On 9/18/2014 6:19 AM, li...@rhsoft.net wrote:
> or making it simpler and put all other restrictions in "smtpd_recipient_restrictions"
> and only leaving that two - this could be reduced to one rule if "check_helo_access"
> would accept the PTR-Regexp for DUNNOS
>
> according to http://www.postfix.org/postconf.5.html#check_helo_access that's not the case
> so the question remains: how can i skip "check_helo_access" by
> "check_reverse_client_hostname_access"
>
> smtpd_helo_restrictions =
>  check_reverse_client_hostname_access proxy:regexp:/etc/postfix/whitelist_helo_by_ptr.cf
>  check_helo_access proxy:regexp:/etc/postfix/blacklist_helo.cf
>
> On 18.09.2014 at 13:02, li...@rhsoft.net wrote:
>> postfix/smtpd[29991]: warning: restriction check_reverse_client_hostname_access returns OK
>> postfix/smtpd[29991]: warning: this is not allowed for security reasons
>> postfix/smtpd[29991]: warning: use DUNNO instead of OK if you want to make an exception

A ptr is easily faked, so postfix does not allow you to use an
unverified ptr for whitelisting. check_helo_access is a much older
feature, predating that safety check.

Your options are:
- find another client property to whitelist on, such as verified ptr
  or IP address with check_client_access.
- use a policy server for an unsafe response. Not recommended.
- patch the source to remove the safety check. Not recommended.

  -- Noel Jones

>> _____________________________________________________________________________
>>
>> how can one skip all following rules in "smtpd_helo_restrictions" and
>> so apply only "smtpd_recipient_restrictions"?
>>
>> in general i understand the reason for that but given i want to skip
>> all the other checks in "smtpd_helo_restrictions" would DUNNO in
>> "check_reverse_client_hostname_access" which only contains "allows"
>> not skip only the PTR checks but not the following ones and so have
>> no function at all?
>>
>> * check_sender_access
>> * reject_non_fqdn_helo_hostname
>> * reject_invalid_helo_hostname
>> * check_helo_access
>>
>> the idea here is to have rules to reject by HELO but at the same
>> time skip them for several reasons and the "real" restrictions
>> are present in "smtpd_recipient_restrictions"
>> _____________________________________________________________________________
>>
>> smtpd_helo_restrictions =
>>  check_reverse_client_hostname_access proxy:regexp:/etc/postfix/whitelist_helo_by_ptr.cf
>>  check_sender_access proxy:hash:/etc/postfix/whitelist_sender.cf
>>  reject_non_fqdn_helo_hostname
>>  reject_invalid_helo_hostname
>>  check_helo_access proxy:regexp:/etc/postfix/blacklist_helo.cf
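
The difference between the unverified and the verified ptr mentioned in the reply above, as an added example that is not part of the original thread and not Postfix's code: a PTR name is only trusted when it resolves back to the client address. The whitelist pattern, hostnames, addresses and function names are constructed for illustration.

```python
import ipaddress
import re
import socket

def system_ptr(ip):
    """Unverified reverse (PTR) lookup through the system resolver."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def system_addrs(name):
    """Forward (A/AAAA) lookup through the system resolver."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(name, None)}
    except OSError:
        return set()

def verified_hostname(ip, ptr=system_ptr, addrs=system_addrs):
    """Return the PTR name only when it resolves back to the client IP."""
    name = ptr(ip)
    if not name:
        return None
    client = ipaddress.ip_address(ip)
    for addr in addrs(name):
        try:
            if ipaddress.ip_address(addr) == client:
                return name
        except ValueError:  # e.g. a scoped IPv6 literal
            continue
    return None

# Constructed whitelist pattern and DNS data (documentation address ranges).
WHITELIST = re.compile(r"^mail\.partner\.example$")
REVERSE = {"192.0.2.10": "mail.partner.example",    # the real partner host
           "203.0.113.66": "mail.partner.example"}  # PTR chosen by that reverse zone's owner
FORWARD = {"mail.partner.example": {"192.0.2.10"}}

def sample_ptr(ip):
    return REVERSE.get(ip)

def sample_addrs(name):
    return FORWARD.get(name, set())

def whitelist_action(ip, verified, ptr=sample_ptr, addrs=sample_addrs):
    """Access-table style result: OK on a whitelist match, otherwise DUNNO."""
    name = verified_hostname(ip, ptr, addrs) if verified else ptr(ip)
    return "OK" if name and WHITELIST.search(name) else "DUNNO"

if __name__ == "__main__":
    for ip in REVERSE:
        print(ip, whitelist_action(ip, False), whitelist_action(ip, True))
```

Pass `system_ptr` and `system_addrs` as `ptr` and `addrs` to run the same check against live DNS instead of the constructed tables.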