On Mon, 2019-04-15 at 09:43 -0600, Shawn Heisey wrote:
> Something I did pretty recently on the various restrictions in main.cf
> was add a spam_lovers access file that allows me to whitelist certain
> recipients so that messages to them will bypass all the filtering.
>
> I did this because I've had people tell me about situations where they
> did not receive an important email, usually from a relative. When I
> look into these problems, it's almost always something basic, like
> reverse DNS. And I find that a whole lot of people will not lift a
> finger to fix the problems with their mail server.
>
> For users who want to receive email from servers that are run by these
> bad admins, I can add them to the spam_lovers file and redo postmap on
> it. Their incoming email will bypass almost every filter I've got.
> They don't even seem to mind the massive increase in spam that this creates.
>
> But I've realized that this config doesn't affect postscreen. Sometimes
> the sender will be on a server that has been blacklisted by an RBL and
> either the admin won't try to fix the problem or they are unable to get
> the problem fixed.
>
> So now we come to my question: Can I whitelist a recipient so email to
> that user will always pass postscreen? I tried to find an answer with
> google and came up empty.
>
> Here's the full restriction config from main.cf. If anybody sees any
> problems with that config, I would appreciate knowing that too:
>
> ----------
> smtpd_relay_restrictions =
>     permit_mynetworks,
>     permit_sasl_authenticated,
>     defer_unauth_destination
>
> smtpd_client_restrictions =
>     check_recipient_access hash:/etc/postfix/spam_lovers,
>     check_sender_access hash:/etc/postfix/always_sender_access,
>     permit_sasl_authenticated,
>     permit_mynetworks,
>     check_client_access cidr:/etc/postfix/client_access,
>     check_sender_access hash:/etc/postfix/sender_access,
>     reject_unknown_reverse_client_hostname,
>     reject_unknown_client_hostname
>
> smtpd_helo_restrictions =
>     check_recipient_access hash:/etc/postfix/spam_lovers,
>     check_sender_access hash:/etc/postfix/always_sender_access,
>     permit_sasl_authenticated,
>     permit_mynetworks,
>     check_client_access cidr:/etc/postfix/client_access,
>     reject_invalid_helo_hostname,
>     reject_non_fqdn_helo_hostname
>
> smtpd_sender_restrictions =
>     check_recipient_access hash:/etc/postfix/spam_lovers,
>     check_sender_access hash:/etc/postfix/always_sender_access,
>     permit_sasl_authenticated,
>     permit_mynetworks,
>     check_sender_access hash:/etc/postfix/sender_access,
>     check_client_access cidr:/etc/postfix/client_access,
>     reject_non_fqdn_sender,
>     reject_unknown_sender_domain
>
> smtpd_recipient_restrictions =
>     check_recipient_access hash:/etc/postfix/spam_lovers,
>     check_sender_access hash:/etc/postfix/always_sender_access,
>     permit_sasl_authenticated,
>     permit_mynetworks,
>     check_sender_access hash:/etc/postfix/sender_access,
>     check_recipient_access hash:/etc/postfix/recipient_access,
>     check_client_access cidr:/etc/postfix/client_access,
>     sleep 2,
>     reject_non_fqdn_recipient,
>     reject_unauth_destination,
>     reject_unknown_recipient_domain,
>     reject_unlisted_recipient,
>     check_policy_service unix:private/policy-spf
>
> smtpd_data_restrictions =
>     permit_mynetworks,
>     reject_unauth_pipelining,
>     reject_multi_recipient_bounce
> ----------
>
> Thanks,
> Shawn

Sure. You want postscreen_access_list, which defaults to
permit_mynetworks. Just add it to your config with a lookup table like
so:

postscreen_access_list = permit_mynetworks,
    hash:/etc/postfix/postscreen_access_list

~# cat /etc/postfix/postscreen_access_list
168.100.1.3 permit # camomile.cloud9.net
2604:8d00:0:1::3 permit # camomile.cloud9.net
168.100.1.4 permit # russian-caravan.cloud9.net
2604:8d00:0:1::4 permit # russian-caravan.cloud9.net
168.100.1.7 permit # english-breakfast.cloud9.net
2604:8d00:0:1::7 permit # english-breakfast.cloud9.net

hth,
-Jim P.
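
Added example, not part of either message and not Postfix code: a small Python model of how a list of the form `postscreen_access_list = permit_mynetworks, <table>` is evaluated. It follows the documented postscreen semantics: the lookup key is the remote SMTP client's IP address, `permit` and `reject` end the search, and `dunno` inside a table falls through to the next list element. The table is modelled with cidr:-style first-match rules; the addresses, table contents and function names are constructed for illustration.

```python
import ipaddress

# Constructed sample data (documentation address ranges), cidr: table syntax.
MYNETWORKS = [ipaddress.ip_network("127.0.0.0/8")]
SAMPLE_TABLE = """\
# correspondent's mail server that is listed on a DNSBL
192.0.2.25        permit
2001:db8:0:1::25  permit
# one host exempted from an otherwise rejected range
198.51.100.7      dunno
198.51.100.0/24   reject
"""

def parse_table(text):
    """Return ordered (network, action) rules; whole-line comments are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        pattern, action = line.split(None, 1)
        rules.append((ipaddress.ip_network(pattern, strict=False), action.strip()))
    return rules

def table_lookup(rules, client):
    """First matching rule wins; None means the table has no entry."""
    for network, action in rules:
        if client in network:
            return action
    return None

def evaluate(client_ip, mynetworks=MYNETWORKS, rules=None):
    """Model postscreen_access_list = permit_mynetworks, cidr:<table>."""
    rules = parse_table(SAMPLE_TABLE) if rules is None else rules
    client = ipaddress.ip_address(client_ip)
    if any(client in net for net in mynetworks):
        return "permit"   # permit_mynetworks ends the search
    action = table_lookup(rules, client)
    if action in ("permit", "reject"):
        return action     # terminal decision, no further elements consulted
    return "tests"        # dunno or no match: postscreen's tests still run

if __name__ == "__main__":
    for ip in ("192.0.2.25", "198.51.100.7", "198.51.100.8", "203.0.113.9"):
        print(ip, evaluate(ip))
```

A result of `tests` means the client is not on the permanent list and remains subject to the DNSBL and greeting checks.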