On 14/11/2010 11:58, Jack wrote:
> Hello All,
> I want to confirm that what I want to try won't break anything. I want to
> use a CIDR list and reject messages.
> That I can tell I need to do this:
> smtpd_client_restrictions =
>     check_client_access cidr:/usr/local/etc/postfix/maps/ip.cidr,
>     permit

No need for "permit". This is the default action.

> But I don't want to conflict with anything else I am doing.
> I was going to insert this where I typed in " XXXXXXXXXXXX I want to add
> code HERE XXXXXXXXXXXXXXXXXX" below.
> Do I need to do more to allow more things within the
> smtpd_client_restrictions = or will it work to basically say reject those
> IPs then allow everything else?
> Also to test this do I put in the CIDR file:
> 123.234.32.8 WARN CIDR Rejection
> Instead of 123.234.32.8 REJECT CIDR Rejection

That works, but you may prefer:
#let's get elegant with variables...
cidr=cidr:/usr/local/etc/postfix/maps/cidr
smtpd_client_restrictions =
    warn_if_reject
    check_client_access $cidr/access_client
== /usr/local/etc/postfix/maps/cidr/access_client:
192.0.2.3 REJECT blah blah
warn_if_reject will convert the reject into a warning.
Note: warn_if_reject applies to its next check, not to other checks.
Note that you have no whitelisting here. I prefer using
smtpd_recipient_restrictions (to avoid duplicate whitelisting):
smtpd_recipient_restrictions =
    #reject_non_fqdn_sender
    #reject_non_fqdn_recipient
    #
    #permit_sasl_authenticated
    permit_mynetworks
    #
    reject_unauth_destination
    #
    reject_unlisted_recipient
    reject_unlisted_sender
    #
    ...
    check_client_access $cidr/access_client
    reject_rbl_client zen.spamhaus.org
    ...
== /usr/local/etc/postfix/maps/cidr/access_client:
#whitelist
192.168.100.0/24 OK
#blacklist
192.0.2.1 REJECT blah blah
# warn
192.0.2.2 WARN blah blah
# return a restriction class
192.0.2.3 restriction_class_foo
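
Added example, not part of the original message and not Postfix code: a small Python dry-run of the first-match lookup a cidr: table performs, so an access_client file can be checked for rule order before it goes live. The function names are hypothetical, the sample table is constructed from the file shown above, and the sketch handles only plain "pattern result" lines and treats a pattern with host bits set as an error.

```python
import ipaddress

# Constructed sample table, mirroring the access_client file shown above.
SAMPLE_TABLE = """\
#whitelist
192.168.100.0/24 OK
#blacklist
192.0.2.1 REJECT blah blah
# warn
192.0.2.2 WARN blah blah
# return a restriction class
192.0.2.3 restriction_class_foo
"""

def parse_cidr_table(text):
    """Return [(network, result), ...] in file order; raise on malformed rules."""
    rules = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments carry no rule
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: pattern without a result")
        try:
            # strict=True refuses patterns with host bits set, e.g. 192.0.2.1/24
            net = ipaddress.ip_network(parts[0], strict=True)
        except ValueError as exc:
            raise ValueError(f"line {lineno}: {exc}") from None
        rules.append((net, parts[1].strip()))
    return rules

def lookup(rules, client_ip):
    """First matching rule wins; None means no match, so the next restriction decides."""
    addr = ipaddress.ip_address(client_ip)
    for net, result in rules:
        if addr.version == net.version and addr in net:
            return result
    return None

def shadowed_rules(rules):
    """Rules that can never fire because an earlier, wider rule already covers them."""
    out = []
    for i, (net, result) in enumerate(rules):
        if any(e.version == net.version and net.subnet_of(e) for e, _ in rules[:i]):
            out.append((str(net), result))
    return out
```

On a live system, `postmap -q 192.0.2.1 cidr:/usr/local/etc/postfix/maps/cidr/access_client` asks Postfix itself for the same lookup.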