on 02/03/2011 04:13 PM Brian Evans - Postfix List wrote the following:
> On 2/3/2011 3:34 AM, Aggelos wrote:
>> on 02/03/2011 10:05 AM Stan Hoeppner wrote the following:
>>> Aggelos put forth on 2/2/2011 10:49 PM:
>>>> on 02/03/2011 05:24 AM Aggelos wrote the following:
>>>>
>>>>> With that setup, if I wanted to accept mail from a specific Internet IP,
>>>>> which would otherwise be filtered out, how would I do it?
>>>>>
>>>> I meant clients that are rejected like so:
>>>> Feb 3 06:46:59 viper postfix/smtpd[3924]: NOQUEUE: reject: RCPT from
>>>> unknown[62.1.42.20]: 450 4.7.1 Client host rejected: cannot find your
>>>> hostname, [62.1.42.20]; from=<www-d...@insomnia.gr>
>>>> to=<...> proto=ESMTP helo=<mail.insomnia.gr>
>>> One possible method, using a cidr table:
>>>
>>> smtpd_recipient_restrictions =
>>> check_client_access cidr:/etc/postfix/whitelist.cidr
>>>>>>> reject_invalid_hostname,
>>>>>>> reject_non_fqdn_hostname,
>>>>>>> reject_non_fqdn_sender,
>>>>>>> reject_non_fqdn_recipient,
>>>>>>> reject_unknown_sender_domain,
>>>>>>> reject_unknown_recipient_domain,
>>>>>>> reject_unknown_client,
>>>>>>> reject_unknown_hostname,
>>>>>>> permit_mynetworks,
>>>>>>> reject_unauth_destination,
>>>>>>> check_recipient_access pcre:/etc/postfix/recipient_checks.pcre,
>>>>>>> check_helo_access hash:/etc/postfix/helo_checks,
>>>>>>> check_sender_access hash:/etc/postfix/sender_checks,
>>>>>>> check_client_access hash:/etc/postfix/client_checks,
>>>>>>> check_client_access pcre:/etc/postfix/client_checks.pcre,
>>>>>>> reject_rbl_client zen.spamhaus.org,
>>>>>>> permit
>>> /etc/postfix/whitelist.cidr
>>> 62.1.42.20 permit_auth_destination
>>>
>>>
>> Thanks.
>>
>> 1) Where should this be placed?
>> Should it be first in smtpd_recipient_restrictions ?
>> I tried it and it worked when placed just after
>> reject_unknown_recipient_domain (before reject_unknown_client).
>>
>> 2) Also tried
>> 62.1.42.20 OK
>> in /etc/postfix/client_checks
>> and moving check_client_access hash:/etc/postfix/client_checks as above
>> (before reject_unknown_client) which also worked.
>>
>> Which one of the two is more safe?
>
> "OK" makes you an open relay for mail from that IP.
> It is better to use permit_auth_destination since it comes before
> reject_unauth_destination unless you trust that source.
>
Thanks a lot! I don't trust any external source. So I had better use the permit_auth_destination as suggested by Stan in the first place.
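
The difference between the two whitelist actions discussed in this thread, as an added example that is not part of the original messages: a simplified Python model of first-match evaluation over a shortened version of the posted restriction list. `LOCAL_DOMAINS`, the recipient addresses and the helper names are constructed assumptions, and every rejection is collapsed to a plain `REJECT`.

```python
# Simplified model of first-match evaluation in smtpd_recipient_restrictions.
# Each check returns PERMIT, REJECT or DUNNO; DUNNO means "try the next one".
LOCAL_DOMAINS = {"example.org"}   # constructed stand-in for domains this server accepts
WHITELISTED = "62.1.42.20"        # client IP from the thread

def is_local(rcpt):
    return rcpt.rsplit("@", 1)[-1].lower() in LOCAL_DOMAINS

def permit_auth_destination(s):
    # Permits only recipients the server is responsible for; otherwise no decision.
    return "PERMIT" if is_local(s["rcpt"]) else "DUNNO"

def reject_unauth_destination(s):
    return "DUNNO" if is_local(s["rcpt"]) else "REJECT"

def reject_unknown_client(s):
    return "DUNNO" if s["has_rdns"] else "REJECT"

def client_access(action):
    """Model of a check_client_access table holding one entry for WHITELISTED."""
    def check(s):
        if s["client"] != WHITELISTED:
            return "DUNNO"
        # "OK" permits unconditionally; a restriction name is evaluated in place.
        return "PERMIT" if action == "OK" else permit_auth_destination(s)
    return check

def build(action):
    # Shortened list: whitelist lookup placed before reject_unknown_client.
    return [
        ("check_client_access", client_access(action)),
        ("reject_unknown_client", reject_unknown_client),
        ("reject_unauth_destination", reject_unauth_destination),
    ]

def evaluate(restrictions, s):
    for name, check in restrictions:
        result = check(s)
        if result != "DUNNO":
            return result, name
    return "PERMIT", "permit"     # the posted list ends with "permit"

def session(rcpt, client=WHITELISTED, has_rdns=False):
    return {"client": client, "rcpt": rcpt, "has_rdns": has_rdns}

if __name__ == "__main__":
    for action in ("OK", "permit_auth_destination"):
        for rcpt in ("user@example.org", "victim@elsewhere.test"):
            print(action, rcpt, evaluate(build(action), session(rcpt)))
```

In this model the `OK` entry ends evaluation before `reject_unauth_destination` is reached, so mail from the whitelisted IP to a non-local recipient is accepted, while `permit_auth_destination` only bypasses the later checks for local recipients.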