Hello list,
I have configured postfix to not accept connections from clients that fail
the reverse dns check.
But I want to be able to whitelist specific clients, even if the reverse
hostname check fails.
To achieve this I configured the following:
smtpd_client_restrictions =
check_client_access hash:/etc/postfix/client-whitelist,
reject_unknown_reverse_client_hostname
/etc/postfix/client-whitelist contains comment lines (starting with #) and
entries, like this:
# mail.acipol.ac.mz
197.218.14.50 OK
The file is "compiled" with postmap:
# postmap /etc/postfix/client-whitelist
This is the result:
# ls -alF /etc/postfix/client-whitelist*
-rw-r--r--. 1 root root 1.6K Jul 19 12:07 /etc/postfix/client-whitelist
-rw-r--r--. 1 root root 12K Jul 19 12:07 /etc/postfix/client-whitelist.db
I reloaded the postfix configuration:
# service postfix reload
The log shows the reload and no further errors or warnings.
However, connections from the addresses in /etc/postfix/client-whitelist
are still rejected:
Jul 19 12:33:02 christoffel postfix/smtpd[12614]: NOQUEUE: reject: RCPT
from unknown[197.218.14.50]: 450 4.7.1 Client host rejected: cannot find
your reverse hostname, [197.218.14.50]; from=<> to=</<MASKED>/> proto=ESMTP
helo=<mail.acipol.ac.mz>
So my question is: What am I doing wrong?
Any help would be appreciated.
Some background information:
I am running Postfix 2.7.1 on Debian Squeeze
My full configuration is as follows:
smtpd_banner = $myhostname ESMTP $mail_name
biff = no
append_dot_mydomain = no
readme_directory = no
# TLS parameters
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
myhostname = /<MASKED>/
relay_domains =
myorigin = /etc/mailname
# /<MASKED>/ is the primary domain
mydestination = /<MASKED>/
# We are not interested in delivering mail to local system accounts
local_recipient_maps =
mynetworks_style = host
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
recipient_delimiter = *
inet_interfaces = all
delay_warning_time = 4h
unknown_local_recipient_reject_code = 550
maximal_queue_lifetime = 7d
minimal_backoff_time = 300s
maximal_backoff_time = 4000s
smtp_helo_timeout = 60s
smtpd_recipient_limit = 16
smtpd_soft_error_limit = 3
smtpd_hard_error_limit = 12
smtpd_helo_restrictions =
permit_mynetworks,
warn_if_reject reject_non_fqdn_helo_hostname,
reject_invalid_helo_hostname,
permit
smtpd_sender_restrictions =
permit_mynetworks,
warn_if_reject reject_non_fqdn_sender,
check_sender_access hash:/etc/postfix/access,
permit
# Using "smtpd_client_restrictions" to implement basic filtering of badly
configured clients.
# Currently only "reject_unknown_client_hostname" is used to ensure that no
clients can send
# mail to us using a host / domain that does not pass the DNS hostname ->
IP mapping and the
# IP -> hostname reverse mapping test
smtpd_client_restrictions =
check_client_access hash:/etc/postfix/client-whitelist,
reject_unknown_reverse_client_hostname
# WARNING: The following placement of check_recipient_access implies that
# /etc/postfix/access may ONLY contain REJECT results. Any other results
# may lead to an open relay.
# See http://tech.groups.yahoo.com/group/postfix-users/message/207679
smtpd_recipient_restrictions =
permit_mynetworks,
permit_sasl_authenticated,
reject_unauth_pipelining,
reject_non_fqdn_sender,
reject_non_fqdn_recipient,
reject_unknown_sender_domain,
reject_unknown_recipient_domain,
reject_unauth_destination,
check_recipient_access hash:/etc/postfix/access,
check_sender_access hash:/etc/postfix/sender_access,
check_policy_service inet:127.0.0.1:10023,
reject_rbl_client sbl.spamhaus.org,
reject_rbl_client blackholes.easynet.nl,
reject_rbl_client dnsbl.sorbs.net,
reject_rbl_client relays.ordb.org,
reject_rbl_client cbl.abuseat.org,
reject_rbl_client proxies.blackholes.wirehub.net,
reject_rbl_client bl.spamcop.net,
reject_rbl_client sbl.spamhaus.org,
permit
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_helo_required = yes
smtpd_delay_reject = yes
disable_vrfy_command = yes
# smtpd_log_access_permit_actions
# Setting this to "static:all" will enable logging of all explicit "permit"
actions using the above rules
# See
http://www.postfix.org/postconf.5.html#smtpd_log_access_permit_actions
smtpd_log_access_permit_actions = static:all
alias_maps =
hash:/etc/aliases,
hash:/var/lib/mailman/data/aliases
# alias_database specifies which databases are rebuilt when the
# "newaliases" command is invoked. Obviously, only maps that need
# to be rebuilt (hash, btree, dbm) are to be listed here.
# alias_maps specifies where Postfix looks for aliases.
alias_database = $alias_maps
# De UID en GID for the mailbox files
virtual_uid_maps = static:5000
virtual_gid_maps = static:5000
virtual_mailbox_base = /var/spool/mail/virtual
virtual_mailbox_maps = mysql:/etc/postfix/mysql_mailbox.cf
virtual_alias_maps = mysql:/etc/postfix/mysql_alias.cf
virtual_mailbox_domains = mysql:/etc/postfix/mysql_domains.cf
# amavis anti-spam and virusscanner
content_filter = amavis:[127.0.0.1]:10024
# recipient_bcc_maps : We use this setting to generate an automatic
# bcc of all mail to the management address, to an external account
# Entries in this file are in the form "<internal address> <bcc address>"
# After modifying this file, give a "postmap /etc/postfix/recipient_bcc"
recipient_bcc_maps = hash:/etc/postfix/recipient_bcc
# DKIM implementation
# See
http://www.debiantutorials.com/setup-domainkeys-identified-mail-dkim-in-postfix/
milter_default_action = accept
milter_protocol = 2
smtpd_milters = inet:localhost:8891
non_smtpd_milters = inet:localhost:8891
Regards,
Lucas
