Stan Hoeppner wrote:
Michael Orlitzky put forth on 12/5/2009 1:38 AM:
Stan Hoeppner wrote:
I can't figure out why my whitelist entry for 204.238.179.0/24 is being

You rejected the HELO hostname, not the IP address. What is
reject_unknown_helo_hostname going to do when your DNS is broken?

You missed the point entirely because you went after the low hanging
fruit, calling out "you read the rejection wrong!".

Re-read my email and tell me why there was a rejection at all; why the
email wasn't accepted as it should have been.  If you'd actually read my
entire email the first time, you wouldn't have answered as you did.

You'll likely have to go for the fruit at the top of the tree to get the
right answer.  I've been on the top branch all day and can't figure it
out, thus my email to the list.

--
Stan


Let's start from the beginning. Here's your access map:

/etc/postfix/access
...
66.135.197                              OK
168.100.1                               OK
204.238.179                             OK
spam-l-boun...@spam-l.com               OK
owner-postfix-us...@cloud9.net          OK
majordomo-ow...@cloud9.net              OK
owner-postfix-us...@postfix.org         OK
...

Now, a client connects. Your restrictions begin to be evaluated. The first class to get evaluated is smtpd_client_restrictions:

smtpd_client_restrictions =
        check_recipient_access hash:/etc/postfix/access
        check_client_access hash:/etc/postfix/access
        ...
        ...
        reject_unknown_client_hostname
        reject_unauth_pipelining

Here, check_recipient_access does nothing, because the recipient (you) is not listed in the access map. The next restriction, check_client_access, matches on the client, 204.238.179.8. A result of OK is returned for smtpd_client_restrictions, and we move on to smtpd_helo_restrictions.

smtpd_helo_restrictions =
        check_recipient_access hash:/etc/postfix/access
        reject_non_fqdn_helo_hostname
        reject_invalid_helo_hostname
        reject_unknown_helo_hostname

The first restriction, check_recipient_access, looks up the RECIPIENT'S ADDRESS in your access map. Since the recipient's address is not listed, this check does nothing, and we move on to the next one. The non_fqdn/invalid checks pass, but then when we get to reject_unknown_helo_hostname, the message is rejected, because you can't look up the host name.

I think what you mean to do here is check_client_access (as opposed to check_recipient_access). You could also use check_helo_access, but then you'd have to add that machine's HELO hostname to the access map.
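
Added example, not part of the original message or of Postfix itself: a simplified Python model of the evaluation order described above, showing that an OK from check_client_access ends only smtpd_client_restrictions and that the HELO class is then evaluated from scratch. The recipient address and the failing-DNS flag are constructed, only the three network entries of the access map are modelled, and the non_fqdn/invalid HELO checks are left out because they pass in the thread.

```python
# Simplified model of Postfix smtpd restriction classes (added example).
# OK ends only the current class; REJECT ends the whole transaction.

# The three network entries from the access map quoted in the thread.
ACCESS = {"66.135.197": "OK", "168.100.1": "OK", "204.238.179": "OK"}

def ip_lookup(table, ip):
    """hash: maps hold no CIDR; try the full address, then strip octets."""
    parts = ip.split(".")
    for n in range(len(parts), 0, -1):
        hit = table.get(".".join(parts[:n]))
        if hit:
            return hit
    return "DUNNO"

def check_client_access(s): return ip_lookup(ACCESS, s["client_ip"])
def check_recipient_access(s): return ACCESS.get(s["recipient"], "DUNNO")
def reject_unknown_helo_hostname(s):
    return "DUNNO" if s["helo_resolves"] else "REJECT"

def run_class(restrictions, session):
    """Evaluate one restriction list; stop at the first OK or REJECT."""
    for r in restrictions:
        result = r(session)
        if result in ("OK", "REJECT"):
            return result, r.__name__
    return "DUNNO", None

def evaluate(classes, session):
    """ACCEPT here only means neither modelled class rejected the mail."""
    for name, restrictions in classes:
        result, by = run_class(restrictions, session)
        if result == "REJECT":
            return f"REJECT in {name} by {by}"
    return "ACCEPT"

CLIENT = [check_recipient_access, check_client_access]
HELO_AS_POSTED = [check_recipient_access, reject_unknown_helo_hostname]
HELO_FIXED = [check_client_access, reject_unknown_helo_hostname]

# Constructed session: whitelisted client IP, HELO name that fails DNS lookup.
SESSION = {"client_ip": "204.238.179.8", "recipient": "user@example.org",
           "helo_resolves": False}

def demo():
    posted = evaluate([("smtpd_client_restrictions", CLIENT),
                       ("smtpd_helo_restrictions", HELO_AS_POSTED)], SESSION)
    fixed = evaluate([("smtpd_client_restrictions", CLIENT),
                      ("smtpd_helo_restrictions", HELO_FIXED)], SESSION)
    return posted, fixed

if __name__ == "__main__":
    print(demo())
```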
