I really should have figured this out ages ago, but... Quite simply, there exists a small number of organizations that run afoul of my various smtpd_recipient_restrictions and/or my smtpd_helo_restrictions, but from which I need to be able to receive mail anyway. (A small number of companies get snagged on reject_unknown_helo_hostname due to having botched the HELO strings on their outbound mail servers, and also, in the case of Microsoft, they seem to have managed to get numerous of their IPs listed on Spamcop.)
So anyway, I just now added the following to my pre-existing list of smtpd_recipient_restrictions:

    check_client_access cidr:/usr/local/etc/postfix/blacklists/cidr-whitelist

where my cidr-whitelist file currently contains just:

    # Microsoft
    65.52.0.0/14 OK

Of course, I placed this new check_client_access clause above all of the other/pre-existing clauses in my smtpd_recipient_restrictions. I just want to ask if I have done the proper thing here, because I've never done this before. My hope is that I haven't inadvertently opened up a relaying hole or anything awful like that.

One other question... Currently, I have the following:

    smtpd_helo_restrictions = permit_mynetworks
        reject_non_fqdn_helo_hostname
        reject_invalid_helo_hostname
        reject_unknown_helo_hostname

In order to make sure that my new CIDR whitelist will allow in even mail from goofed-up sites that have botched their HELO strings, should I be moving the three reject_*helo_hostname clauses shown above down into my smtpd_recipient_restrictions... you know... to a position that comes *after* my new check_client_access clause?
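
An added example, not part of the original post: a small Python check for the two ordering questions raised above. It reports access tables consulted before reject_unauth_destination in smtpd_recipient_restrictions (an OK there lets the listed clients relay to any destination) and the reject_* checks left in smtpd_helo_restrictions, which Postfix evaluates as its own list. Assumptions: relay control sits in smtpd_recipient_restrictions rather than a separate smtpd_relay_restrictions, the function names are hypothetical, and both config fragments are constructed, with only the whitelist line and the HELO list taken from the post.

```python
# Constructed main.cf fragments. Only the whitelist line and the HELO list come
# from the post; the other recipient restrictions are assumed for illustration.
AS_POSTED = """
smtpd_helo_restrictions = permit_mynetworks reject_non_fqdn_helo_hostname
    reject_invalid_helo_hostname reject_unknown_helo_hostname
smtpd_recipient_restrictions =
    check_client_access cidr:/usr/local/etc/postfix/blacklists/cidr-whitelist
    permit_mynetworks
    reject_unauth_destination
    reject_rbl_client bl.spamcop.net
"""
REORDERED = """
smtpd_helo_restrictions = permit_mynetworks
smtpd_recipient_restrictions =
    permit_mynetworks
    reject_unauth_destination
    check_client_access cidr:/usr/local/etc/postfix/blacklists/cidr-whitelist
    reject_non_fqdn_helo_hostname reject_invalid_helo_hostname reject_unknown_helo_hostname
    reject_rbl_client bl.spamcop.net
"""

def parse_main_cf(text):
    """Return {parameter: [tokens]}; indented lines continue the previous parameter."""
    params, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # blank line or comment
        if raw[0].isspace() and current:
            params[current] += raw.replace(",", " ").split()
        else:
            name, _, value = raw.partition("=")
            current = name.strip()
            params[current] = value.replace(",", " ").split()
    return params

def access_lookups_before_relay_guard(params):
    """Access tables that can answer OK before reject_unauth_destination is reached."""
    tokens = params.get("smtpd_recipient_restrictions", [])
    found = []
    for i, tok in enumerate(tokens):
        if tok == "reject_unauth_destination":
            break  # everything after this point only sees mail for our own domains
        if tok.startswith("check_") and tok.endswith("_access"):
            found.append(" ".join(tokens[i:i + 2]))  # restriction plus its table
    return found

def helo_rejects_not_covered(params):
    """reject_* checks in smtpd_helo_restrictions, a list evaluated on its own."""
    return [t for t in params.get("smtpd_helo_restrictions", []) if t.startswith("reject_")]
```

Running both functions on `parse_main_cf(AS_POSTED)` flags the whitelist lookup and the three HELO rejects; on `parse_main_cf(REORDERED)` both lists come back empty.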