On 6/9/2014 7:12 PM, Ronald F. Guilmette wrote:
> I really should have figured this out ages ago, but...
>
> Quite simply, there exists a small number of organizations that
> run afoul of my various smtpd_recipient_restrictions and/or my
> smtpd_helo_restrictions, but from which I need to be able to
> receive mail anyway.  (A small number of companies get snagged
> on reject_unknown_helo_hostname due to having botched the HELO
> strings on their outbound mail servers, and also, in the case of
> Microsoft, they seem to have managed to get numerous of their
> IPs listed on Spamcop.)
>
> So anyway, I just now added the following to my pre-existing
> list of smtpd_recipient_restrictions:
>
>     check_client_access cidr:/usr/local/etc/postfix/blacklists/cidr-whitelist
>
> where my cidr-whitelist file currently contains just:
>
>     # Microsoft
>     65.52.0.0/14 OK
>
> Of course, I placed this new check_client_access clause above all of
> the other/pre-existing clauses in my smtpd_recipient_restrictions.
>
> I just want to ask if I have done the proper thing here, because I've
> never done this before.
>
> My hope is that I haven't inadvertently opened up a relaying hole or
> anything awful like that.
>
> One other question...
>
> Currently, I have the following:
>
>     smtpd_helo_restrictions =
>         permit_mynetworks
>         reject_non_fqdn_helo_hostname
>         reject_invalid_helo_hostname
>         reject_unknown_helo_hostname
>
> In order to make sure that my new CIDR whitelist will allow in even
> mail from goofed-up sites that have botched their HELO strings, should
> I be moving the three reject_*helo_hostname clauses shown above down
> into my smtpd_recipient_restrictions... you know... to a position
> that comes *after* my new check_client_access clause?

Yes. And if you have other separate smtpd_foo_restrictions sections you should move those restriction parameters under smtpd_recipient_restrictions as well. This will give you precise control over whitelisting and blacklisting order.

Cheers,

Stan
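
Added example (not part of either message above): the consolidation described in the reply, written as a main.cf fragment that uses only the restrictions quoted in the thread. It assumes the poster's existing recipient list already contains permit_mynetworks and reject_unauth_destination; the whitelist lookup is placed after reject_unauth_destination so that an OK for a whitelisted client skips the HELO checks and everything below it without also bypassing the relay check in this list.

```ini
# /usr/local/etc/postfix/blacklists/cidr-whitelist (contents as quoted above):
#   # Microsoft
#   65.52.0.0/14    OK

# main.cf
# The HELO checks are moved out of this list so that they can no longer
# reject a client before the whitelist is consulted.
smtpd_helo_restrictions =

# Evaluated top to bottom; the first OK or REJECT ends the list.
#  1. permit_mynetworks, reject_unauth_destination: ASSUMED to be part of
#     the poster's existing list. They stay first so that the whitelist
#     cannot be used to relay to non-local destinations.
#  2. check_client_access: OK for 65.52.0.0/14 skips everything below it.
#  3. The three HELO checks, moved here from smtpd_helo_restrictions.
#  4. The poster's other existing restrictions (not shown in the thread)
#     follow after these lines.
smtpd_recipient_restrictions =
    permit_mynetworks
    reject_unauth_destination
    check_client_access cidr:/usr/local/etc/postfix/blacklists/cidr-whitelist
    reject_non_fqdn_helo_hostname
    reject_invalid_helo_hostname
    reject_unknown_helo_hostname
```

To check the table before reloading, `postmap -q 65.52.1.2 cidr:/usr/local/etc/postfix/blacklists/cidr-whitelist` should print OK (65.52.1.2 is a constructed address inside the listed range).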