check will delay mail if there is a dns
lookup failure. while testing it, I noticed that it delayed mail from
dspam and netbsd mailing lists.

if your goal is to fight spam, there are safer and more efficient
checks. you should start with zen.spamhaus.org.
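
The policy server suggested in the reply, sketched as an added example (not code from the thread or from Postfix): a policy delegation service receives client_address and recipient in the same request, so it can match both. Assumptions: the whitelist table has gained a "recipient" column, sqlite3 in memory stands in for the MySQL database, the sample row is constructed, and the script is run by Postfix's spawn service on stdin/stdout.

```python
#!/usr/bin/env python3
"""Per-recipient client whitelist as a Postfix policy delegation service."""
import sqlite3
import sys

def open_db():
    # Constructed sample data; sqlite3 stands in for the MySQL "postfix" database.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE whitelist (host TEXT, recipient TEXT, action TEXT)")
    db.execute("INSERT INTO whitelist VALUES ('192.0.2.10', 'alice@example.com', 'OK')")
    return db

def parse_request(lines):
    """Turn the name=value lines of one policy request into a dict."""
    attrs = {}
    for line in lines:
        name, sep, value = line.rstrip("\n").partition("=")
        if sep:
            attrs[name] = value
    return attrs

def decide(db, attrs):
    """Return the access action for this client/recipient pair."""
    if attrs.get("request") != "smtpd_access_policy":
        return "DUNNO"
    # Bound parameters: the recipient address is attacker-supplied input.
    row = db.execute(
        "SELECT action FROM whitelist WHERE host = ? AND recipient = ?",
        (attrs.get("client_address", ""), attrs.get("recipient", "").lower()),
    ).fetchone()
    # DUNNO = no opinion: Postfix continues with the next restriction.
    return row[0] if row else "DUNNO"

def serve(db, stream_in=sys.stdin, stream_out=sys.stdout):
    """Answer requests until EOF; each request ends with an empty line."""
    pending = []
    for line in stream_in:
        if line.strip():
            pending.append(line)
            continue
        stream_out.write("action=%s\n\n" % decide(db, parse_request(pending)))
        stream_out.flush()
        pending = []

if __name__ == "__main__":
    serve(open_db())
```

The recipient is only known at RCPT TO, so the check_policy_service entry goes in smtpd_recipient_restrictions, after reject_unauth_destination (an OK placed earlier could open a relay). reject_unknown_client has to follow it in that same list, because an OK only ends the restriction list it appears in.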