On 6/11/2016 2:56 AM, Вадим Бажов wrote:
> Hi all.
> postfix 2.6, smtpd_delay_reject = yes.
>
> Need to implement a totally permissive whitelist for 'big bosses' by
> *IP addresses, email addresses, email domains*.
> So I need to use both check_client_access (for IP whitelisting)
> and check_sender_access (for email and domain whitelisting).
check_client_access checks either the IP address or the verified client
hostname. This is very hard to spoof and is the preferred way to whitelist.

check_sender_access checks the envelope sender email address, or the domain
part of the envelope sender address. This is very easy to spoof; avoid
sender-based whitelists unless you have no other way to whitelist some
particular message.

> Or can I use IP addresses in check_sender_access ?

No, the IP is not part of the envelope sender address.

> smtpd_delay_reject delays all checking until the RCPT TO stage but,
> anyway, all the checks will be made step by step in their original
> order (in that order: client, helo, sender, recipient
> restrictions). Right?

Yes.

> Since a permit action in access tables (action OK) doesn't stop
> checks for a particular email but skips a particular context, I
> need to insert check_* actions at every stage, at:
>   smtpd_client_restrictions
>   smtpd_helo_restrictions
>   smtpd_sender_restrictions
>   smtpd_recipient_restrictions
>
> Right?

Only if you have rules in each section that might reject mail. Many folks
prefer to put all their restrictions in smtpd_recipient_restrictions
specifically to make whitelisting easier.

> So I end up with the following config:
>
>   smtpd_client_restrictions = check_client_access hash:/etc/postfix/ip_wl ...
>   smtpd_helo_restrictions = check_client_access hash:/etc/postfix/ip_wl check_sender_access hash:/etc/postfix/email_wl ...
>   smtpd_sender_restrictions = check_client_access hash:/etc/postfix/ip_wl check_sender_access hash:/etc/postfix/email_wl ...

Acceptable, but avoid whitelisting by sender address.

>   smtpd_recipient_restrictions = check_client_access hash:/etc/postfix/ip_wl check_sender_access hash:/etc/postfix/email_wl ...
>
> Am I right ?

No, the smtpd_recipient_restrictions section must start with

smtpd_recipient_restrictions =
    permit_mynetworks
    reject_unauth_destination
    ... whitelists here ...
    ... restrictions here ...
> 1. Do I need (will it work) to insert check_sender_access in the
> smtpd_client_restrictions block ?

Yes and yes.

> 2. Does check_sender_access work under smtpd_helo_restrictions ?

Yes. With the default smtpd_delay_reject=yes, any restriction can be used in
any section.

> 3. I know about the danger of allowing an open relay for whitelisted
> clients, but they are 'big bosses' as I said and we can't lose their
> emails. So what if I start each stage with the
> 'reject_unauth_destination' command ?

smtpd_recipient_restrictions *must* have reject_unauth_destination before any
whitelists. This is safe for all legit mail since it will not affect any mail
addressed to you.

> PS: What's the difference between permit_mynetworks and
> check_client_access if I need to permit a client's IP ?

permit_mynetworks is used to allow local/authorized clients to relay through
your server. permit_mynetworks must not be used for whitelisting clients not
authorized to relay. Also, clients listed in mynetworks are subjected to
different header rewriting rules. This may cause confusion or break digital
signatures on non-local mail.

-- 
  Noel Jones
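The ordering rule Noel states (reject_unauth_destination must precede any whitelist in smtpd_recipient_restrictions) is easy to get wrong when editing main.cf by hand. Below is an added lint script, not code from the thread or from Postfix, that parses a main.cf fragment and reports any check_* or permit restriction that sits ahead of the relay check; the two main.cf fragments and the set of restrictions tolerated before the relay check are constructed assumptions.

```python
import re

# Constructed main.cf fragments (not from the thread). BAD puts the whitelists
# ahead of reject_unauth_destination; GOOD follows the order given in the reply.
BAD_MAIN_CF = """\
smtpd_delay_reject = yes
smtpd_recipient_restrictions =
    check_client_access hash:/etc/postfix/ip_wl,
    check_sender_access hash:/etc/postfix/email_wl,
    reject_unauth_destination
"""
GOOD_MAIN_CF = """\
smtpd_delay_reject = yes
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination,
    check_client_access hash:/etc/postfix/ip_wl,
    check_sender_access hash:/etc/postfix/email_wl
"""
TAKES_ARGUMENT = {"check_client_access", "check_helo_access",
                  "check_sender_access", "check_recipient_access"}
RELAY_CHECKS = {"reject_unauth_destination", "defer_unauth_destination"}
SAFE_BEFORE_RELAY_CHECK = {"permit_mynetworks"}  # assumption: extend for your site

def parse_main_cf(text):
    """Return {parameter: value}; a line starting with whitespace continues the previous value."""
    params, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] in " \t" and current is not None:
            params[current] += " " + line.strip()
        elif "=" in line:
            name, value = line.split("=", 1)
            current = name.strip()
            params[current] = value.strip()
    return params

def restriction_names(value):
    """Split a restriction list on whitespace/commas and drop table arguments (hash:/path)."""
    names, skip = [], False
    for token in (t for t in re.split(r"[\s,]+", value) if t):
        if skip:
            skip = False
            continue
        names.append(token)
        skip = token in TAKES_ARGUMENT
    return names

def relay_check_problems(main_cf_text):
    """Whitelist/permit restrictions found before the relay check (empty list == OK)."""
    names = restriction_names(parse_main_cf(main_cf_text).get("smtpd_recipient_restrictions", ""))
    problems = []
    for name in names:
        if name in RELAY_CHECKS:
            return problems
        if name.startswith("check_") or (name.startswith("permit") and name not in SAFE_BEFORE_RELAY_CHECK):
            problems.append(name)
    return problems + ["reject_unauth_destination missing"]
```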