Re: whitelist for single reject

Viktor Dukhovni Wed, 26 Dec 2018 23:08:15 -0800

> On Dec 27, 2018, at 12:31 AM, Bill Cole 
> <postfixlists-070...@billmail.scconsult.com> wrote:
> 
> main.cf:
>   smtpd_restriction_classes = whitelist1, whitelist2, unwhitelisted
>   whitelist1 = reject_[type2]
>   whitelist2 = reject_[type1]
>   unwhitelisted = reject_[type1], reject_[type2]
> 
>   smtpd_*_restrictions =
>      check_client_access pcre:/etc/postfix/whitelisting
>      ...   (NOT including reject_[type1] or reject_[type2])
> 
> /etc/postfix/whitelisting:
>   /^host_a$/   whitelist1
>   /^host_b$/   whitelist1
>   /^host_c$/   whitelist2
>   /.*/         unwhitelisted


Since hostname based whitelists are fragile in the face of transient
DNS failures, and many users struggle with regular expression correctness.
A CIDR map is more appropriate here:

        192.0.2.1       whitelist1
        192.0.2.2       whitelist2
        ....
        0.0.0.0/0       unwhitelisted

  check_client-access cidr:${config_directory}/wlist.cidr

-- 
        Viktor.

Re: whitelist for single reject

Reply via email to