Postfix Whitelist before recipient restrictions
If you do processing based on RCPT TO address, you are going to flood this person with spam, because it will disable any further spam checks.
Your only option is to use check_sender_access.
    smtpd_recipient_restrictions =
        check_client_access hash:/etc/postfix/access_sender
        reject_unauth_destination,
        reject_rbl_client b.barracudacentral.org,
        reject_rbl_client cbl.abuseat.org,
        reject_rbl_client bl.mailspike.net,
        check_policy_service unix:postgrey/socket
Like so:
    [email protected] OK
    domain.com OK
    fromuser@ OK
Don't forget to postmap access_sender after you create it.
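An added example, not part of the original answer: a small Python model of first-match evaluation in smtpd_recipient_restrictions, showing that an OK from the sender map ends the list, that a non-matching sender continues to the RBL and greylisting rules, and what changes when the map sits before or after reject_unauth_destination. The map contents, sample addresses and function names are constructed for illustration, and the RBL and destination results are passed in as flags rather than looked up.

```python
# Simplified model of smtpd_recipient_restrictions: first decisive result wins.
ACCESS_SENDER = {"domain.com": "OK", "fromuser@": "OK"}  # constructed sample map

MAP_FIRST = ["check_sender_access", "reject_unauth_destination",
             "reject_rbl_client", "check_policy_service"]
MAP_AFTER_RELAY_CHECK = ["reject_unauth_destination", "check_sender_access",
                         "reject_rbl_client", "check_policy_service"]

def sender_lookup_keys(sender):
    """Keys tried for MAIL FROM: full address, domain and parents, localpart@.
    Assumes the default parent_domain_matches_subdomains; ignores +extensions."""
    local, _, domain = sender.lower().rpartition("@")
    labels = domain.split(".")
    parents = [".".join(labels[i:]) for i in range(len(labels))]
    return [f"{local}@{domain}"] + parents + [f"{local}@"]

def evaluate(restrictions, sender, rcpt_domain_is_ours, client_on_rbl):
    """Return (action, deciding restriction) for one RCPT TO."""
    for name in restrictions:
        if name == "check_sender_access":
            # OK ends the whole list; no match falls through to the next rule.
            if any(ACCESS_SENDER.get(k) == "OK" for k in sender_lookup_keys(sender)):
                return "permit", name
        elif name == "reject_unauth_destination" and not rcpt_domain_is_ours:
            return "reject", name
        elif name == "reject_rbl_client" and client_on_rbl:
            return "reject", name
        elif name == "check_policy_service":
            return "greylist", name  # postgrey makes the final call here
    return "permit", "end of list"

if __name__ == "__main__":
    cases = [  # (order, MAIL FROM, recipient domain is ours, client on RBL)
        (MAP_FIRST, "someone@domain.com", True, True),
        (MAP_FIRST, "other@example.net", True, True),
        (MAP_FIRST, "someone@domain.com", False, False),
        (MAP_AFTER_RELAY_CHECK, "someone@domain.com", False, False),
    ]
    for order, sender, ours, listed in cases:
        print(order[0], sender, ours, listed, "->", evaluate(order, sender, ours, listed))
```

MAIL FROM is supplied by the connecting client, so the permit is not tied to a source host. With the map listed after reject_unauth_destination, a match only skips the RBL and greylisting checks for mail addressed to your own domains.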
dannymilsom
Updated on September 17, 2022
Comments
-
dannymilsom almost 2 years
Alright. Some background. We have an anti-spam cluster trucking about 2-3 million emails per day, blocking somewhere in the range of 99% of spam email from our end users.
The underlying SMTP server is Postfix 2.2.10. The "Frontline defense" before mail gets carted off to SpamAssassin/ClamAV/etc. etc., is attached below.
    ...basic config....
    smtpd_recipient_restrictions =
        reject_unauth_destination,
        reject_rbl_client b.barracudacentral.org,
        reject_rbl_client cbl.abuseat.org,
        reject_rbl_client bl.mailspike.net,
        check_policy_service unix:postgrey/socket
    ...more basic config....
As you can see, standard RBL services from various companies, as well as a Postgrey service.
The problem is, I have one client (out of thousands) who is very upset that we blocked an important email of theirs. It was sent through a Russian freemailer who was currently blocked in two of our three RBL servers. I explained the situation to them, however they are insisting we do not block any of their emails.
So I need a method of whitelisting ANY email that comes to domain.com, however I need it to take place before any of the recipient restrictions, they want no RBL or postgrey blocking at all.
I've done a bit of research myself, http://www.howtoforge.com/how-to-whitelist-hosts-ip-addresses-in-postfix seemed to be a good guide at first, almost fixing my problem, but I want it to accept based on TO address, not originating server.
-
dannymilsom about 14 years
Won't "check_sender_access" result in me having to whitelist every domain he receives email from? The purpose IS to flood the person with spam, at least for the temporary so he can see what kinda idiot he is.
-
solefald about 14 years
Nope. It will just check if this particular domain is in it. If not, it will just continue to other rules. I have only 6 entries in mine, for the same reason - just to allow a spam-loving client to get his daily viagra fix :)
-
d-_-b about 11 years
@solefald, You say 'check_sender_access' but then use 'check_client_access'. Perhaps you want to clarify. You may also want to clarify why you put 'check_sender_access' as a 'smtpd_recipient_restrictions' and not a 'smtpd_sender_restrictions'.