Hi. There must be a glaringly obvious solution to my problem that I can't see for looking at it. Can anyone help?

A few "trusted" senders have trouble getting past my server's vicious anti-spam defences. Sometimes their mail is sent over IPv6 from a source address that has no reverse DNS entry. For others, their connections come from blacklisted IPv4 addresses: for instance, one of Hotmail's outbound SMTP engines. This results in false positives for these senders and their inbound mail getting rejected. Sigh. The senders can't do anything about the naughty addresses their mail might get sent from, so I need to tweak my Postfix setup somehow to let their mail through yet keep the spammers out.

My thought was to set up an access map to allow incoming mail from these approved sender addresses, i.e. if the sending address in the SMTP envelope was in some list of trusted senders, accept the incoming mail. [Yes, I know MAIL FROM can be trivially forged, but I can live with that. Security through obscurity for these trusted addresses should be good enough to keep the spammers away.] However, when a hit is made against this access map, the remaining smtpd_*_restrictions still get checked. That means the inbound mail gets rejected because the connection is from a dodgy IP address, even though the sender's SMTP envelope is supposedly trusted.

What have I missed? Is there some way to bypass the reverse DNS and RBL checks for trusted SMTP envelopes, or would that involve doing some sort of before-queue filtering (with postscreen)?

Here are the relevant snippets of my configuration:

# Evaluated per connection. An OK from the access map ends THIS list only;
# smtpd_recipient_restrictions below is still evaluated afterwards.
smtpd_client_restrictions = permit_mynetworks
        # keyed on the envelope sender (MAIL FROM), which is what okclients holds;
        # check_client_access would look up the client's hostname/IP instead
        check_sender_access hash:/etc/postfix/okclients
        reject_rbl_client zen.spamhaus.org
        reject_unknown_client_hostname
        permit

smtpd_recipient_restrictions = permit_mynetworks
        # relay control before any access-map OK, so a forged "trusted"
        # MAIL FROM can never turn this into an open relay
        reject_unauth_destination
        check_sender_access hash:/etc/postfix/okclients
        reject_non_fqdn_sender
        reject_non_fqdn_recipient
        reject_unknown_recipient_domain
        reject_unauth_pipelining

And in okclients, there are entries like:

trus...@example.com     OK

If someone can apply clue, I'd be grateful.

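The consolidated main.cf fragment below is an added example, not the poster's configuration and not anything from the Postfix project itself. It shows the evaluation rule that causes the problem described in the post and one layout that avoids it: all of the anti-spam checks live in a single list, with the trusted-sender lookup placed in front of them, while relay control stays in its own list so that a forged MAIL FROM cannot buy anything more than a skipped spam check. It assumes Postfix 2.10 or later (for smtpd_relay_restrictions) and reuses the map name /etc/postfix/okclients from the post; the addresses shown in the map comment are made up.

```conf
# Added example, not the poster's configuration. Assumes Postfix 2.10+
# (smtpd_relay_restrictions exists) and a sender-keyed access map at
# /etc/postfix/okclients, as in the original post.
#
# Why the two-list setup fails: with the default smtpd_delay_reject = yes,
# every smtpd_*_restrictions list is evaluated at RCPT TO, one after the
# other (client, helo, sender, relay, recipient). An OK/PERMIT result ends
# only the list it occurs in; the next list starts from scratch. A sender
# whitelist can therefore only skip the RBL and reverse-DNS checks if it
# sits in the SAME list, in front of them.

# Relay control in its own list, evaluated before
# smtpd_recipient_restrictions. No OK from the whitelist below can reach
# back into this list, so a forged "trusted" MAIL FROM gets the spam
# checks skipped but still cannot relay through this server.
smtpd_relay_restrictions =
        permit_mynetworks
        reject_unauth_destination

# One list for the whole anti-spam policy. Order matters: everything after
# check_sender_access is skipped for a sender that matches the map.
smtpd_recipient_restrictions =
        permit_mynetworks
        reject_unauth_destination
        check_sender_access hash:/etc/postfix/okclients
        reject_non_fqdn_sender
        reject_non_fqdn_recipient
        reject_unknown_recipient_domain
        # while tuning, prefix a check with warn_if_reject to log what it
        # WOULD reject instead of rejecting, e.g.
        #   warn_if_reject reject_rbl_client zen.spamhaus.org
        reject_rbl_client zen.spamhaus.org
        reject_unknown_client_hostname

# Pipelining abuse is caught more reliably at DATA than at RCPT TO.
smtpd_data_restrictions =
        reject_unauth_pipelining

# Empty the old per-connection list so the RBL and reverse-DNS checks are
# not evaluated a second time, outside the reach of the whitelist.
smtpd_client_restrictions =

# /etc/postfix/okclients (rebuild with "postmap hash:/etc/postfix/okclients"
# after every edit). OK ends the list with a permit; DUNNO would merely
# fall through to the next restriction. Addresses below are invented.
#   trusted.person@example.com   OK
#   example.net                  OK    (any sender in that domain)
```

After changing main.cf, run `postfix reload` and watch the mail log for the next message from one of the trusted senders: a match on the map shows up as the message being accepted even though the client IP would normally have tripped reject_rbl_client or reject_unknown_client_hostname. Keep the map to exact addresses where you can; a domain-wide entry widens the set of MAIL FROM values a spammer could guess.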