Postfix Whitelist on Global Filters no Working

Discussion in 'Installation/Configuration' started by W-C, Apr 10, 2019.

  1. W-C

    W-C Member

    Hello,

    We are using the following parameters on main.cf smtpd_client_restrictions=
    smtpd_client_restrictions = check_client_access mysql:/etc/postfix/mysql-virtual_client.cf, permit_mynetworks, permit_sasl_authenticated, reject_rbl_client dnsbl.sorbs.net

    I tought if I used the Postfix Whitelist on Global filters would allow the sender domain to sent the email even if the IP of the sender is on blacklists but is not working . Is there anyway I can whitelist the domain in order to not delete the "reject_rbl_client dnsbl.sorbs.net" on the smtp_client_restrictions?

    Thanks in advance
     
  2. Jesse Norell

    Jesse Norell Well-Known Member

    smtpd_client_restrictions is to restrict smtp clients, and is not considering the sender domain. The check_client_access lookup will match against the smtp client's hostname or parent domains, if that's helpful (probably not so much, but on some systems or a dedicated mail server the hostname might also match the sender domain).

    What I would recommend is not use any rbl's directly in smtpd_client_restrictions, but instead implement postscreen's weighted rbls, and use postwhite to bypass postscreen for domains according to their spf record as needed. See https://git.ispconfig.org/ispconfig/ispconfig3/issues/4239 for example.

    An alternative solution would be to add a check_sender_access map ahead of the rbl rejection which allows senders from that domain. Something like:
    Code:
    smtpd_client_restrictions = check_client_access mysql:/etc/postfix/mysql-virtual_client.cf, permit_mynetworks, check_sender_access texthash:/etc/postfix/smtpd_client_sender_access, permit_sasl_authenticated, reject_rbl_client dnsbl.sorbs.net
    Then add your allowed domains to /etc/postfix/smtpd_client_sender_access (eg. 'sender.tld OK').
     
    W-C likes this.
  3. W-C

    W-C Member

    Hello Jesse,

    I'd follow your suggestion and let you know how it works...

    Thanks a lot for you help.
     

Share This Page