Derek wrote:
Hi Folks
I have tried to set up a whitelist for some domains, the idea is to have
the whitelisted domains bypass RBL and spamassassin checks (i.e. deliver
everything!).
/etc/postfix/main.cf

smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    permit_auth_destination,
    check_recipient_access hash:/etc/postfix/whitelist-recipient,
    reject_non_fqdn_hostname,
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    reject_unknown_sender_domain,
    reject_unauth_destination,
    reject_rbl_client zen.spamhaus.org,
    reject_rbl_client dnsbl.njabl.org,
    reject_rhsbl_sender dsn.rfc-ignorant.org,
    permit

/etc/postfix/whitelist-recipient

domain1.com OK
domain2.com OK

With the above implemented, I still get RBL checks performed on the
whitelist domains.
You need to show your "postconf -n" output, as requested. The
above config will not perform any RBL checks.
permit_mynetworks, permit_sasl_authenticated
allow authorized users.
permit_auth_destination
allow any domain this server is responsible for
the only mail left at this point is unauthorized relay
attempts - normally a very small fraction of mail.
These unauthorized attempts will be blocked by
reject_unauth_destination. Nothing below that will ever be
evaluated.
You can use a check_recipient_access map prior to RBL checks
to bypass the RBL restrictions, but you cannot use this method
to bypass a content_filter.
To bypass a content_filter completely, you need two separate
postfix instances, each with its own queue and config
directory. Then you can use transport_maps to route mail to
either the content filter or the second postfix instance.
It's often easier to use a content filter that supports
whitelisting internally.
Could this be accomplished by using
"check_recipient_access" in the "smtpd_sender_restrictions" stanza? I
have set up an "all_spam_to" for these domains in spamassassin but it
would be nice if I can bypass it altogether for the domains in
question, although my main concern is bypassing RBLs.
Also my thoughts are it might be redundant having "reject_rbl_client"
and "reject_rhsbl_sender" under "smtpd_recipient_restrictions" - can
anyone comment?
It's redundant to have any restriction listed more than once.
It's common to list all restrictions under
smtpd_recipient_restrictions so you can easily see the order
they are performed in, and so you only have to whitelist once.
# basic main.cf config
smtpd_client_restrictions =
smtpd_helo_restrictions =
smtpd_sender_restrictions =
smtpd_recipient_restrictions =
    permit_mynetworks
    permit_sasl_authenticated
    reject_unauth_destination
    ... local whitelists ...
    ... local blacklists ...
    ... local UCE checks (RBLs etc.) ...
Thanks for your time, appreciate it
Cheers
Derek
--
Noel Jones
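
Added example (not part of the original thread, and not Postfix code): a simplified Python model of the first-match evaluation described above, comparing the restriction order as posted with the order suggested in the reply. The domain3.com entry, the client address and the message fields are constructed for illustration; the FQDN and sender checks are left out.

```python
# Simplified model of how smtpd_recipient_restrictions is walked:
# the first restriction that returns PERMIT or REJECT ends the list.
# Not Postfix code; all data below is constructed for illustration.
LOCAL_DOMAINS = {"domain1.com", "domain2.com", "domain3.com"}  # domains this server accepts
WHITELIST = {"domain1.com", "domain2.com"}   # whitelist-recipient entries marked OK
RBL_LISTED = {"192.0.2.66"}                  # client IPs a DNSBL would list

def _domain(msg):
    return msg["rcpt"].rsplit("@", 1)[1].lower()

def permit_mynetworks(msg):
    return "PERMIT" if msg.get("in_mynetworks") else "DUNNO"

def permit_sasl_authenticated(msg):
    return "PERMIT" if msg.get("sasl") else "DUNNO"

def permit_auth_destination(msg):
    return "PERMIT" if _domain(msg) in LOCAL_DOMAINS else "DUNNO"

def reject_unauth_destination(msg):
    return "DUNNO" if _domain(msg) in LOCAL_DOMAINS else "REJECT"

def check_recipient_access(msg):
    return "PERMIT" if _domain(msg) in WHITELIST else "DUNNO"

def reject_rbl_client(msg):
    return "REJECT" if msg["client"] in RBL_LISTED else "DUNNO"

POSTED_ORDER = [permit_mynetworks, permit_sasl_authenticated,
                permit_auth_destination, check_recipient_access,
                reject_unauth_destination, reject_rbl_client]
SUGGESTED_ORDER = [permit_mynetworks, permit_sasl_authenticated,
                   reject_unauth_destination, check_recipient_access,
                   reject_rbl_client]

def evaluate(order, msg):
    """Return (action, deciding restriction); an exhausted list permits."""
    for restriction in order:
        action = restriction(msg)
        if action != "DUNNO":
            return action, restriction.__name__
    return "PERMIT", "end of list"

if __name__ == "__main__":
    for rcpt in ("user@domain1.com", "user@domain3.com", "user@example.org"):
        msg = {"client": "192.0.2.66", "rcpt": rcpt}  # RBL-listed client
        print(rcpt, evaluate(POSTED_ORDER, msg), evaluate(SUGGESTED_ORDER, msg))
```

In the posted order every local recipient is permitted by permit_auth_destination before the whitelist or the RBL is consulted; in the suggested order the whitelist decides for domain1.com and the RBL check applies to the remaining local domains.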