Postscreen: whitelist domain

I have postscreen setup according to the how-to. I use the following
configuration for the access list. As I understand it, I can only add IP
addresses or ranges to this list. Is it possible to whitelist the domain
name in the from address?


postscreen_access_list = permit_mynetworks,
         cidr:/etc/postfix/postscreen_access.cidr

On 10.11.17 10:33, [hidden email] wrote:
>I have postscreen setup according to the how-to. I use the following
>configuration for the access list. As I understand it, I can only add
>IP addresses or ranges to this list. Is it possible to whitelist the
>domain name in the from address?

no. postscreen is lighweight and runs so early that it only knows the client
IP, not the sender domain.

--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
I drive way too fast to worry about cholesterol.

On 11/10/2017 10:33 AM, [hidden email] wrote:
> I have postscreen setup according to the how-to. I use the following
> configuration for the access list. As I understand it, I can only
> add IP addresses or ranges to this list. Is it possible to whitelist
> the domain name in the from address?
>
>
> postscreen_access_list = permit_mynetworks,
>         cidr:/etc/postfix/postscreen_access.cidr


It is not possible to whitelist by names in postscreen.  Postscreen
operates at a very early stage where the only information available
is the client IP.

Thanks, I thought that might be the case.

The problem I'm trying to solve is these messages in the log file:
postfix/postscreen[2938]: NOQUEUE: reject: CONNECT from
[91.238.9.63]:38101: too many connections

I think this must be from the limit I set up with
smtpd_client_connection_count_limit as described here?

postscreen_client_connection_count_limit
        ($smtpd_client_connection_count_limit)
               How  many  simultaneous  connections  any client is
               allowed to have with the postscreen(8) daemon.


Most of the time, this is not a problem. This IP for example is a
spammer and I want them to be limited. But I have a legitimate server
that needs to send a lot of email at once. Can I bypass this limit by
adding the sender's IP to postscreen_access.cidr? I've already added
their domain to smtpd_client_event_limit_exceptions.





On 2017-11-10 10:56 am, Noel Jones wrote:

Noel Jones:
Confirmed. By design, postscreen will do DNS lookups only from a
small number of DNSBL or DNSWL domains. Those servers are set up
to provide quick responses.

Making postscreen dependent on DNS lookups from random DNS servers
would disastrously limit the amount of traffic that postscreen can
handle.

        Wietse

[hidden email]:
> Most of the time, this is not a problem. This IP for example is a
> spammer and I want them to be limited. But I have a legitimate server
> that needs to send a lot of email at once. Can I bypass this limit by
> adding the sender's IP to postscreen_access.cidr? I've already added
> their domain to smtpd_client_event_limit_exceptions.

Yes, whitelist their network in the postscreen access table.

        Wietse