Dennis Putnam:
> It is beginning to appear this is my only alternative. However,
> maintaining a whitelist will require some special approvals by our
> security auditors. In any case, assuming I can get approval, is the
> syntax for this the same as the other hash files (i.e. IP address
> followed by REJECT, OK, etc.)? Also, how do I set the default to be
> reject? My best hope for approval is to only need to add exceptions.
I suggest using a CIDR table. These tables are read sequentially, and the first matching pattern wins. The following makes exceptions for two networks and applies reject_unknown_client for everyone else.

/etc/postfix/main.cf:
    smtpd_???_restrictions =
        ...
        check_client_access cidr:/etc/postfix/client_access.cidr
        ...

/etc/postfix/client_access.cidr:
    1.2.3.0/24   dunno
    5.6.7.0/24   dunno
    0.0.0.0/0    reject_unknown_client

The syntax of the left-hand side is in the cidr_table(5) manpage (man 5 cidr_table). The syntax of the right-hand side is in the access(5) manpage (man 5 access).

The real problem is that the DNS gives out (some or all) bad PTR records for this client IP address.

        Wietse
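The following is an added example, not part of either message above and not Postfix code: a small Python model of the cidr_table(5) lookup rule described in the reply (entries are tried in order, first match wins). It parses a constructed table in the same shape as the one in the reply, looks up client addresses against it, and shows the edge case a practitioner hits when copying that table verbatim: 0.0.0.0/0 matches only IPv4 clients, so an IPv6 client falls through to the next restriction unless a ::/0 line is added. The function names and the sample table are this example's own; the parser handles only plain "pattern result" lines and does not implement the negation or IF/ENDIF forms cidr_table(5) also accepts.

```python
import ipaddress

# Constructed sample table in cidr_table(5) syntax (not from the original post).
# The ::/0 line is an addition so that IPv6 clients get the same default;
# 0.0.0.0/0 alone never matches an IPv6 client address.
SAMPLE_TABLE = """\
# first match wins; comments and blank lines are ignored
1.2.3.0/24      dunno
5.6.7.0/24      dunno
0.0.0.0/0       reject_unknown_client
::/0            reject_unknown_client
"""


def parse_cidr_table(text):
    """Parse plain 'pattern result' lines into an ordered list of (network, result).

    Only the simple form of cidr_table(5) is handled here (assumption of this
    example); negated patterns and IF/ENDIF blocks are not supported.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected 'pattern result', got {raw!r}")
        pattern, result = parts
        # A bare address without a prefix length becomes a single-host network
        # (/32 or /128). strict=False masks off any host bits in the pattern.
        net = ipaddress.ip_network(pattern, strict=False)
        entries.append((net, result.strip()))
    return entries


def lookup(entries, client_ip):
    """Return the result of the first entry whose network contains client_ip,
    or None when nothing matches (Postfix then moves on to the next restriction)."""
    addr = ipaddress.ip_address(client_ip)
    for net, result in entries:
        # An IPv4 network never contains an IPv6 address and vice versa.
        if addr.version == net.version and addr in net:
            return result
    return None


if __name__ == "__main__":
    table = parse_cidr_table(SAMPLE_TABLE)
    for ip in ("1.2.3.77", "5.6.7.1", "9.9.9.9", "2001:db8::1"):
        print(f"{ip:>14} -> {lookup(table, ip)}")
```

On a real Postfix host the equivalent check is `postmap -q 9.9.9.9 cidr:/etc/postfix/client_access.cidr`, which prints the result the table yields for that client address; this example only reproduces the ordering and version-matching behaviour so the table can be reasoned about offline.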