Hello list,
I'm running a Postfix (2.6.6) server used by my company's customers to
submit mail.
Source IPs are not known in advance, so normally we grant relay access
using SASL authentication.
Additionally, we need to prevent, as much as possible, submissions from
unauthorized clients using stolen credentials (i.e. viruses or bots), so,
as a further measure, we check source IPs against Spamhaus RBL (I know
that this might not be an exhaustive solution - we have in fact other
controls down the line).
I'm using the following set of restrictions (/etc/postfix/domain.hash is
a list of recipient domains we don't want to send mail to):

smtpd_recipient_restrictions =
    reject_rbl_client zen.spamhaus.org,
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    reject_unknown_sender_domain,
    check_recipient_access hash:/etc/postfix/domain.hash,
    permit_sasl_authenticated,
    reject_unauth_destination

Everything works fine, except when one client's IP is blacklisted by
Spamhaus. In this case, we need to whitelist that IP - and that should
be obtainable with the following:

smtpd_recipient_restrictions =
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    reject_unknown_sender_domain,
    check_recipient_access hash:/etc/postfix/domain.hash,
    check_client_access cidr:/etc/postfix/whitelist_client.cidr,
    reject_rbl_client zen.spamhaus.org,
    permit_sasl_authenticated,
    reject_unauth_destination

/etc/postfix/whitelist_client.cidr
    1.2.3.4/32 OK

By moving up the sender/rcpt restrictions I can enforce those checks on
whitelisted clients too. But (and that's my question) how can I force
SASL authentication for whitelisted clients? I couldn't figure out a way
to make Postfix evaluate the permit_sasl_authenticated directive in
those cases.
Thanks a lot for your help!
Fabio
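
Added example, not part of the original message and not Postfix code: a simplified Python model of first-match restriction evaluation, run over the two lists above, showing why an `OK` from the client table ends evaluation before permit_sasl_authenticated is reached. The function names, the second address 5.6.7.8 and the RBL contents are constructed; `WHITELIST_AUTH` is an assumed variant that relies on access(5) allowing restriction names as a table result.

```python
OK, REJECT, DUNNO = "OK", "REJECT", "DUNNO"
RBL_LISTED = {"1.2.3.4", "5.6.7.8"}   # constructed: both IPs are on the RBL

def evaluate(restrictions, req, client_table):
    """First non-DUNNO result wins; DUNNO means 'no decision, keep going'."""
    for name in restrictions:
        if name == "reject_rbl_client":
            res = REJECT if req["ip"] in RBL_LISTED else DUNNO
        elif name == "permit_sasl_authenticated":
            res = OK if req["sasl"] else DUNNO
        elif name == "reject_unauth_destination":
            res = REJECT if req["relay"] else DUNNO
        elif name == "reject":
            res = REJECT
        elif name == "check_client_access":
            # The /32 entry is modelled as an exact-IP lookup.
            action = client_table.get(req["ip"], DUNNO)
            # A table result is either a verdict or a list of restriction names.
            res = action if isinstance(action, str) else evaluate(action, req, client_table)
        else:
            res = DUNNO   # FQDN, sender-domain and recipient-domain checks assumed to pass
        if res != DUNNO:
            return res
    return DUNNO

def decide(restrictions, req, client_table):
    """A request is permitted when the list ends without a decision."""
    res = evaluate(restrictions, req, client_table)
    return OK if res == DUNNO else res

COMMON = ["reject_non_fqdn_sender", "reject_non_fqdn_recipient",
          "reject_unknown_sender_domain", "check_recipient_access"]
TAIL = ["reject_rbl_client", "permit_sasl_authenticated", "reject_unauth_destination"]
FIRST_LIST = ["reject_rbl_client"] + COMMON + TAIL[1:]     # RBL check first
SECOND_LIST = COMMON + ["check_client_access"] + TAIL      # whitelist before RBL

WHITELIST_OK = {"1.2.3.4": OK}                                          # as posted
WHITELIST_AUTH = {"1.2.3.4": ["permit_sasl_authenticated", "reject"]}   # assumed variant

def relay_request(ip, sasl):
    """Constructed request: client at `ip` relaying to a remote recipient."""
    return {"ip": ip, "sasl": sasl, "relay": True}

if __name__ == "__main__":
    for table in (WHITELIST_OK, WHITELIST_AUTH):
        for sasl in (False, True):
            print(table, sasl, decide(SECOND_LIST, relay_request("1.2.3.4", sasl), table))
```

With `WHITELIST_OK` the unauthenticated request from 1.2.3.4 is permitted to relay; with `WHITELIST_AUTH` the same client is permitted only after SASL authentication, while other RBL-listed addresses are still rejected.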