On 15 Dec 2018, at 0:56, Francesc Peñalvez wrote:

exception to the rule reject_unknown_client_hostname since having it active there are some ips that if they have inverse blocks me emails, could you put some type of exception to certain ips that I really know so that I do not block their mails?

The reject_unknown_client_hostname restriction directive resides in one of the "smtpd_*_restrictions" restriction lists, most likely smtpd_client_restrictions or smtpd_recipient_restrictions. It can be overridden by a PERMIT result from any restriction directive preceding it *in the same restriction list* which permits the mail.

This can get very complicated because each restriction list is run independently, in a fixed logical order for each normal message transaction: client, helo, sender, recipient, relay, data, end_of_data. A REJECT result at any point is immediate and unconditional: later restriction directives in the same list are not tested and later lists are not run. An OK result from any restriction directive terminates evaluation of the restriction list where it resides, but DOES NOT carry over to later restriction lists.

So, your current config may include something like:

smtpd_recipient_restrictions = permit_mynetworks,
  [...],
  reject_unknown_recipient_domain, reject_unauth_destination,
  reject_unknown_client_hostname,
  [...]
  permit

You can override reject_unknown_client_hostname by adding an access map:

smtpd_recipient_restrictions = permit_mynetworks,
  [...],
  reject_unknown_recipient_domain, reject_unauth_destination,
  check_client_access cidr:/etc/postfix/trusted_ips.cidr,
  reject_unknown_client_hostname,
  [...]
  permit

Where the file /etc/postfix/trusted_ips.cidr contains lines like:

  # A Class C network full of unnamed hosts
  192.0.2.0/24   OK
  # One host belonging to a correspondent w/o control over their rDNS
  10.1.2.3       OK
  # Microsoft's naming is flaky in this block
  52.96.0.0/12   OK

You could use another class of map but CIDR makes the most sense for this case because you're trying to exempt arbitrary client IPs from a client IP restriction and CIDR does that in the most flexible and obvious way.


--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Available For Hire: https://linkedin.com/in/billcole
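
A small model of the evaluation rules described in the message above, added here as an example (it is not from the original post and is not Postfix code). The function names mirror the Postfix restriction names; the table entries, the client dicts and the rdns_ok flag are constructed assumptions, and only OK, REJECT and "no match" results are modelled.

```python
import ipaddress

# Constructed sample table using documentation address ranges.
TABLE = """\
# hosts without usable rDNS that we still want mail from
192.0.2.0/24   OK
198.51.100.7   OK
"""

def parse_cidr_table(text):
    """Return [(network, result)]; a pattern with no result is an error."""
    rules = []
    for n, line in enumerate(text.splitlines(), 1):
        fields = line.split(None, 1)
        if not fields or fields[0].startswith("#"):
            continue
        if len(fields) != 2:
            raise ValueError(f"line {n}: no result after {fields[0]!r}")
        rules.append((ipaddress.ip_network(fields[0]), fields[1].strip().upper()))
    return rules

RULES = parse_cidr_table(TABLE)

def check_client_access(client):
    """First matching network wins; None models 'no match, keep going'."""
    addr = ipaddress.ip_address(client["ip"])
    return next((res for net, res in RULES if addr in net), None)

def reject_unknown_client_hostname(client):
    return None if client["rdns_ok"] else "REJECT"

def permit(client):
    return "OK"

def evaluate(lists, client):
    """lists: [(name, [restriction, ...])] in the order Postfix runs them."""
    for name, restrictions in lists:
        for restriction in restrictions:
            verdict = restriction(client)
            if verdict == "REJECT":
                return ("REJECT", name)   # final: nothing later is tested
            if verdict == "OK":
                break                     # ends this list only
    return ("ACCEPT", None)

# Map placed just before the check, in the same list (the layout above).
SAME_LIST = [("client", []),
             ("recipient", [check_client_access, reject_unknown_client_hostname, permit])]
# Map in a different list from the check: the OK does not carry over.
SPLIT = [("client", [check_client_access]),
         ("recipient", [reject_unknown_client_hostname, permit])]
```

The SPLIT layout shows why the access map has to sit in the same restriction list as reject_unknown_client_hostname, and ahead of it.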
