Postscreen: whitelist domain


lists
I have postscreen setup according to the how-to. I use the following
configuration for the access list. As I understand it, I can only add IP
addresses or ranges to this list. Is it possible to whitelist the domain
name in the from address?


postscreen_access_list = permit_mynetworks,
         cidr:/etc/postfix/postscreen_access.cidr

Re: Postscreen: whitelist domain

Matus UHLAR - fantomas
On 10.11.17 10:33, [hidden email] wrote:
>I have postscreen setup according to the how-to. I use the following
>configuration for the access list. As I understand it, I can only add
>IP addresses or ranges to this list. Is it possible to whitelist the
>domain name in the from address?

no. postscreen is lightweight and runs so early that it only knows the client
IP, not the sender domain.

--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
I drive way too fast to worry about cholesterol.

Re: Postscreen: whitelist domain

Noel Jones-2
In reply to this post by lists
On 11/10/2017 10:33 AM, [hidden email] wrote:
> I have postscreen setup according to the how-to. I use the following
> configuration for the access list. As I understand it, I can only
> add IP addresses or ranges to this list. Is it possible to whitelist
> the domain name in the from address?
>
>
> postscreen_access_list = permit_mynetworks,
>         cidr:/etc/postfix/postscreen_access.cidr


It is not possible to whitelist by names in postscreen.  Postscreen
operates at a very early stage where the only information available
is the client IP.

Re: Postscreen: whitelist domain

lists
Thanks, I thought that might be the case.

The problem I'm trying to solve is these messages in the log file:
postfix/postscreen[2938]: NOQUEUE: reject: CONNECT from
[91.238.9.63]:38101: too many connections

I think this must be from the limit I set up with
smtpd_client_connection_count_limit as described here?

postscreen_client_connection_count_limit
        ($smtpd_client_connection_count_limit)
               How  many  simultaneous  connections  any client is
               allowed to have with the postscreen(8) daemon.


Most of the time, this is not a problem. This IP for example is a
spammer and I want them to be limited. But I have a legitimate server
that needs to send a lot of email at once. Can I bypass this limit by
adding the sender's IP to postscreen_access.cidr? I've already added
their domain to smtpd_client_event_limit_exceptions.





On 2017-11-10 10:56 am, Noel Jones wrote:

> On 11/10/2017 10:33 AM, [hidden email] wrote:
>> I have postscreen setup according to the how-to. I use the following
>> configuration for the access list. As I understand it, I can only
>> add IP addresses or ranges to this list. Is it possible to whitelist
>> the domain name in the from address?
>>
>>
>> postscreen_access_list = permit_mynetworks,
>>         cidr:/etc/postfix/postscreen_access.cidr
>
>
> It is not possible to whitelist by names in postscreen.  Postscreen
> operates at a very early stage where the only information available
> is the client IP.

Re: Postscreen: whitelist domain

Wietse Venema
In reply to this post by Noel Jones-2
Noel Jones:

> On 11/10/2017 10:33 AM, [hidden email] wrote:
> > I have postscreen setup according to the how-to. I use the following
> > configuration for the access list. As I understand it, I can only
> > add IP addresses or ranges to this list. Is it possible to whitelist
> > the domain name in the from address?
> >
> >
> > postscreen_access_list = permit_mynetworks,
> >         cidr:/etc/postfix/postscreen_access.cidr
>
>
> It is not possible to whitelist by names in postscreen.  Postscreen
> operates at a very early stage where the only information available
> is the client IP.

Confirmed. By design, postscreen will do DNS lookups only from a
small number of DNSBL or DNSWL domains. Those servers are set up
to provide quick responses.

Making postscreen dependent on DNS lookups from random DNS servers
would disastrously limit the amount of traffic that postscreen can
handle.

        Wietse

Re: Postscreen: whitelist domain

Wietse Venema
In reply to this post by lists
[hidden email]:
> Most of the time, this is not a problem. This IP for example is a
> spammer and I want them to be limited. But I have a legitimate server
> that needs to send a lot of email at once. Can I bypass this limit by
> adding the sender's IP to postscreen_access.cidr? I've already added
> their domain to smtpd_client_event_limit_exceptions.

Yes, whitelist their network in the postscreen access table.

        Wietse
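
An added example, not part of any poster's message: a small Python script that tallies the "too many connections" rejects per client IP and shows what the postscreen access table says about each address, so the legitimate sender can be told apart from the addresses that should stay limited. It handles plain `pattern action` lines only, with patterns in file order; the table contents and all log lines except the address 91.238.9.63 are constructed sample data.

```python
import ipaddress
import re
from collections import Counter

# The reject line quoted in the thread; any syslog prefix before it is ignored.
REJECT_RE = re.compile(
    r"postfix/postscreen\[\d+\]: NOQUEUE: reject: CONNECT from "
    r"\[([0-9A-Fa-f:.]+)\]:\d+: too many connections"
)

def parse_cidr_table(text):
    """Return [(network, action)] in file order, skipping comments and blanks."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        pattern, action = line.split(None, 1)
        rules.append((ipaddress.ip_network(pattern), action.split()[0].lower()))
    return rules

def lookup(rules, ip):
    """Return the action of the first matching pattern (table order), or None."""
    addr = ipaddress.ip_address(ip)
    for net, action in rules:
        if addr.version == net.version and addr in net:
            return action
    return None

def summarize(log_text, table_text):
    """Map client IP -> (number of rejects, access-table action or None)."""
    rules = parse_cidr_table(table_text)
    counts = Counter(REJECT_RE.findall(log_text))
    return {ip: (n, lookup(rules, ip)) for ip, n in counts.items()}

# Constructed sample data: only 91.238.9.63 appears in the thread.
SAMPLE_TABLE = """\
# constructed postscreen_access.cidr
192.0.2.0/28   permit
198.51.100.7   reject
"""
SAMPLE_LOG = """\
Nov 10 10:31:02 mx postfix/postscreen[2938]: NOQUEUE: reject: CONNECT from [91.238.9.63]:38101: too many connections
Nov 10 10:31:03 mx postfix/postscreen[2938]: NOQUEUE: reject: CONNECT from [91.238.9.63]:38107: too many connections
Nov 10 10:31:05 mx postfix/postscreen[2938]: NOQUEUE: reject: CONNECT from [192.0.2.5]:50112: too many connections
Nov 10 10:31:06 mx postfix/postscreen[2938]: CONNECT from [192.0.2.9]:50120 to [203.0.113.1]:25
"""

if __name__ == "__main__":
    for ip, (n, action) in sorted(summarize(SAMPLE_LOG, SAMPLE_TABLE).items()):
        print(f"{ip:15} rejects={n} table={action or 'no entry'}")
```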