On 2/8/2013 3:51 AM, Fabio Sangiovanni wrote:
> Hello list,
>
> I'm running a Postfix (2.6.6) server used by my company's customers
> to submit mail.
> Source IPs are not known in advance, so normally we grant relay
> access using SASL authentication.
> Additionally, we need to prevent as much as possible submissions
> from unauthorized clients using stolen credentials (i.e. viruses or
> bots), so, as a further measure, we check source IPs against
> Spamhaus RBL (I know that this might not be an exhaustive solution -
> we have in fact other controls down the line).
>
> I'm using the following set of restrictions
> (/etc/postfix/domain.hash is a list of recipient domains we don't
> want to send mail to):
>
> smtpd_recipient_restrictions =
>     reject_rbl_client zen.spamhaus.org,
>     reject_non_fqdn_sender,
>     reject_non_fqdn_recipient,
>     reject_unknown_sender_domain,
>     check_recipient_access hash:/etc/postfix/domain.hash,
>     permit_sasl_authenticated,
>     reject_unauth_destination
>
> Everything works fine, except when one client's IP is blacklisted by
> Spamhaus. In this case, we need to whitelist that IP - and that
> should be obtainable with the following:
>
> smtpd_recipient_restrictions =
>     reject_non_fqdn_sender,
>     reject_non_fqdn_recipient,
>     reject_unknown_sender_domain,
>     check_recipient_access hash:/etc/postfix/domain.hash,
>     check_client_access cidr:/etc/postfix/whitelist_client.cidr,
>     reject_rbl_client zen.spamhaus.org,
>     permit_sasl_authenticated,
>     reject_unauth_destination
>
> /etc/postfix/whitelist_client.cidr
> 1.2.3.4/32 OK
>
> Moving up sender/rcpt restrictions I can enforce those checks to
> whitelisted clients too. But (and that's my question) how can I
> force SASL authentication to whitelisted clients? I couldn't figure
> out a way to make Postfix evaluate the permit_sasl_authenticated
> directive in those cases.
>
> Thanks a lot for your help!
>
> Fabio
Seems like the easiest solution is to put permit_sasl_authenticated BEFORE reject_rbl_client. Then no whitelisting is needed.

-- Noel Jones
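One way to get exactly what the question asks for (a whitelisted IP skips the RBL lookup but still has to authenticate, so stolen credentials from any other source still hit the RBL) is a Postfix restriction class; this is an added example and is not part of either post in the thread. It assumes the map paths from the question, and the class name sasl_required is an arbitrary choice.

```ini
# Added example (not from the thread). A restriction class lets the client
# access lookup return "must authenticate" instead of a flat OK/permit.
# The class name "sasl_required" is arbitrary; map paths are the question's.
smtpd_restriction_classes = sasl_required

# Authenticated whitelisted clients are permitted to relay; unauthenticated
# ones are rejected outright, which fits a submission-only server.
sasl_required = permit_sasl_authenticated, reject

# Whitelisted IPs receive the class result at check_client_access and never
# reach reject_rbl_client; every other client continues down the list as before.
smtpd_recipient_restrictions =
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    reject_unknown_sender_domain,
    check_recipient_access hash:/etc/postfix/domain.hash,
    check_client_access cidr:/etc/postfix/whitelist_client.cidr,
    reject_rbl_client zen.spamhaus.org,
    permit_sasl_authenticated,
    reject_unauth_destination
```

In /etc/postfix/whitelist_client.cidr the entry for the whitelisted client then becomes "1.2.3.4/32 sasl_required" instead of "1.2.3.4/32 OK" (cidr maps need no postmap, only a postfix reload).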