Author Topic: Postfix whitelist problem  (Read 849 times)

0 Members and 1 Guest are viewing this topic.

Offline
*
Postfix whitelist problem
« on: September 22, 2021, 03:20:35 PM »
Hello there,

My main.cf configuration is as follows. I cannot receive emails from domains and ip addresses that I have whitelisted.

Returning error:
450 4.7.25 Client host rejected: cannot find your hostname...

I guess because of reject_invalid_hostname.

Why am I getting such an error even though I have whitelisted it?
How can I do without removing the reject_invalid_hostname rule? Can someone help me? Where did I go wrong? My brain has stopped  :)


#MAIN.CF
header_checks = regexp:/etc/postfix/header_checks

# HELO restriction
smtpd_helo_required = yes
smtpd_helo_restrictions =
  permit_mynetworks,
  permit_sasl_authenticated,
  check_helo_access pcre:/etc/postfix/helo_access,
  #reject_invalid_helo_hostname,
  reject_non_fqdn_helo_hostname,
  reject_invalid_hostname,
  reject_unknown_helo_hostname

# Client restrictions
smtpd_client_restrictions =
  permit_mynetworks,
  permit_sasl_authenticated,
  reject_unknown_client

# Sender restrictions
smtpd_sender_restrictions =
  permit_mynetworks,
  permit_sasl_authenticated,
  check_sender_access hash:/etc/postfix/sender_whitelist,
  check_sender_access pcre:/etc/postfix/reject_domains,
  reject_non_fqdn_sender,
  reject_unknown_sender_domain,
  #reject_unverified_sender

# Recipient restrictions
smtpd_recipient_restrictions =
  permit_mynetworks,
  permit_sasl_authenticated,
  check_policy_service inet:127.0.0.1:10031,
  check_recipient_access hash:/etc/postfix/sender_whitelist,
  check_recipient_access hash:/etc/postfix/sender_blacklist,
  reject_unauth_destination,
  reject_non_fqdn_recipient,
  reject_unknown_recipient_domain, 
  reject_rhsbl_helo dbl.spamhaus.org,
  reject_rhsbl_reverse_client dbl.spamhaus.org,
  reject_rhsbl_sender dbl.spamhaus.org,
  reject_rbl_client zen.spamhaus.org,
  reject_rbl_client bl.spamcop.net,
  reject_rbl_client b.barracudacentral.org

# Relay restrictions
smtpd_relay_restrictions =
  permit_mynetworks,
  permit_sasl_authenticated,
  check_policy_service inet:127.0.0.1:10031,
  reject_unauth_destination

# Other restrictions
smtpd_delay_reject = yes
unknown_local_recipient_reject_code = 550
disable_vrfy_command = yes
smtpd_data_restrictions = reject_unauth_pipelining
enable_original_recipient = no
show_user_unknown_table_name = no



#SENDER_WHITELIST
mail.gelirler.gov.tr OK
#mail.gelirler.gov.tr ip adresi
212.133.164.130 OK
bplas.com.tr OK
bsmtp2.iletisim.yapikredi.com.tr OK
bsmtp3.iletisim.yapikredi.com.tr OK
bsmtp4.iletisim.yapikredi.com.tr OK
bsmtp5.iletisim.yapikredi.com.tr OK
bsmtp6.iletisim.yapikredi.com.tr OK
bsmtp7.iletisim.yapikredi.com.tr OK
bsmtp8.iletisim.yapikredi.com.tr OK
bsmtp9.iletisim.yapikredi.com.tr OK
#*.iletisim.yapikredi.com.tr ip adresleri
193.254.229.41 OK
193.254.229.43 OK
193.254.229.44 OK
193.254.229.45 OK
193.254.229.46 OK
193.254.229.47 OK
193.254.229.48 OK
193.254.229.49 OK



#HELO_ACCESS
/^(etebligat2-esg\.ggm\.bim)$/ OK
/^(bsmtp2\.iletisim\.yapikredi\.com\.tr)$/ OK
/^(bsmtp3\.iletisim\.yapikredi\.com\.tr)$/ OK
/^(bsmtp4\.iletisim\.yapikredi\.com\.tr)$/ OK
/^(bsmtp5\.iletisim\.yapikredi\.com\.tr)$/ OK
/^(bsmtp6\.iletisim\.yapikredi\.com\.tr)$/ OK
/^(bsmtp7\.iletisim\.yapikredi\.com\.tr)$/ OK
/^(bsmtp8\.iletisim\.yapikredi\.com\.tr)$/ OK
/^(bsmtp9\.iletisim\.yapikredi\.com\.tr)$/ OK
/^(askcsmgapp06\.anadolusigorta\.pvt)$/ OK

# No one will use these in helo command.
/^(localhost)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})
/^(localhost.localdomain)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})
/(\.local)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})

# Reject who use IP address as helo.
# Correct:      [xxx.xxx.xxx.xxx]
# Incorrect:    xxx.xxx.xxx.xxx
/^([0-9\.]+)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server sent non RFC compliant HELO identity (${1})

#
# This is the real HELO identify of these ISPs:
#   sohu.com    websmtp.sohu.com relay2nd.mail.sohu.com
#   126.com     m15-78.126.com
#   163.com     m31-189.vip.163.com m13-49.163.com
#   sina.com    mail2-209.sinamail.sina.com.cn
#   gmail.com   xx-out-NNNN.google.com
/^(126\.com)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server seems to be impersonating another mail server (${1})
/^(163\.com)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server seems to be impersonating another mail server (${1})
/^(163\.net)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server seems to be impersonating another mail server (${1})
/^(sohu\.com)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server seems to be impersonating another mail server (${1})
/^(gmail\.com)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server seems to be impersonating another mail server (${1})
/^(google\.com)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server seems to be impersonating another mail server (${1})
/^(yahoo\.com\.cn)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server seems to be impersonating another mail server (${1})
/^(yahoo\.co\.jp)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server seems to be impersonating another mail server (${1})

#
# Reject adsl spammers.
#
# match word `adsl` with word boundary `\b`.
/(\badsl\b)/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server appears to be on a dynamic IP address that should not be doing direct mail delivery (${1})

# bypass "[IP_ADDRESS]"
/^\[(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\]$/ OK

# Bypass HELOs used by known big ISPs which contains IP address
/\.outbound-(email|mail)\.sendgrid\.net$/ OK
/^\d{1,3}-\d{1,3}-\d{1,3}-\d{1,3}\.mail-(mail|campmail)\.facebook\.com$/ OK
/^outbound-\d{1,3}-\d{1,3}-\d{1,3}-\d{1,3}\.pinterestmail\.com$/ OK
/\.outbound\.protection\.outlook\.com$/ OK
/^ec2-\d{1,3}-\d{1,3}-\d{1,3}-\d{1,3}\..*\.compute\.amazonaws\.com$/ OK
/^out\d{1,3}-\d{1,3}-\d{1,3}-\d{1,3}\.mail\.qq\.com$/ OK

# reject HELO which contains IP address
/(\d{1,3}[\.-]\d{1,3}[\.-]\d{1,3}[\.-]\d{1,3})/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server appears to be on a dynamic IP address that should not be doing direct mail delivery (${1})
/(\d{1,3}\.ip\.-\d{1,3}-\d{1,3}-\d{1,3}\.eu)/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server appears to be on a dynamic IP address that should not be doing direct mail delivery (${1})
/(pppoe)/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server appears to be on a dynamic IP address that should not be doing direct mail delivery (${1})
/(dsl\.brasiltelecom\.net\.br)/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server appears to be on a dynamic IP address that should not be doing direct mail delivery (${1})
/(dsl\.optinet\.hr)/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server appears to be on a dynamic IP address that should not be doing direct mail delivery (${1})
/(dsl\.telesp\.net\.br)/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server appears to be on a dynamic IP address that should not be doing direct mail delivery (${1})
/(dialup)/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server appears to be on a dynamic IP address that should not be doing direct mail delivery (${1})
/(dhcp)/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server appears to be on a dynamic IP address that should not be doing direct mail delivery (${1})
/(static-pool-[\d\.-]*\.flagman\.zp\.ua)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server appears to be on a dynamic IP address that should not be doing direct mail delivery (${1})

.....
« Last Edit: September 22, 2021, 03:24:01 PM by Gani Karaoğlu »

Offline
**
Re: Postfix whitelist problem
« Reply #1 on: September 23, 2021, 03:48:51 PM »
try to remove this from your sender restrictions:

reject_non_fqdn_sender
reject_unknown_sender_domain

this should solve your problems.

Offline
*
Re: Postfix whitelist problem
« Reply #2 on: September 23, 2021, 09:42:40 PM »
Hi Painkiller88

Thank you for your reply.
I know this is the solution but I want to use both rule and filter.
In other words, if there is a match in the filter, postfix should not apply the relevant rule or vice versa. Shouldn't that be the case logically?