On 2/3/2011 3:34 AM, Aggelos wrote:
> on 02/03/2011 10:05 AM Stan Hoeppner wrote the following:
>> Aggelos put forth on 2/2/2011 10:49 PM:
>>> on 02/03/2011 05:24 AM Aggelos wrote the following:
>>>
>>>> With that setup, if I wanted to accept mail from a specific Internet IP,
>>>> which would otherwise be filtered out, how would I do it?
>>>>
>>> I meant clients that are rejected like so:
>>> Feb 3 06:46:59 viper postfix/smtpd[3924]: NOQUEUE: reject: RCPT from
>>> unknown[62.1.42.20]: 450 4.7.1 Client host rejected: cannot find your
>>> hostname, [62.1.42.20]; from=<www-d...@insomnia.gr>
>>> to=<a...@vergina.dyndns.org> proto=ESMTP helo=<mail.insomnia.gr>
>> One possible method, using a cidr table:
>>
>> smtpd_recipient_restrictions =
>> check_client_access cidr:/etc/postfix/whitelist.cidr
>>>>>> reject_invalid_hostname,
>>>>>> reject_non_fqdn_hostname,
>>>>>> reject_non_fqdn_sender,
>>>>>> reject_non_fqdn_recipient,
>>>>>> reject_unknown_sender_domain,
>>>>>> reject_unknown_recipient_domain,
>>>>>> reject_unknown_client,
>>>>>> reject_unknown_hostname,
>>>>>> permit_mynetworks,
>>>>>> reject_unauth_destination,
>>>>>> check_recipient_access pcre:/etc/postfix/recipient_checks.pcre,
>>>>>> check_helo_access hash:/etc/postfix/helo_checks,
>>>>>> check_sender_access hash:/etc/postfix/sender_checks,
>>>>>> check_client_access hash:/etc/postfix/client_checks,
>>>>>> check_client_access pcre:/etc/postfix/client_checks.pcre,
>>>>>> reject_rbl_client zen.spamhaus.org,
>>>>>> permit
>> /etc/postfix/whitelist.cidr
>> 62.1.42.20 permit_auth_destination
>>
>>
> Thanks.
>
> 1) Where should this be placed?
> Should it be first in smtpd_recipient_restrictions ?
> I tried it and it worked when placed just after
> reject_unknown_recipient_domain (before reject_unknown_client).
>
> 2) Also tried
> 62.1.42.20 OK
> in /etc/postfix/client_checks
> and moving check_client_access hash:/etc/postfix/client_checks as above
> (before reject_unknown_client) which also worked.
>
> Which one of the two is more safe?

"OK" makes you an open relay for mail from that IP. It is better to use permit_auth_destination since it comes before reject_unauth_destination unless you trust that source.
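
Added example, not part of the original thread and not Postfix code: a simplified Python model of first-match evaluation of smtpd_recipient_restrictions, comparing the two whitelist entries discussed above. The trimmed restriction list, the assumption that vergina.dyndns.org is the server's only local domain, and the recipient addresses are constructed for illustration.

```python
# Simplified model of first-match restriction evaluation; not Postfix source code.
LOCAL_DOMAINS = {"vergina.dyndns.org"}  # assumption: the server's only local domain

# Trimmed from the list in the thread, whitelist lookup placed before reject_unknown_client.
RESTRICTIONS = ["check_client_access", "reject_unknown_client",
                "reject_unauth_destination", "permit"]
TABLE_OK = {"62.1.42.20": "OK"}
TABLE_AUTH_DEST = {"62.1.42.20": "permit_auth_destination"}

def is_auth_destination(rcpt):
    """True when the recipient domain is one this server accepts mail for."""
    return rcpt.rsplit("@", 1)[-1].lower() in LOCAL_DOMAINS

def apply(name, client_ip, has_rdns, rcpt, table):
    """Return 'permit', 'reject: <name>', or None (no decision, keep going)."""
    if name == "check_client_access":
        action = table.get(client_ip)
        if action is None:
            return None
        if action == "OK":
            return "permit"  # ends the list: later checks never run
        return apply(action, client_ip, has_rdns, rcpt, table)  # action names a restriction
    if name == "permit_auth_destination":
        return "permit" if is_auth_destination(rcpt) else None
    if name == "reject_unauth_destination":
        return None if is_auth_destination(rcpt) else "reject: " + name
    if name == "reject_unknown_client":
        return None if has_rdns else "reject: " + name
    if name == "permit":
        return "permit"
    raise ValueError("restriction not modelled: " + name)

def evaluate(client_ip, has_rdns, rcpt, table, restrictions=RESTRICTIONS):
    """Walk the list in order and stop at the first restriction that decides."""
    for name in restrictions:
        decision = apply(name, client_ip, has_rdns, rcpt, table)
        if decision is not None:
            return decision
    return "permit"  # not reached here: the list ends with an explicit permit

if __name__ == "__main__":
    # Constructed cases: the whitelisted client (no reverse DNS) and two recipients.
    for label, table in (("OK", TABLE_OK), ("permit_auth_destination", TABLE_AUTH_DEST)):
        for rcpt in ("postmaster@vergina.dyndns.org", "user@example.com"):
            print(label, rcpt, "->", evaluate("62.1.42.20", False, rcpt, table))
```

In this model the OK entry permits the message to user@example.com before reject_unauth_destination is ever evaluated, while the permit_auth_destination entry only short-circuits for local recipients and lets everything else fall through to the later reject rules.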