6

Alright. Some background. We have an anti-spam cluster trucking about 2-3 million emails per day, blocking somewhere in the range of 99% of spam email from our end users.

The underlying SMTP server is Postfix 2.2.10. The "Frontline defense" before mail gets carted off to SpamAssassin/ClamAV/ ect ect, is attached below.

...basic config....    
smtpd_recipient_restrictions =
            reject_unauth_destination,
            reject_rbl_client b.barracudacentral.org,
            reject_rbl_client cbl.abuseat.org,
            reject_rbl_client bl.mailspike.net,
            check_policy_service unix:postgrey/socket
...more basic config....

As you can see, standard RBL services from various companies, as well as a Postgrey service.

The problem is, I have one client (out of thousands) who is very upset that we blocked an important email of theirs. It was sent through a russian freemailer who was currently blocked in two of our three RBL servers. I explained the situation to them, however they are insisting we do not block any of their emails.

So i need a method of whitelisting ANY email that comes to domain.com, however i need it to take place before any of the recipient restrictions, they want no RBL or postgrey blocking at all.

I've done a bit of research myself, http://www.howtoforge.com/how-to-whitelist-hosts-ip-addresses-in-postfix seemed to be a good guide at first, almost fixing my problem, But i want it to accept based on TO address, not originating server.

grufftech
  • 6,620
  • 4
  • 35
  • 37

1 Answers1

6

If you do processing based on RCPT TO address, you are going to flood this person with spam, because it will disable any further spam checks.

Your only option is to use check_sender_access.

smtpd_recipient_restrictions =
            check_client_access hash:/etc/postfix/access_sender
            reject_unauth_destination,
            reject_rbl_client b.barracudacentral.org,
            reject_rbl_client cbl.abuseat.org,
            reject_rbl_client bl.mailspike.net,
            check_policy_service unix:postgrey/socket

Like so:

fromuser@domain.com      OK
domain.com               OK
fromuser@                OK

dont forget to postmap access_sender after you create it.

solefald
  • 2,303
  • 15
  • 14
  • 1
    wont "check_sender_access" result in me having to white list every domain he receives email from? The purpose IS to flood the person which spam, at least for the temporary so he can see what kinda idiot he is. – grufftech Apr 16 '10 at 18:27
  • 2
    Nope. It will just check if this particular domain is in it. If not, it will just continue to other rules. I have only 6 entires in mine, for the same reason - just to allow a spam-loving client to get his daily viagra fix :) – solefald Apr 16 '10 at 20:15
  • 9
    @solefald, You say 'check_sender_access' but then use 'check_client_access'. Perhaps you want to clarify. You may also want to clarify why you put 'check_sender_access' as a 'smtpd_recipient_restrictions' and not a 'smtpd_sender_restrictions' – d-_-b Jun 18 '13 at 05:31