On Jun 11, 2012, at 09:36, tobi wrote: > I have a question concerning a custome error msg when using a helo_check > In helo_check I have the following line: > << > /^[0-9\.]+$/ 550 Not a valid helo name >>> > now I want to allow some trustworth hosts to be allowed to send such a > helo. So I put the sending system in mynetworks parameter and in helo_check > << > /^[0-9\.]+$/ permit_mynetworks, 550 Not a valid hostname >>> > but this leads to an error from postfix. So my question is: Is it > possible to "mix" built in policies with custom error messages? > For the moment I have > << > /^[0-9\.]+$/ permit_mynetworks, reject >>> > which works but I really would like to send customized error messages. > > Thanks a lot for any hint
Don't mix them, but specify individual restrictions; http://www.postfix.org/postconf.5.html#smtpd_recipient_restrictions Which could look something like this; smtpd_client_restrictions = smtpd_helo_restrictions = smtpd_sender_restrictions = smtpd_recipient_restrictions = permit_mynetworks reject_unauth_destination check_client_access cidr:/etc/postfix/.../client_whitelist check_helo_access pcre:/etc/postfix/.../helo_check.pcre Don't copy and paste the above, make sure you understand what it does, and why. It is a simplified version of what you'll ultimately want to have in place there. Only your own servers are in 'mynetworks', nothing else. After the relay check with 'reject_unauth_destination', you do a 'check_client_access' for IP addresses that are allowed to override the restrictions that follow, such as the HELO check. You list those IP address in the CIDR table, followed by an 'OK', or a restriction class. You should either specify your custom message with a 'REJECT', or with the full '550 5.7.1' to supply the extended status codes. When in doubt, use 'REJECT ...' and Postfix will supply the proper response for you. Also, since it seems you are trying to block the use of address literals; the use of these is perfectly valid according to spec, so it may be a good idea to adjust your message somewhat, and explain; /^\[.*\]$/ REJECT address literals not accepted from non-client hosts Any hosts you trust would never see that message, because they are permitted in the previous restriction step. But most of all, read and understand the documentation :-) Cya, Jona
