> > Suppose I have the following general case:
> >
> > /etc/postfix/whitelist1:
> > <host_a> OK
> > <host_b> OK
> >
> > /etc/postfix/whitelist2:
> > <host_c> OK
> >
> > How would I accomplish the following?
> >
> > smtpd_*_restrictions =
> >     . . .
> >     reject_[type1] . . . (except for hosts in whitelist1)
> >     reject_[type2] . . . (except for hosts in whitelist2)
>
> main.cf:
> smtpd_restriction_classes = whitelist1, whitelist2, unwhitelisted
> whitelist1 = reject_[type2]
> whitelist2 = reject_[type1]
> unwhitelisted = reject_[type1], reject_[type2]
>
> smtpd_*_restrictions =
>     check_client_access pcre:/etc/postfix/whitelisting
>     ... (NOT including reject_[type1] or reject_[type2])
>
> /etc/postfix/whitelisting:
> /^host_a$/ whitelist1
> /^host_b$/ whitelist1
> /^host_c$/ whitelist2
> /.*/ unwhitelisted

Ah. OK. I see what you're doing. But, to make the logic more like

smtpd_*_restrictions =
    . . .
    reject_[type1] . . . (except for hosts in whitelist1)
    reject_[type2] . . . (except for hosts in whitelist2)

and to take into account Viktor's suggestion for CIDR tables, does this work?

${config_directory}/main.cf:
smtpd_restriction_classes = reject1, reject2
reject1 = reject_[type1]
reject2 = reject_[type2]

smtpd_*_restrictions =
    . . .
    check_client_access cidr:${config_directory}/reject1_map
    check_client_access cidr:${config_directory}/reject2_map
    . . .

${config_directory}/reject1_map
# These hosts are whitelisted from this test only
192.0.2.1 OK
192.0.2.2 OK
# Everyone else gets this test
0.0.0.0/0 reject1

${config_directory}/reject2_map
# These hosts are whitelisted from this test only
192.0.2.2 OK
192.0.2.3 OK
# Everyone else gets this test
0.0.0.0/0 reject2

So:

-- host 192.0.2.1 is exempted from the first test but must undergo the second test
-- host 192.0.2.2 is exempted from both tests
-- host 192.0.2.3 must undergo the first test but is exempted from the second test
-- all other hosts undergo both tests

Is that correct?

> The reason I'm specifying 'whitelisting' map as pcre type instead of
> hash is that I don't think there's any way to make a hash map default to
> a restriction class or restriction list. One way to read the access(5)
> man page implies that '.' would match any hostname not matched, but I
> have not tried that.

OK. Understood.

Michael