Wietse Venema:
> Brad Smith:
> > postscreen_whitelist_interfaces = !IPv4, static:all
>
> Where does the documentation promise that IPv4 is a "server IP address"?

That said, I must admit that a block of text was somehow left out of the documentation. The updated text below steals liberally from the "mynetworks" parameter description.

Wietse

postscreen_whitelist_interfaces (default: static:all)

A list of local postscreen(8) server IP addresses where a non-whitelisted remote SMTP client can obtain postscreen(8)'s temporary whitelist status. This status is required before the client can talk to a Postfix SMTP server process. By default, a client can obtain postscreen(8)'s whitelist status on any local postscreen(8) server IP address.

When postscreen(8) listens on both primary and backup MX addresses, the postscreen_whitelist_interfaces parameter can be configured to give the temporary whitelist status only when a client connects to a primary MX address. Once a client is whitelisted it can talk to a Postfix SMTP server on any address. Thus, clients that connect only to backup MX addresses will never become whitelisted, and will never be allowed to talk to a Postfix SMTP server process.

New text starts here.

Specify a list of network addresses or network/netmask patterns, separated by commas and/or whitespace. The netmask specifies the number of bits in the network part of a host address. Continue long lines by starting the next line with whitespace.

You can also specify "/file/name" or "type:table" patterns. A "/file/name" pattern is replaced by its contents; a "type:table" lookup table is matched when a table entry matches a lookup string (the lookup result is ignored).

The list is matched left to right, and the search stops on the first match. Specify "!pattern" to exclude an address or network block from the list.

Note: IP version 6 address information must be specified inside [] in the postscreen_whitelist_interfaces value, and in files specified with "/file/name". IP version 6 addresses contain the ":" character, and would otherwise be confused with a "type:table" pattern.

New text ends here.

Example:

/etc/postfix/main.cf:
    # Don't whitelist connections to the backup IP address.
    postscreen_whitelist_interfaces = !168.100.189.8, static:all

This feature is available in Postfix 2.9 and later.
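
The matching rules quoted above (left to right, first match wins, "!pattern" excludes, IPv6 inside []) can be checked against a candidate value with a small model. This is an added example, not part of the original message and not Postfix code; the function names are hypothetical, and it models only address/netmask patterns and static: tables.

```python
import ipaddress

def parse_list(value):
    """Split a main.cf value on commas/whitespace into (negated, pattern) pairs."""
    pairs = []
    for token in value.replace(",", " ").split():
        pattern = token.lstrip("!")
        bangs = len(token) - len(pattern)
        pairs.append((bangs % 2 == 1, pattern))
    return pairs

def matches(pattern, addr):
    """True when one pattern matches the local server address."""
    if pattern.startswith("["):
        # Bracketed IPv6 such as [2001:db8::8] or [2001:db8::]/32.
        host, _, prefix = pattern[1:].partition("]")
        pattern = host + prefix
    elif ":" in pattern or pattern.startswith("/"):
        # Without brackets a ":" means type:table, which is why IPv6 needs [].
        if pattern.startswith("static:"):
            return True  # a static: table returns a result for every key
        raise ValueError("table or file pattern not modelled: " + pattern)
    return addr in ipaddress.ip_network(pattern, strict=False)

def grants_whitelist(value, server_addr):
    """Left to right, first match wins; "!pattern" turns a match into a refusal."""
    addr = ipaddress.ip_address(server_addr)
    for negated, pattern in parse_list(value):
        if matches(pattern, addr):
            return not negated
    return False  # nothing matched

if __name__ == "__main__":
    # Constructed inputs: 168.100.189.8 is the backup address from the example
    # above; 192.0.2.25 and 2001:db8::8 are documentation-range placeholders.
    cases = [
        ("!168.100.189.8, static:all", "168.100.189.8"),
        ("!168.100.189.8, static:all", "192.0.2.25"),
        ("static:all, !168.100.189.8", "168.100.189.8"),  # exclusion never reached
        ("![2001:db8::8], static:all", "2001:db8::8"),
    ]
    for value, addr in cases:
        print(f"{value!r:32} {addr:15} -> {grants_whitelist(value, addr)}")
```

The third case shows the ordering pitfall: with static:all listed first, the backup address matches before the exclusion is reached, so clients connecting only to the backup MX would still obtain whitelist status.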