exclude specific external IP from postfix blacklists

Poliman - Serwis
I have a problem with the specific IP 91.218.208.22. People from the network behind this address can't connect to the mail server because, as I found out, this IP address is listed. Not exactly this specific address, but the whole C class. I saw that Postfix uses blacklists in its own configuration, but I would like to exclude only this one IP.

--
Best Regards
Piotr Bracha

Re: exclude specific external IP from postfix blacklists

Matus UHLAR - fantomas
On 11.06.18 11:31, Poliman - Serwis wrote:
>I have a problem with specific IP 91.218.208.22. People from network behind
>this address can't connect to mailserver, because - as I found out - this
>ip address is listed.

listed where?

> Not exactly this specific address but whole C class.
>I saw Postfix uses blacklists in own configuration but I would like to
>exclude only this one IP.

find the rule blocking 91.218.208.22 and insert another one allowing this IP
in front of the rule.


--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
We are but packets in the Internet of life (userfriendly.org)

Re: exclude specific external IP from postfix blacklists

Wietse Venema
In reply to this post by Poliman - Serwis
Poliman - Serwis:
> I have a problem with specific IP 91.218.208.22. People from network behind
> this address can't connect to mailserver, because - as I found out - this
> ip address is listed. Not exactly this specific address but whole C class.
> I saw Postfix uses blacklists in own configuration but I would like to
> exclude only this one IP.

There are many ways to do this.  Here is one:

    ...
    reject_unauth_destination
    check_client_access inline:{91.218.208.22=ok, 1.2.3.4=OK}
    reject_rbl_client foo.bar.org
    ...

        Wietse

Re: exclude specific external IP from postfix blacklists

Poliman - Serwis
@Matus
Listed on lists related with Postfix, from my main.cf:
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_rbl_client zen.spamhaus.org, check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf, check_recipient_access mysql:/etc/postfix/mysql-virtual_policy_greylist.cf

@Wietse
Currently I have in main.cf:
smtpd_client_restrictions = check_client_access mysql:/etc/postfix/mysql-virtual_client.cf

Should this line be modified as:
smtpd_client_restrictions = check_client_access inline:{91.218.208.22=ok } mysql:/etc/postfix/mysql-virtual_client.cf
OR
smtpd_client_restrictions = check_client_access mysql:/etc/postfix/mysql-virtual_client.cf, inline:{91.218.208.22=ok }

Btw I am curious - is it possible to turn off ip verification only for clients?

--
Best Regards
Piotr Bracha

Re: exclude specific external IP from postfix blacklists

Matus UHLAR - fantomas
On 11.06.18 15:17, Poliman - Serwis wrote:
>Listed on lists related with Postfix, from my main.cf:
>smtpd_recipient_restrictions = permit_mynetworks,
>permit_sasl_authenticated, reject_unauth_destination, reject_rbl_client
>zen.spamhaus.org, check_recipient_access mysql:/etc/postfix/
>mysql-virtual_recipient.cf, check_recipient_access mysql:/etc/postfix/
>mysql-virtual_policy_greylist.cf

- I recommend putting reject_rbl_client zen.spamhaus.org at the end of rules

- put check_client_access in front of reject_rbl_client, one that will allow
   IP 91.218.208.22

>@Wietse
>Currently I have in main.cf:
>smtpd_client_restrictions = check_client_access mysql:/etc/postfix/
>mysql-virtual_client.cf

>Should this line be modified as:
>smtpd_client_restrictions = check_client_access inline:{91.218.208.22=ok }
>mysql:/etc/postfix/mysql-virtual_client.cf
>OR
>smtpd_client_restrictions = check_client_access mysql:/etc/postfix/
>mysql-virtual_client.cf, inline:{91.218.208.22=ok }

it's not possible to use two parameters for check_client_access
- there must be two different check_client_access rules.

But it won't help you in smtpd_client_restrictions, since the client is
rejected later in smtpd_recipient_restrictions

>Btw I am curious - is it possible to turn off ip verification only for
>clients?

for what clients? for your customers?
and which kind of IP verification?

--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
M$ Win's are shit, do not use it !

Re: exclude specific external IP from postfix blacklists

Poliman - Serwis
Thank you for the answer. If there must be two different check_client_access rules in main.cf, should I do:
smtpd_client_restrictions = check_client_access mysql:/etc/postfix/mysql-virtual_client.cf 
smtpd_client_restrictions = check_client_access inline:{91.218.208.22=ok}
or maybe
smtpd_client_restrictions = check_client_access mysql:/etc/postfix/mysql-virtual_client.cf, check_client_access inline:{91.218.208.22=ok}

Am I right?

Hmm, if the above won't help, how do I configure smtpd_recipient_restrictions to unblock this specific IP 91.218.208.22?


--
Best Regards
Piotr Bracha

Re: exclude specific external IP from postfix blacklists

Matus UHLAR - fantomas
On 12.06.18 07:32, Poliman - Serwis wrote:

>Thank you for answer. If in main.cf must be two different
>check_client_access rules, so I should do:
>smtpd_client_restrictions = check_client_access mysql:/etc/postfix/mysql-
>virtual_client.cf
>smtpd_client_restrictions = check_client_access inline:{91.218.208.22=ok}
>or maybe
>smtpd_client_restrictions = check_client_access mysql:/etc/postfix/mysql-
>virtual_client.cf, check_client_access inline:{91.218.208.22=ok}
>
>Am I right?

Neither one. As I said before:

"But it won't help you in smtpd_client_restrictions, since the client is
rejected later in smtpd_recipient_restrictions"

That means, you don't have to play with smtpd_client_restrictions.

>Hmm, if above won't help, how to configure smtpd_recipient_restrictions to
>unblock this specific ip 91.218.208.22 ?

If you want to configure smtpd_recipient_restrictions to (un)block an IP, you
must put the proper "check_client_access" into smtpd_recipient_restrictions,
in front of the rule that blocks that IP.

I'll keep the rest below undeleted because it still applies.

I'll just add that I prefer using hash or cidr tables for these cases instead
of inline access lists - it's easier to add whitelisted IPs to those tables.

>2018-06-11 16:24 GMT+02:00 Matus UHLAR - fantomas <[hidden email]>:
>
>> On 11.06.18 15:17, Poliman - Serwis wrote:
>>
>>> Listed on lists related with Postfix, from my main.cf:
>>> smtpd_recipient_restrictions = permit_mynetworks,
>>> permit_sasl_authenticated, reject_unauth_destination, reject_rbl_client
>>> zen.spamhaus.org, check_recipient_access mysql:/etc/postfix/
>>> mysql-virtual_recipient.cf, check_recipient_access mysql:/etc/postfix/
>>> mysql-virtual_policy_greylist.cf
>>>
>>
>> - I recommend putting reject_rbl_client zen.spamhaus.org at the end of
>> rules
>>
>> - put check_client_access in front of reject_rbl_client, one that will
>> allow
>>   IP 91.218.208.22
>>
>>> @Wietse
>>> Currently I have in main.cf:
>>> smtpd_client_restrictions = check_client_access mysql:/etc/postfix/
>>> mysql-virtual_client.cf
>>>
>>
>>> Should this line be modified as:
>>> smtpd_client_restrictions = check_client_access inline:{91.218.208.22=ok }
>>> mysql:/etc/postfix/mysql-virtual_client.cf
>>> OR
>>> smtpd_client_restrictions = check_client_access mysql:/etc/postfix/
>>> mysql-virtual_client.cf, inline:{91.218.208.22=ok }
>>>
>>
>> it's not possible to use two parameters for check_client_access
>> - there must be two different check_client_access rules.
>>
>> But it won't help you in smtpd_client_restrictions, since the client is
>> rejected later in smtpd_recipient_restrictions
>>
>>> Btw I am curious - is it possible to turn off ip verification only for
>>> clients?
>>>
>>
>> for what clients? for your customers?
>> and which kind of IP verification?


--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
The 3 biggest disasters: Hiroshima 45, Tschernobyl 86, Windows 95

Re: exclude specific external IP from postfix blacklists

Poliman - Serwis
Thank you for the answer. I have in main.cf:
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_rbl_client zen.spamhaus.org, check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf, check_recipient_access mysql:/etc/postfix/mysql-virtual_policy_greylist.cf

So, if I understood correctly, I have to modify the above as below:
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, check_client_access inline:{91.218.208.22=ok}, reject_unauth_destination, reject_rbl_client zen.spamhaus.org, check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf, check_recipient_access mysql:/etc/postfix/mysql-virtual_policy_greylist.cf

am I right?

Currently I am not an advanced Postfix user, so I am afraid I wouldn't configure the cidr tables properly.

--
Best Regards
Piotr Bracha

Re: exclude specific external IP from postfix blacklists

Matus UHLAR - fantomas
On 12.06.18 09:10, Poliman - Serwis wrote:

>Thank you for answer. I have in main.cf:
>smtpd_recipient_restrictions = permit_mynetworks,
>permit_sasl_authenticated, reject_unauth_destination, reject_rbl_client
>zen.spamhaus.org, check_recipient_access mysql:/etc/postfix/
>mysql-virtual_recipient.cf, check_recipient_access mysql:/etc/postfix/
>mysql-virtual_policy_greylist.cf
>
>so, if I understood well, I have to modify above like below:
>smtpd_recipient_restrictions = permit_mynetworks,
>permit_sasl_authenticated, check_client_access inline:{91.218.208.22=ok},
>reject_unauth_destination, reject_rbl_client zen.spamhaus.org,
>check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf,
>check_recipient_access mysql:/etc/postfix/mysql-virtual_policy_greylist.cf
>
>am I right?

yes, this should do what you want.
I'll just repeat:

- I'd use hash instead of inline

- I'd move reject_rbl_client zen.spamhaus.org at the end, and newly
added check_client_access just in front of it,
so rules in /etc/postfix/mysql-virtual_recipient.cf and
/etc/postfix/mysql-virtual_policy_greylist.cf
will be evaluated before zen.spamhaus.org is used, and they will be
evaluated even for client 91.218.208.22, which may be desired.

- you may want to evaluate those mysql rules even for sasl authenticated
clients and clients from $mynetworks
--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Boost your system's speed by 500% - DEL C:\WINDOWS\*.*

Re: exclude specific external IP from postfix blacklists

Poliman - Serwis
Thank you, I will check it. Last night I did:
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, check_client_access inline:{91.218.208.22=ok}, reject_unauth_destination, reject_rbl_client zen.spamhaus.org, check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf, check_recipient_access mysql:/etc/postfix/mysql-virtual_policy_greylist.cf

and it worked as I wanted. Of course, thanks to your advice.

--
Best Regards
Piotr Bracha

Re: exclude specific external IP from postfix blacklists

Wietse Venema
Poliman - Serwis:
> Thank you, I will check it. Yesterday night I did:
> smtpd_recipient_restrictions = permit_mynetworks,
> permit_sasl_authenticated, check_client_access inline:{91.218.208.22=ok},
> reject_unauth_destination, reject_rbl_client zen.spamhaus.org,
> check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf,
> check_recipient_access mysql:/etc/postfix/mysql-virtual_policy_greylist.cf

As in my original reply:

You MUST have the check_client_access inline:{91.218.208.22=ok} AFTER
the reject_unauth_destination, otherwise they can relay mail through
your server to arbitrary destinations.

        Wietse

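
The ordering requirement in the reply above, as an added example that is not part of the original thread and is not Postfix code: a small Python model of first-match evaluation of smtpd_recipient_restrictions, run against the list as posted and in the advised order. Assumptions: example.com is the only local domain, the /24 listing follows the original poster's description, the mysql tables never match, and only the restriction list shown in the thread is modelled (smtpd_relay_restrictions is not).

```python
import ipaddress
import re

# Restrictions that take one argument (a lookup table or a DNSBL domain).
TAKES_ARG = {"check_client_access", "check_recipient_access", "reject_rbl_client"}

def tokenize(value):
    """Split on commas/whitespace, keeping an inline:{...} table in one token."""
    tokens, buf, depth = [], "", 0
    for ch in value:
        depth += (ch == "{") - (ch == "}")
        if depth == 0 and (ch == "," or ch.isspace()):
            tokens, buf = tokens + ([buf] if buf else []), ""
        else:
            buf += ch
    return tokens + ([buf] if buf else [])

def parse(value):
    """Return [(restriction, argument or None), ...] in evaluation order."""
    toks, rules = iter(tokenize(value)), []
    for name in toks:
        rules.append((name, next(toks, None) if name in TAKES_ARG else None))
    return rules

def inline_table(arg):
    """Parse a simple inline:{key=value, ...} table; None for other table types."""
    m = re.fullmatch(r"inline:\{(.*)\}", arg or "", re.S)
    if not m:
        return None
    items = [i for i in re.split(r"[,\s]+", m.group(1)) if i]
    return {k: v for k, _, v in (i.partition("=") for i in items)}

def evaluate(value, client, rcpt_domain, local_domains, rbl, mynetworks=(), sasl=False):
    """Walk the list left to right; the first permit or reject ends evaluation."""
    ip = ipaddress.ip_address(client)
    for name, arg in parse(value):
        if name == "permit_mynetworks" and any(ip in n for n in mynetworks):
            return "permit", name
        if name == "permit_sasl_authenticated" and sasl:
            return "permit", name
        if name == "reject_unauth_destination" and rcpt_domain not in local_domains:
            return "reject", name
        if name == "reject_rbl_client" and any(ip in n for n in rbl.get(arg, ())):
            return "reject", name
        if name == "check_client_access":
            if (inline_table(arg) or {}).get(client, "").lower() == "ok":
                return "permit", name
        # mysql: tables from the thread are not modelled; they never match here.
    return "permit", "end of list"

def ok_before_relay_check(value):
    """Inline tables granting OK ahead of reject_unauth_destination (relay risk)."""
    risky = []
    for name, arg in parse(value):
        if name == "reject_unauth_destination":
            break
        table = inline_table(arg) or {}
        if name == "check_client_access" and "ok" in map(str.lower, table.values()):
            risky.append(arg)
    return risky

# Constructed environment; the /24 follows the poster's "whole C class", not real DNSBL data.
LOCAL = {"example.com"}
RBL = {"zen.spamhaus.org": [ipaddress.ip_network("91.218.208.0/24")]}

HEAD = "permit_mynetworks, permit_sasl_authenticated, "
ALLOW = "check_client_access inline:{91.218.208.22=ok}"
TAIL = ("reject_rbl_client zen.spamhaus.org, "
        "check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf, "
        "check_recipient_access mysql:/etc/postfix/mysql-virtual_policy_greylist.cf")
AS_POSTED = HEAD + ALLOW + ", reject_unauth_destination, " + TAIL   # exception first
AS_ADVISED = HEAD + "reject_unauth_destination, " + ALLOW + ", " + TAIL

def outcome(config, client, rcpt_domain):
    return evaluate(config, client, rcpt_domain, LOCAL, RBL)

if __name__ == "__main__":
    for cfg in (AS_POSTED, AS_ADVISED):
        print(outcome(cfg, "91.218.208.22", "example.net"), ok_before_relay_check(cfg))
```

With the exception placed first, the model permits 91.218.208.22 for a recipient in a domain the server does not handle; in the advised order the same client is still exempt from the DNSBL for local recipients but is refused for any other destination.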

Re: exclude specific external IP from postfix blacklists

Poliman - Serwis
Thank you. I fixed this. I didn't realize that you had earlier given the order which must be used.

--
Best Regards
Piotr Bracha