1

I'm using postfix helo_restrictions to blacklist some spam leaning domains. One of those is a service that provides email service to people who want email addresses with their domains, but don't want to run a mail server. I'm blocking that service in my check_helo_access file:

domainemailsvc.net REJECT No spam please.

But unfortunately a couple of people send legitimate mail through that same service. Should I just delete that line from check_helo_access and hope that spamassassin does its job or is there a way to whitelist these specific email addresses or sub-domains?

Example log file entry for a message from my friend (tom@tomsdomain.com):

Sep 16 11:27:41 myserver postfix/smtpd[19223]: NOQUEUE: reject: RCPT from
 bosmailout01.domainemailsvc.net[xx.xx.xx.xx]: 554 5.7.1
 <bosmailout01.domainemailsvc.net>: Helo command rejected: No spam please.;
 from=<FSD0=AFyHhv=3K=tomsdomain.com=tom@domainemailsvc.net>
 to=<lido@myserver.com> proto=ESMTP helo=<bosmailout01.domainemailsvc.net>

I've tried adding the following to my check_helo_access file:

tomsdomain.com OK
tom@domainemailsvc.net OK

...but that doesn't seem to work.

Lido
  • 45
  • 2
  • 8

2 Answers2

2

The EHLO/HELO SMTP command (which is what the check_helo_access stuff works on) only has a hostname as data so that's all that this particular filter can operate on. So, you can't use the check_helo_access file to allow specific senders from a hostname/domain that you're blocking with it.

You should, you want to get mail from specific users in this domain, allow it with check_helo_access.

Then you can use, if I recall, sender_access to allow specific addresses and block everything else from this domain.

A good way to think of these checks in postfix is that each one operates on a specific part of the SMTP conversation - which in turn has specific data. Domain comes into play with HELO. RCPT TO involves the local address for delivery. MAIL FROM involves the sender address. And so forth. Identify which part of the SMTP conversation you want to filter on, and then use the Postfix check that is associated with it.

malcolmpdx
  • 2,300
  • 1
  • 16
  • 12
  • Thanks. I tried that, but it looks like they have a system where the sender email address is different every time so there's no way to whitelist it unless there's a way to use patterns or wildcard characters. Here's my `sender_access` file: `tom@domainemailsvc.net OK tom@tomsdomain.com OK domainemailsvc.net REJECT` – Lido Sep 18 '14 at 16:07
  • and here's the line from the log file: `Sep 19 10:28:44 myserver postfix/smtpd[41522]: NOQUEUE: reject: RCPT from bosmailout10.domainemailsvc.net[xx.xx.xx.xx]: 554 5.7.1 : Sender address rejected: Access denied; from= to= proto=ESMTP helo=` – Lido Sep 18 '14 at 16:07
1

Thanks to @malcolmpdx for pointing me in the right direction. sender_access is actually how I was able to accomplish this using some basic regex:

in main.cf:

smtpd_sender_restrictions = check_sender_access pcre:/etc/postfix/sender_access

in sender_access:

/^.*=tom@domainemailsvc.net$/ OK
/^.*domainemailsvc.net$/ REJECT
Lido
  • 45
  • 2
  • 8