Dennis Putnam:
> Thanks for the reply. It appears this is not supported with my version
> of Postfix (2.1.5). When I try this syntax:
>
> smtpd_helo_restrictions =
>     check_client_access pcre:/etc/postfix/heloaccept.pcre

Sorry. "pcre" should be "cidr" everywhere in my reply.
Some neurons got crossed.

	Wietse

> I get this error:
>
> fatal: unsupported dictionary type: pcre
>
> On Oct 28, 2009, at 8:16 AM, Wietse Venema wrote:
>
> > Dennis Putnam:
> >> It is beginning to appear this is my only alternative. However,
> >> maintaining a whitelist will require some special approvals by our
> >> security auditors. In any case, assuming I can get approval, is the
> >> syntax for this the same as the other hash files (ie. IP address
> >> followed by REJECT, OK, etc.)? Also, how do I set the default to be
> >> reject? My best hope for approval is to only need to add exceptions.
> >
> > I suggest using a CIDR table. These tables are read sequentially,
> > and the first matching pattern wins. The following makes exceptions
> > for two networks and applies reject_unknown_client for everyone else.
> >
> > /etc/postfix/main.cf:
> >     smtpd_???_restrictions =
> >         ...
> >         check_client_access pcre:/etc/postfix/client_access.pcre
> >         ...
> >
> > /etc/postfix/client_access.pcre:
> >     1.2.3.0/24 dunno
> >     5.6.7.0/24 dunno
> >     0.0.0.0/0 reject_unknown_client
> >
> > The syntax of the left-hand side is in the cidr_table(5) manpage
> > (man 5 cidr_table). The syntax of the right-hand side is in the
> > access(5) manpage (man 5 access).
> >
> > The real problem is that the DNS gives out (some or all) bad PTR
> > records for this client IP address.
> >
> > Wietse
>
> Dennis Putnam
> Sr. IT Systems Administrator
> AIM Systems, Inc.
> 11675 Rainwater Dr., Suite 200
> Alpharetta, GA 30009
> Phone: 678-240-4112
> Main Phone: 678-297-0700
> FAX: 678-297-2666 or 770-576-1000
> The information contained in this e-mail and any attachments is
> strictly confidential. If you are not the intended recipient, any use,
> dissemination, distribution, or duplication of any part of this e-mail
> or any attachment is prohibited.