Hello, I have a need to whitelist a specific sender domain (and any subdomain thereof) such that some of Postfix's normal smtpd_recipient_restrictions are bypassed. Specifically, I need for network blacklist checks to be skipped when the message originates from a specific domain (or any subdomain thereof).
Basically, a legitimate, external sender (whom I have nothing to do with and no control over) whose outgoing mail is handled via Network Solutions has ended up on a few blacklists. I need for these messages to be delivered to recipients whose mail services we do host/control. The mail seems to come from *.myregisteredsite.com (that's the helo= value in Postfix's log), where * varies. To be clear, the sender's actual email address domain is completely different. (The myregisteredsite.com domain belongs to Network Solutions.)

I have read through http://www.postfix.org/RESTRICTION_CLASS_README.html and it seems as though a check of this nature would be subject to SMTP sender address spoofing. I guess I can live with that, but I'm all ears if there is a way to harden the approach against spoofing.

After consulting the relevant documentation, I still have several questions:

1.) Is smtpd_recipient_restrictions the correct directive to use for this purpose?

2.) Do I need to use the sender's SMTP server domain name? Or do I need to use the sender's proper email address domain (the portion after the local-part)? Is there any reason to create entries for both?

3.) What is the syntax required to whitelist all subdomains of the sender's parent domain? Would I simply use "example.com" (without the quotes, of course) to include all subdomains thereof, e.g., sub1.example.com, sub2.sub1.example.com, etc.? If so, is there a way to include *only* the top-level domain (and exclude any subdomains)?

4.) I want to ensure that whitelisted senders are subject to all of the normal checks, except for the three reject_ rules at the end (see config below). Should I move check_recipient_access down the list so that it's just above reject_rbl_client to achieve the desired result? Or might doing so have unintended consequences?

5.) Is there a reliable mechanism by which to test/ensure that the whitelist rule is functioning correctly?

Something like this perhaps (where example.com is the whitelisted sender's domain)?

```
postmap -q example.com mysql:/etc/postfix/mysql-virtual_recipient.cf
```

Doing this returns "OK". Should I be looking for something specific in the mail log when mail arrives from a sender at the whitelisted domain, too?

Here is the current value for the smtpd_recipient_restrictions directive (Postfix 2.7.0):

```
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf,
    reject_sender_login_mismatch,
    reject_invalid_hostname,
    reject_non_fqdn_hostname,
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    reject_unknown_sender_domain,
    reject_unknown_recipient_domain,
    check_policy_service unix:private/policy-spf,
    check_policy_service inet:127.0.0.1:10023,
    reject_rbl_client zen.spamhaus.org,
    reject_rhsbl_helo dbl.spamhaus.org,
    reject_rhsbl_sender dbl.spamhaus.org
```

The contents of /etc/postfix/mysql-virtual_recipient.cf are as follows:

```
user = myuser
password = mypassword
dbname = mydb
table = mail_access
select_field = access
where_field = source
additional_conditions = and type = 'recipient' and active = 'y'
hosts = 127.0.0.1
```

And the `mail_access` DB table looks like this:

```
source                 access  type       active
myregisteredsite.com   OK      recipient  y
```

Thanks for any assistance with this. I really appreciate it.

-Ben
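The two mechanisms the question turns on are (a) which keys Postfix tries against an access table for a HELO name or an envelope address, and (b) the fact that smtpd walks a restriction list in order and stops at the first OK or REJECT, so a whitelist entry bypasses only the restrictions listed after it. The following is an added example, not code from the post or from Postfix: a small Python model of both behaviours, following the key order documented in access(5) for indexed and SQL maps. The DNS and DNSBL checks are replaced by constructed sets (`RESOLVABLE`, `DNSBL_LISTED`), the client IP is a documentation-range address, and the whitelist table contents are sample data; the restriction names are Postfix's own, but the functions here are simplified stand-ins.

```python
"""
Model of Postfix access(5) key matching and smtpd restriction-list evaluation.
Added illustration only; not Postfix source. All table contents, IPs and
domains are constructed sample data.
"""

# Postfix default: parent_domain_matches_subdomains includes smtpd_access_maps,
# so a key "domain.tld" matches the domain and every subdomain. With the
# feature removed, "domain.tld" is an exact match and ".domain.tld" matches
# subdomains only (see access(5)).
PARENT_MATCHES_SUBDOMAINS = True


def host_lookup_keys(hostname, parent_matches=PARENT_MATCHES_SUBDOMAINS):
    """Keys Postfix tries, in order, for a HELO name or client hostname."""
    labels = hostname.lower().split(".")
    keys = [".".join(labels)]
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        keys.append(parent if parent_matches else "." + parent)
    return keys


def sender_lookup_keys(address, parent_matches=PARENT_MATCHES_SUBDOMAINS):
    """Keys tried for an envelope address: user@domain, the domain (and its
    parent domains), then user@ (all addresses with that local part)."""
    local, _, domain = address.lower().rpartition("@")
    return [address.lower()] + host_lookup_keys(domain, parent_matches) + [local + "@"]


def access_lookup(table, keys):
    """Return the action of the first key present in the table, else None."""
    for key in keys:
        if key in table:
            return table[key]
    return None


# Restriction factories. Each returns a function that maps a session context
# {"client_ip", "helo", "sender"} to "OK", "REJECT" or "DUNNO" (no opinion).

def check_helo_access(table):
    def restriction(ctx):
        return access_lookup(table, host_lookup_keys(ctx["helo"])) or "DUNNO"
    return restriction


def check_sender_access(table):
    def restriction(ctx):
        return access_lookup(table, sender_lookup_keys(ctx["sender"])) or "DUNNO"
    return restriction


def reject_unknown_sender_domain(resolvable_domains):
    """Stand-in for the DNS check: sender domains outside the constructed set fail."""
    def restriction(ctx):
        domain = ctx["sender"].rpartition("@")[2].lower()
        return "DUNNO" if domain in resolvable_domains else "REJECT"
    return restriction


def reject_rbl_client(listed_ips):
    """Stand-in for a DNSBL query: client IPs in the constructed set are listed."""
    def restriction(ctx):
        return "REJECT" if ctx["client_ip"] in listed_ips else "DUNNO"
    return restriction


def evaluate(restrictions, ctx):
    """Walk the list as smtpd does: the first OK or REJECT decides; if every
    restriction returns DUNNO, the end of the list permits."""
    for restriction in restrictions:
        verdict = restriction(ctx)
        if verdict in ("OK", "REJECT"):
            return verdict
    return "OK"


# Constructed sample data.
WHITELIST = {"myregisteredsite.com": "OK"}          # HELO domain from the question
RESOLVABLE = {"sender-example.org", "myregisteredsite.com"}
DNSBL_LISTED = {"198.51.100.7"}                     # documentation-range IP

# Whitelist placed just before the DNSBL check: only reject_rbl_client is skipped.
LATE_WHITELIST = [
    reject_unknown_sender_domain(RESOLVABLE),
    check_helo_access(WHITELIST),
    reject_rbl_client(DNSBL_LISTED),
]
# Whitelist placed first: everything after it is skipped, including the DNS check.
EARLY_WHITELIST = [
    check_helo_access(WHITELIST),
    reject_unknown_sender_domain(RESOLVABLE),
    reject_rbl_client(DNSBL_LISTED),
]
NO_WHITELIST = [reject_unknown_sender_domain(RESOLVABLE), reject_rbl_client(DNSBL_LISTED)]

if __name__ == "__main__":
    listed = {"client_ip": "198.51.100.7", "helo": "smtp.myregisteredsite.com",
              "sender": "someone@sender-example.org"}
    bad_sender = dict(listed, sender="someone@does-not-resolve.invalid")
    print("listed IP, whitelist before RBL:", evaluate(LATE_WHITELIST, listed))
    print("listed IP, no whitelist:        ", evaluate(NO_WHITELIST, listed))
    print("bad sender, late whitelist:     ", evaluate(LATE_WHITELIST, bad_sender))
    print("bad sender, early whitelist:    ", evaluate(EARLY_WHITELIST, bad_sender))
```

Two points the model makes visible. First, `check_recipient_access` looks up the envelope recipient address, so a table keyed by the sender's HELO or envelope domain has to be consulted by `check_helo_access`, `check_client_access` or `check_sender_access` for those keys to be tried at all. Second, `postmap -q` queries exactly the key you give it and does not perform the parent-domain walk shown in `host_lookup_keys` (smtpd does that at lookup time), so a passing `postmap -q myregisteredsite.com` does not by itself demonstrate that `smtp.myregisteredsite.com` will match; with the default `parent_domain_matches_subdomains` it will, and with `smtpd_access_maps` removed from that parameter only a `.myregisteredsite.com` key matches subdomains while `myregisteredsite.com` matches the bare domain alone.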