
Exceptions

EXCEPTIONS
The first question you probably have is how to whitelist some addresses for header and body checks. At present (December 2003), the checks files are referenced as part of the cleanup process, and there is no simple way to whitelist them. This guide will instead focus on adding exceptions for any of the smtpd restrictions (such as an RBL or other access-like check).

The first thing you should do is read up on the Restriction Classes Guide, as we will be using restriction classes to create our exceptions.

All of the information in this guide will be based on all of the smtpd restrictions being placed in the smtpd_recipient_restrictions section, and on the following sample information:

    smtpd_recipient_restrictions =
        permit_mynetworks,
        permit_sasl_authenticated,
        reject_unauth_destination,
        # reject_non_fqdn_hostname,
        # reject_unknown_hostname,
        reject_invalid_hostname,
        reject_unauth_pipelining,
        reject_non_fqdn_sender,
        reject_unknown_sender_domain,
        reject_multi_recipient_bounce,
        reject_non_fqdn_recipient,
        reject_unknown_recipient_domain,

        check_client_access hash:/etc/postfix/maps/exceptions_clients,
        reject_unverified_sender,
        reject_unverified_recipient,
        reject_rhsbl_client blackhole.securitysage.com,
        reject_rhsbl_sender blackhole.securitysage.com,
        reject_rhsbl_client rhsbl.sorbs.net,
        reject_rhsbl_sender rhsbl.sorbs.net,
        reject_rbl_client bl.spamcop.net,
        reject_rbl_client relays.ordb.org,
        reject_rbl_client dnsbl.sorbs.net,
        reject_rbl_client sbl.spamhaus.org,
        reject_rbl_client dnsbl.njabl.org,
        reject_rbl_client list.dsbl.org

Note how the above are separated into two sections. On the top are the entries that should be standard under most circumstances. On the bottom are the entries that either use excessive bandwidth (the sender and recipient verification probes and the DNS lookups), or could reject IP addresses and senders that you might still want to receive mail from, even though an RBL or RHSBL has them blacklisted.

EXCEPTIONS_RECIPIENTS
The first thing to do is add a restriction class for the recipient checks that will be used by the client checks. In order to prevent your system from being an open relay, you will have to check both the client IP address and the recipient address in the same restriction; otherwise, giving an OK to a client on its own could allow that client to send email anywhere.

  1. In your main.cf, you will first have to define a restriction class. You will do so by adding the following:
    smtpd_restriction_classes = verify_exceptions_recipients
  2. Next, it will be necessary to specify what “verify_exceptions_recipients” means. You will do so by adding the following:
    verify_exceptions_recipients =
        check_recipient_access hash:/etc/postfix/maps/exceptions_recipients,
        check_client_access regexp:/etc/postfix/maps/text_exceptions

  3. Create the file /etc/postfix/maps/exceptions_recipients with a listing of the addresses that should be able to receive email. You can use individual addresses, or entire domains, followed by an OK as in this example:

    user@localdomain1.com OK
    recipient_domain2.com OK

  4. Create the file /etc/postfix/maps/text_exceptions with the following contents:

    /./ 554 You or your server has been blacklisted. Please contact abuse@localdomain.com from a non-blacklisted server or account.

    NOTE: The regexp /./ matches every client, so by adding this entry any other email coming from a client listed in EXCEPTIONS_CLIENTS (see below) whose recipient is not listed in the exceptions_recipients file will be rejected with the 554 message above. Also remember to replace abuse@localdomain.com with the appropriate contact information for your domain.

EXCEPTIONS_CLIENTS
The exceptions_clients list is a simple access table keyed by client IP address; the value for each entry is the name of the restriction class, which sends the lookup on to the EXCEPTIONS_RECIPIENTS checks.

  1. Create a file /etc/postfix/maps/exceptions_clients with a list of client IP addresses, each followed by the name of our restriction class verify_exceptions_recipients, as in the following example:

    # Server Name / IP Address / Supposed Sender
    # md2.vsnl.net.in / 202.54.6.20 / specific_user@md2.vsnl.net.in
    202.54.6.20 verify_exceptions_recipients

    Remember to comment this file as much as possible in order to help you remember why you added each entry. Now, whenever an email comes in from 202.54.6.20, it will be checked against the recipients table, and if it is destined locally to an authorized recipient, it will bypass all of the RBL and RHSBL checks. Remember to run postmap on the hash: files after editing them so that the .db files are rebuilt.
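To make the evaluation order of the two maps concrete, here is an added Python simulation of the chain described above; it is not Postfix code and not part of this guide. It assumes parent_domain_matches_subdomains covers smtpd_access_maps, models the /./ regexp as a catch-all, and also shows what happens when that catch-all entry is left out (the case in the NOTE above).

```python
from typing import Optional

# Constructed map contents, mirroring the files this guide creates.
EXCEPTIONS_CLIENTS = {"202.54.6.20": "verify_exceptions_recipients"}
EXCEPTIONS_RECIPIENTS = {"user@localdomain1.com": "OK",
                         "recipient_domain2.com": "OK"}
# The regexp map /./ matches every client name/address: a catch-all reject.
TEXT_EXCEPTIONS_REJECT = "554 You or your server has been blacklisted."
FALL_THROUGH = "continue to reject_rbl_client/reject_rhsbl_* checks"

def recipient_lookup(addr: str, table: dict) -> Optional[str]:
    """Simplified access(5) order for an address: user@domain first, then the
    domain and each parent domain, then the user@ localpart form (assumption:
    parent_domain_matches_subdomains includes smtpd_access_maps)."""
    local, _, domain = addr.rpartition("@")
    if addr in table:
        return table[addr]
    labels = domain.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in table:
            return table[candidate]
    return table.get(local + "@")

def verify_exceptions_recipients(recipient: str, catch_all: bool = True) -> str:
    """The restriction class: check_recipient_access, then the /./ regexp."""
    if recipient_lookup(recipient, EXCEPTIONS_RECIPIENTS) == "OK":
        return "OK"                 # permit: later RBL/RHSBL checks are skipped
    if catch_all:
        return TEXT_EXCEPTIONS_REJECT
    return "DUNNO"                  # no decision: later restrictions still run

def evaluate(client_ip: str, recipient: str, catch_all: bool = True) -> str:
    """check_client_access hash:exceptions_clients, followed by the RBL block.
    Returns the decisive action for one (client, recipient) pair."""
    action = EXCEPTIONS_CLIENTS.get(client_ip, "DUNNO")
    if action == "verify_exceptions_recipients":
        action = verify_exceptions_recipients(recipient, catch_all)
    return action if action != "DUNNO" else FALL_THROUGH

if __name__ == "__main__":
    for ip, rcpt in [("202.54.6.20", "user@localdomain1.com"),
                     ("202.54.6.20", "other@elsewhere.org"),
                     ("198.51.100.7", "user@localdomain1.com")]:
        print(f"{ip} -> {rcpt}: {evaluate(ip, rcpt)}")
```

Without the /./ entry, mail from a listed client to an unlisted recipient is not rejected by the class but falls through to the RBL checks, which is exactly what the NOTE above warns about.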
