How To Whitelist Hosts/IP Addresses In Postfix

Submitted by falko on Tue, 2008-06-10 11:07 :: Postfix


Version 1.0
Author: Falko Timme <ft [at] falkotimme [dot] com>
Last edited 06/06/2008

If you are administering a mail server and use blacklists to block spam (as in this article: How To Block Spam Before It Enters The Server (Postfix)), you probably know this problem: from time to time your customers complain that they cannot receive emails from certain freemailers. Most often this happens because a freemailer was abused to send out spam and was therefore blacklisted. This short guide shows how you can whitelist such a mail server in Postfix to make your customers happy again.

I do not issue any guarantee that this will work for you!

If a blacklisted server tries to send mail to your server, you should find something like this in your mail log:

SMTP error from remote mail server after RCPT TO:<bla@example.com>: host mail.example.com [4.3.2.1]: 554 5.7.1 Service unavailable; Client host [1.2.3.4] blocked using dnsbl.sorbs.net; Currently Sending Spam See: http://www.sorbs.net/lookup.shtml?1.2.3.4

In this example, the mail server 1.2.3.4 is blacklisted and therefore blocked.

To whitelist that server, create the file /etc/postfix/rbl_override and list every IP address or host name you want to whitelist, one per line, each followed by the action OK:

vi /etc/postfix/rbl_override

1.2.3.4 OK
1.2.3.5 OK
mail.freemailer.tld OK

Whenever you create or modify that file, you must rebuild the lookup table by running

postmap /etc/postfix/rbl_override

Next, open /etc/postfix/main.cf and search for the smtpd_recipient_restrictions parameter. Add check_client_access hash:/etc/postfix/rbl_override to that parameter, after reject_unauth_destination but before the first blacklist. The position matters: an OK result from check_client_access permits the client and skips every restriction that follows, so placing it before reject_unauth_destination would let whitelisted hosts relay through your server, while placing it after the reject_rbl_client entries would let the blacklists reject the client before the whitelist is ever consulted.

So if smtpd_recipient_restrictions looks like this now...

vi /etc/postfix/main.cf

[...]
smtpd_recipient_restrictions = reject_invalid_hostname,
                               reject_unauth_pipelining,
                               permit_mynetworks,
                               permit_sasl_authenticated,
                               reject_unauth_destination,
                               reject_rbl_client multi.uribl.com,
                               reject_rbl_client dsn.rfc-ignorant.org,
                               reject_rbl_client dul.dnsbl.sorbs.net,
                               reject_rbl_client list.dsbl.org,
                               reject_rbl_client sbl-xbl.spamhaus.org,
                               reject_rbl_client bl.spamcop.net,
                               reject_rbl_client dnsbl.sorbs.net,
                               reject_rbl_client cbl.abuseat.org,
                               reject_rbl_client ix.dnsbl.manitu.net,
                               reject_rbl_client combined.rbl.msrbl.net,
                               reject_rbl_client rabl.nuclearelephant.com,
                               permit
[...]

... modify it so that it looks as follows:

[...]
smtpd_recipient_restrictions = reject_invalid_hostname,
                               reject_unauth_pipelining,
                               permit_mynetworks,
                               permit_sasl_authenticated,
                               reject_unauth_destination,
                               check_client_access hash:/etc/postfix/rbl_override,
                               reject_rbl_client multi.uribl.com,
                               reject_rbl_client dsn.rfc-ignorant.org,
                               reject_rbl_client dul.dnsbl.sorbs.net,
                               reject_rbl_client list.dsbl.org,
                               reject_rbl_client sbl-xbl.spamhaus.org,
                               reject_rbl_client bl.spamcop.net,
                               reject_rbl_client dnsbl.sorbs.net,
                               reject_rbl_client cbl.abuseat.org,
                               reject_rbl_client ix.dnsbl.manitu.net,
                               reject_rbl_client combined.rbl.msrbl.net,
                               reject_rbl_client rabl.nuclearelephant.com,
                               permit
[...]

That's it! Restart Postfix, and you're done:

/etc/init.d/postfix restart
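The placement rule is the part of this setup that is easy to get wrong when main.cf is edited again later. The following Python check is an added example written for this page, not part of the article or of Postfix; the function and message names are my own. It parses a main.cf fragment and reports when the override map is referenced before reject_unauth_destination (relay risk) or after a DNSBL check (whitelist never reached).

```python
import re

def parse_main_cf(text):
    """Return {parameter: value}; main.cf continuation lines start with whitespace."""
    params, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and current:          # continuation of previous parameter
            params[current] += " " + raw.strip()
        else:
            name, _, value = raw.partition("=")
            current = name.strip()
            params[current] = value.strip()
    return params

def restrictions(value):
    """Split a restriction list into (restriction, argument) pairs; check_* and DNSBL
    restrictions take the following token (table or zone name) as their argument."""
    tokens = [t for t in re.split(r"[\s,]+", value) if t]
    pairs, i = [], 0
    while i < len(tokens):
        has_arg = tokens[i].startswith(("check_", "reject_rbl_client", "reject_rhsbl_")) and i + 1 < len(tokens)
        pairs.append((tokens[i], tokens[i + 1] if has_arg else ""))
        i += 2 if has_arg else 1
    return pairs

def check_override_placement(main_cf_text, override="hash:/etc/postfix/rbl_override"):
    """List ordering problems for the whitelist map; an empty list means it is placed safely.
    OK from check_client_access skips all later restrictions, so the map must follow
    reject_unauth_destination (relay control) and precede the first DNSBL check."""
    pairs = restrictions(parse_main_cf(main_cf_text).get("smtpd_recipient_restrictions", ""))
    names = [n for n, _ in pairs]
    if ("check_client_access", override) not in pairs:
        return [f"{override} is not referenced in smtpd_recipient_restrictions"]
    pos, problems = pairs.index(("check_client_access", override)), []
    if "reject_unauth_destination" not in names[:pos]:
        problems.append("reject_unauth_destination does not precede the whitelist: whitelisted clients could relay")
    dnsbl = [i for i, n in enumerate(names) if n.startswith(("reject_rbl_client", "reject_rhsbl_"))]
    if dnsbl and min(dnsbl) < pos:
        problems.append("a reject_rbl_client runs before the whitelist, so listed clients never reach it")
    return problems

# Constructed main.cf fragment shaped like the article's corrected configuration.
GOOD_CF = """\
smtpd_recipient_restrictions = permit_mynetworks,
    reject_unauth_destination,
    check_client_access hash:/etc/postfix/rbl_override,
    reject_rbl_client dnsbl.sorbs.net,
    permit
"""
```

Running check_override_placement on the real main.cf (after removing any "[...]" markers) returns an empty list for the layout the article ends with.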

Submitted by Axel (not registered) on Fri, 2010-03-19 08:16.

Just thought I should mention that you can whitelist an entire subnet with:
111.222.33 OK

This does not work:
111.222.33.0/24 OK
111.222.33.* OK

regards
axel

Submitted by AlArenal (registered user) on Tue, 2008-06-10 14:44.

Sometimes you need to do manual whitelisting for mail users whose customers' admins don't respond to your complaints about their server settings.

Another option to consider is automatic whitelisting by using the hand-crafted DNSWL ( http://www.dnswl.org/ ). You should also consider requesting to get added to DNSWL.

I use a simple shell script named dnswl-update.sh as a cron job to sync the data (see documentation for use of X-REPLACEME substitution):

#!/bin/sh
# Fetch the Postfix-format DNSWL files from the dnswl.org rsync mirror
rsync --times rsync1.dnswl.org::dnswl/postfix-* /mypath/
# Replace the X-REPLACEME placeholder in the header table with your own header name
cat /mypath/postfix-dnswl-header | sed "s/X-REPLACEME/X-MYSTRING/" > /etc/postfix/dnswl-header
# Install the permit table where main.cf expects it
cp /mypath/postfix-dnswl-permit /etc/postfix/dnswl-permit

In /etc/postfix/main.cf I added these two lines as the first check_* entries within smtpd_recipient_restrictions:

smtpd_recipient_restrictions =
[ ... ]
check_client_access cidr:/etc/postfix/dnswl-header,
check_client_access cidr:/etc/postfix/dnswl-permit,
[ ... ]

After that you restart Postfix.

/etc/init.d/postfix restart

My cron entry looks something like this, and there is no need to restart or reload Postfix afterwards:

7 5,18 * * * /path-to-script/dnswl-update.sh > /dev/null 2>&1
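Axel's subnet note and the cidr: tables in AlArenal's script rely on two different matching rules, documented in access(5) and cidr_table(5): an indexed hash: table is probed with the client address shortened one octet at a time (and a host name followed by its parent domains), whereas a cidr: table matches address/prefix patterns. The Python emulation below is an added example written for this page, not Postfix code and not either commenter's; it reproduces both rules on a constructed table and shows why "111.222.33 OK" covers a whole /24 in a hash: table while "111.222.33.0/24" only matches in a cidr: one.

```python
import ipaddress

# Constructed hash: access table in the article's format; the last three keys are the
# subnet spellings from the comment above (only the truncated-octet one can ever match).
HASH_TABLE = """\
1.2.3.4 OK
111.222.33 OK
111.222.33.0/24 OK
111.222.33.* OK
mail.freemailer.tld OK
"""

def parse_access_table(text):
    """Return {key: action} for an access(5) table; keys are matched case-insensitively."""
    table = {}
    for line in text.splitlines():
        fields = line.split(None, 1)
        if fields and not fields[0].startswith("#"):
            table[fields[0].lower()] = fields[1].strip() if len(fields) > 1 else ""
    return table

def hash_lookup_keys(client):
    """Keys Postfix tries, in order, for one client in an indexed (hash:) table, per access(5):
    an IPv4 address is shortened one trailing octet at a time (1.2.3.4, 1.2.3, 1.2, 1); a host
    name is followed by its parent domains (the default parent_domain_matches_subdomains)."""
    parts = client.lower().split(".")
    if len(parts) == 4 and all(p.isdigit() for p in parts):
        return [".".join(parts[:n]) for n in range(4, 0, -1)]
    return [".".join(parts[i:]) for i in range(len(parts))]

def hash_lookup(table, client):
    """First matching (key, action) for the client, or None; an OK here whitelists it."""
    for key in hash_lookup_keys(client):
        if key in table:
            return key, table[key]
    return None

def cidr_lookup(text, client_ip):
    """What a cidr: table does instead: the first network pattern containing the address wins.
    Keys that are not address/prefix patterns (names, wildcards, bare octets) never match."""
    addr = ipaddress.ip_address(client_ip)
    for line in text.splitlines():
        fields = line.split(None, 1)
        try:
            network = ipaddress.ip_network(fields[0], strict=False)
        except (IndexError, ValueError):
            continue
        if addr in network:
            return fields[0], fields[1].strip() if len(fields) > 1 else ""
    return None
```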