On 3/1/2014 12:17 PM, Ben Johnson wrote: > Hello, > > I have a need to whitelist a specific sender domain (and any subdomain > thereof) such that some of Postfix's normal smtpd_recipient_restrictions > are bypassed. Specifically, I need for network blacklist checks to be > skipped when the message originates from a specific domain (or any > subdomain thereof).
Postfix processes restriction in the order you specify. First match wins. So your whitelist entry must occur before anything that might reject the message. **IMPORTANT NOTE** if the client is being rejected by postscreen, special measures will need to be taken. It would have been nice if you included full "postconf -n" output and a sample log of the unwanted reject so we would know for sure. The rest of this message assumes the reject is not happening in postscreen. > > Basically, a legitimate, external sender (whom I have nothing to do with > and no control over) whose outgoing mail is handled via Network > Solutions has ended-up on a few blacklists. I need for these messages to > be delivered to recipients whose mail services we do host/control. The > mail seems to come from *.myregisteredsite.com (that's the helo= value > in Postfix's log), where * varies. To be clear, the sender's actual > email address domain is completely different. (The myregisteredsite.com > domain belongs to Network Solutions.) > > I have read through http://www.postfix.org/RESTRICTION_CLASS_README.html > and it seems as though a check of this nature would be subject to SMTP > sender address spoofing. I guess I can live with that, but I'm all ears > if there is a way to harden the approach against spoofing. A restriction class is probably overkill for this. Restriction classes are useful for two-factor processing, such as "allow this specific client only to this specific recipient", or "allow this sender address only from this client". > After consulting the relevant documentation, I still have several questions: > > 1.) Is smtpd_recipient_restrictions the correct directive to use for > this purpose? Yes, although if you're using any of the other smtpd_*_restrictions sections you'll need to whitelist the sender there too. > > 2.) Do I need to use the sender's SMTP server domain name? Or do I need > to use the sender's proper email address domain (the portion after the > local-part)? Is there any reason to create entries for both? Probably using the sender's email address domain is appropriate for this particular application. Although sender addresses are easily forged, this isn't usually a big problem unless it's a popular forgery target such as a bank or one of the free mail services. You should use a check_sender_access with the sender's email address domain. > > 3.) What is the syntax required to whitelist all subdomains of the > sender's parent domain? Would I simply use "example.com" (without the > quotes, of course) to include all subdomains thereof, e.g., > sub1.example.com, sub2.sub1.example.com, etc.? If so, is there a way to > include *only* the top-level domain (and exclude any subdomains)? subdomain matching is controlled by the http://www.postfix.org/postconf.5.html#parent_domain_matches_subdomains Default postfix is to match subdomains in access maps, so example.com will match example.com and all subdomains. To match only the top-level domain, you can remove set parent_domain_matches_subdomains = ie. set it empty, and then specify in all your maps example.com # match only example.com .example.com # match subdomains of example.com, but not example.com > > 4.) I want to ensure that whitelisted senders are subject to all of the > normal checks, except for the three reject_ rules at the end (see config > below). Should I move check_recipient_access down the list so that it's > just above reject_rbl_client to achieve the desired result? Or might > doing so have unintended consequences? Put your check_sender_access statement just above the reject_rbl_* statements. > > 5.) Is there a reliable mechanism by which to test/ensure that the > whitelist rule is functioning correctly? Something like this perhaps > (where example.com is the whitelisted sender's domain)? > > postmap -q example.com mysql:/etc/postfix/mysql-virtual_recipient.cf Yes, that will test the map. > > Doing this returns "OK". Should I be looking for something specific in > the mail log when mail arrives from a sender at the whitelisted domain, too? If you have postfix 2.10 or newer, see: http://www.postfix.org/postconf.5.html#smtpd_log_access_permit_actions Otherwise, postfix logs nothing special for permit/OK actions. The lack of a reject indicates it's working. > > > Here is the current value for the smtpd_recipient_restrictions directive > (Postfix 2.7.0): > > smtpd_recipient_restrictions = > permit_mynetworks, > permit_sasl_authenticated, > reject_unauth_destination, > check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf, > reject_sender_login_mismatch, > reject_invalid_hostname, > reject_non_fqdn_hostname, > reject_non_fqdn_sender, > reject_non_fqdn_recipient, > reject_unknown_sender_domain, > reject_unknown_recipient_domain, > check_policy_service unix:private/policy-spf, > check_policy_service inet:127.0.0.1:10023, # whitelist goes here: check_sender_access maptype:/path/to/map > reject_rbl_client zen.spamhaus.org, > reject_rhsbl_helo dbl.spamhaus.org, > reject_rhsbl_sender dbl.spamhaus.org > > The contents of /etc/postfix/mysql-virtual_recipient.cf are as follows: -- Noel Jones
