10.06.2014 05:02, Stan Hoeppner wrote:
> On 6/9/2014 7:12 PM, Ronald F. Guilmette wrote:
>> I really should have figured this out ages ago, but...
>>
>> Quite simply, there exists a small number of organizations that
>> run afoul of my various smtpd_recipient_restrictions and/or my
>> smtpd_helo_restrictions, but from which I need to be able to
>> receive mail anyway. (A small number of companies get snagged
>> on reject_unknown_helo_hostname due to having botched the HELO
>> strings on their outbound mail servers, and also, in the case of
>> Microsoft, they seem to have managed to get numerous of their
>> IPs listed on Spamcop.)
>>
>> So anyway, I just now added the following to my pre-existing
>> list of smtpd_recipient_restrictions:
>>
>> check_client_access cidr:/usr/local/etc/postfix/blacklists/cidr-whitelist
>>
>> where my cidr-whitelist file currently contains just:
>>
>> # Microsoft
>> 65.52.0.0/14 OK
>>
>> Of course, I placed this new check_client_access clause above all of
>> the other/pre-existing clauses in my smtpd_recipient_restrictions.
>>
>> I just want to ask if I have done the proper thing here, because I've
>> never done this before.
>>
>> My hope is that I haven't inadvertently opened up a relaying hole or
>> anything awful like that.

It depends on the postfix version. Older postfix, which didn't have
smtpd_relay_restrictions, will act as an open relay for these networks,
because you allow them the same way you accept_mynetworks, so it becomes
more or less your networks. You should put reject_unauth_destination
before accepting these. More recent postfix, which has separate
smtpd_relay_restrictions, will be saner (provided you don't prepend this
whitelist to relay_restrictions too :). For other smtpd_*_restrictions,
it does not really matter.

>> One other question...
>>
>> Currently, I have the following:
>>
>> smtpd_helo_restrictions =
>>     permit_mynetworks
>>     reject_non_fqdn_helo_hostname
>>     reject_invalid_helo_hostname
>>     reject_unknown_helo_hostname
>>
>> In order to make sure that my new CIDR whitelist will allow in even
>> mail from goofed-up sites that have botched their HELO strings, should
>> I be moving the three reject_*helo_hostname clauses shown above down
>> into my smtpd_recipient_restrictions... you know... to a position
>> that comes *after* my new check_client_access clause?
>
>
> Yes. And if you have other separate smtpd_foo_restrictions sections you
> should move those restriction parameters under
> smtpd_recipient_restrictions as well. This will give you precise
> control over whitelisting and blacklisting order.

I'm sorry to say that, but this is wrong. All smtpd_*_restrictions give
precise control over all the restrictions and their order; if you move it
all to one stage it becomes clumsier. Also, moving stuff which should be
run at connect or hello time to recipient time is kinda wrong. Such a
suggestion - to move everything to recipient_restriction - can be given
to a novice postfix user (or by a novice postfix user), who does not
understand smtp protocol stages and this smtpd_*_restrictions mechanics,
both of which are kinda trivial.

Thanks,

/mjt
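The following main.cf fragments are an added illustration of the ordering point made in this thread; they are not configuration posted by anyone in it. They reuse the CIDR map path and the 65.52.0.0/14 entry from the original question. The first block shows the weak ordering on a Postfix release without smtpd_relay_restrictions (that parameter appeared in Postfix 2.10), the second shows the same release with reject_unauth_destination moved ahead of the whitelist, and the third shows a 2.10-or-later layout that keeps the relay decision in its own list and applies the client whitelist at the HELO stage, where the checks it is meant to bypass actually run.

```ini
# cidr-whitelist (a CIDR table; no postmap step is needed for cidr: maps)
#   65.52.0.0/14 OK

# --- Weak: Postfix without smtpd_relay_restrictions, whitelist first.
# A client inside 65.52.0.0/14 matches OK, evaluation of the list stops
# there, and reject_unauth_destination is never reached, so that client
# can relay to any destination through this server.
smtpd_recipient_restrictions =
    check_client_access cidr:/usr/local/etc/postfix/blacklists/cidr-whitelist
    permit_mynetworks
    reject_unauth_destination
    reject_unknown_helo_hostname

# --- Corrected for the same release: refuse unauthorized relaying before
# any OK result can short-circuit the list; the whitelist then only
# exempts the client from the checks listed after it.
smtpd_recipient_restrictions =
    permit_mynetworks
    reject_unauth_destination
    check_client_access cidr:/usr/local/etc/postfix/blacklists/cidr-whitelist
    reject_unknown_helo_hostname

# --- Postfix 2.10 and later: relay policy lives in its own list and the
# whitelist is deliberately NOT prepended to it.
smtpd_relay_restrictions =
    permit_mynetworks
    reject_unauth_destination

# HELO checks stay at the HELO stage; the client whitelist is placed in
# front of them here rather than moving the checks to recipient time.
smtpd_helo_restrictions =
    permit_mynetworks
    check_client_access cidr:/usr/local/etc/postfix/blacklists/cidr-whitelist
    reject_non_fqdn_helo_hostname
    reject_invalid_helo_hostname
    reject_unknown_helo_hostname
```

After editing, `postconf -n` prints the effective non-default settings so the order of each list can be read back, and a test delivery from a whitelisted address to a domain the server is not responsible for should still be rejected with "Relay access denied" in every layout except the first.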