Hi,

> If you don't want to whitelist the IP address completely but instead just
> want to allow it to bypass your HELO checks, then check_helo_access will
> work. However, you should first understand that the type of lookup performed
> depends on the name of the restriction, NOT where the restriction is placed.
>
> For example, as was mentioned before, check_client_access looks up the
> "client" (hostname, IP address,...). Likewise, check_sender_access looks up
> the envelope sender, domain, etc. In this case, check_helo_access is going
> to look up the HELO hostname of the client.

But helo is a component of the envelope, no? Wouldn't it then make sense
to have it in sender_checks?

> So, your HELO access map should
> match hostnames (or domain names, see the docs for check_helo_access), not
> IP addresses.

I've tried that too, and the way I have it configured, it rejects both
ways.

> This is always true, regardless of whether the
> check_foo_access statements appear in smtpd_client_restrictions,
> smtpd_sender_restrictions, etc.

No IP addresses in either of those files? There's a HOWTO by Jim Seymour,
linked from postfix.org, detailing UCE controls that I followed, and it
interchanges both:

http://jimsun.linxnet.com/misc/postfix-anti-UCE.txt

I even followed it to help with the helo_checks issue, which hasn't
worked.

> Now -- and there may be a cleaner way to do this -- when I want to bypass a
> restriction for some set of clients or senders, I usually use a pcre table
> that "falls through" to some default restrictions given that nothing else
> matched first. For example, you could have,

Okay, just tried that from a test network, and it doesn't work for me. In
helo_checks.pcre I have:

    /^inside.testdomain.com$/ DUNNO
    /./ reject_invalid_helo_hostname

In main.cf I have:

    check_helo_access pcre:/etc/postfix/helo_checks.pcre

Perhaps the "reject_invalid_helo_hostname" doesn't work with postfix-v1?

I've reloaded postfix and performed the same steps as I have previously,
and it produces this in the logs:

    Nov 12 22:48:51 smtp01 postfix/smtpd[6860]: reject: RCPT from albert.testdomain.com[192.168.1.99]: 504 <alex>: Helo command rejected: need fully-qualified hostname; from=<a...@testdomain.com> to=<a...@testdomain.com>

To follow up with Noel's post,

> You use check_client_access because your table contains a client IP. If your
> table contained the actual bad HELO name you could use check_helo_access, but
> generally it's better to whitelist by client address.

Does that conflict with what Michael was saying about not allowing IP
addresses in access files, or am I misunderstanding what Michael was
saying?

Assuming we do know that the helo would consistently be "alex123" for test
purposes, I could somehow configure the helo_access to permit based on
that string?

Below is the postconf -n. Thanks very much for analyzing it for me.
Actually, I didn't want to be presumptuous, but it probably would have
been quicker in the end :-)

alias_database = hash:/etc/postfix/aliases
alias_maps = hash:/etc/postfix/aliases
alternate_config_directories = /etc/postfix_f
always_bcc =
biff = no
body_checks = regexp:/etc/postfix/body_checks
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
default_process_limit = 120
delay_warning_time = 0
disable_mime_input_processing = yes
disable_vrfy_command = yes
enabled = yes
fallback_relay =
header_checks = pcre:/etc/postfix/header_checks
mail_owner = postfix
mailbox_command = /usr/bin/procmail
mailbox_size_limit = 256000000
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
maps_rbl_domains = zen.spamhaus.org cbl.abuseat.org sbl.spamhaus.org pbl.spamhaus.org
maximal_queue_lifetime = 5d
message_size_limit = 13312000
mime_header_checks =
minimal_backoff_time = 800s
mydestination = $myhostname, localhost.$mydomain
myhostname = smtp01.testdomain.com
mynetworks = 127.0.0.0/8, 192.168.161.45/32, 192.168.174.45/32, 192.168.227.0/24
newaliases_path = /usr/bin/newaliases
queue_directory = /var/spool/postfix
queue_run_delay = 800s
readme_directory = /etc/postfix/README_FILES
relay_domains = $mydestination, testdomain.com
relayhost =
sample_directory = /etc/postfix/samples
sender_canonical_maps =
sendmail_path = /usr/sbin/sendmail
setgid_group = postdrop
smtpd_delay_reject = yes
smtpd_helo_required = yes
smtpd_recipient_restrictions = reject_non_fqdn_sender
    reject_non_fqdn_recipient
    reject_unknown_sender_domain
    reject_unknown_recipient_domain
    reject_unauth_pipelining
    permit_mynetworks
    reject_invalid_hostname
    reject_non_fqdn_hostname
    reject_unauth_destination
    check_helo_access hash:/etc/postfix/helo_checks
    check_recipient_access pcre:/etc/postfix/recipient_checks
    check_sender_access hash:/etc/postfix/sender_checks
    check_client_access hash:/etc/postfix/client_checks
    reject_maps_rbl
transport_maps = hash:/etc/postfix/transport
unknown_address_reject_code = 554
unknown_client_reject_code = 554
unknown_hostname_reject_code = 554
virtual_maps = hash:/etc/postfix/virtual

Thanks again,
Alex
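
Added example (not part of the original message, and not Postfix's own code): a simplified Python model of how one restriction list is walked, fed with the HELO name and client address from the log line above and the mynetworks value from the postconf -n output. It assumes exact-match table lookups and treats restrictions it does not model as DUNNO; the table names helo_by_name and by_ip and their contents are constructed for illustration.

```python
import ipaddress

REJECT, OK, DUNNO = "REJECT", "OK", "DUNNO"

# Session values taken from the log line in the message; mynetworks from postconf -n.
SESSION = {"client_ip": "192.168.1.99", "helo": "alex"}
MYNETWORKS = ["127.0.0.0/8", "192.168.161.45/32", "192.168.174.45/32", "192.168.227.0/24"]

# The restriction NAME selects the lookup key, wherever the restriction is listed.
LOOKUP_KEY = {"check_client_access": "client_ip", "check_helo_access": "helo"}

def evaluate(restrictions, tables, session=SESSION):
    """Walk one restriction list; the first non-DUNNO result decides."""
    for item in restrictions:
        name, _, table = item.partition(" ")
        if name == "permit_mynetworks":
            ip = ipaddress.ip_address(session["client_ip"])
            hit = any(ip in ipaddress.ip_network(n) for n in MYNETWORKS)
            result = OK if hit else DUNNO
        elif name == "reject_non_fqdn_hostname":
            # Simplification: "fully qualified" is modelled as "contains a dot".
            result = REJECT if "." not in session["helo"] else DUNNO
        elif name in LOOKUP_KEY:
            # Simplification: exact match only (real tables also try domains/subnets).
            result = tables[table].get(session[LOOKUP_KEY[name]], DUNNO)
        else:
            result = DUNNO  # assumption: unmodelled restrictions do not decide
        if result != DUNNO:
            return result, name
    return DUNNO, None

# Constructed table contents (hypothetical, not from the message).
TABLES = {"helo_by_name": {"alex": OK}, "by_ip": {"192.168.1.99": OK}}

# Order as in the posted postconf -n: the HELO reject fires before the table is read.
AS_POSTED = ["permit_mynetworks", "reject_non_fqdn_hostname",
             "reject_unauth_destination", "check_helo_access helo_by_name"]
# An IP address in a check_helo_access table never matches: the key is the HELO name.
IP_IN_HELO_MAP = ["permit_mynetworks", "reject_unauth_destination",
                  "check_helo_access by_ip", "reject_non_fqdn_hostname"]
# Whitelisting by client address, placed after reject_unauth_destination.
BY_CLIENT = ["permit_mynetworks", "reject_unauth_destination",
             "check_client_access by_ip", "reject_non_fqdn_hostname"]

if __name__ == "__main__":
    for label, rules in [("as posted", AS_POSTED), ("IP in HELO map", IP_IN_HELO_MAP),
                         ("by client", BY_CLIENT)]:
        print(label, "->", evaluate(rules, TABLES))
```

In the two lists that permit by table, the lookup sits after reject_unauth_destination, so an OK result cannot turn the whitelisted client into a relay for arbitrary destinations.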