Whitelisting single Hosts, IP Addresses, and even Networks in Postfix

If you use any blacklists for your email service, whitelisting important hosts, single IP addresses, and even whole networks is an essential task. By whitelisting the email services that are valuable to your users or customers, you as admin won't reject important email communication.

Blacklisting in Postfix

If you use any blacklist service or have your own blacklist in your Postfix setup, you will probably find log entries similar to this:

root@server $ grep "blocked using" /var/log/mail.log
Dec 17 4:07:18 server postfix/smtpd[21213]: NOQUEUE: reject: RCPT from
unknown[1.2.3.4]: 554 5.7.1 Service unavailable; Client host [1.2.3.4]
blocked using ix.dnsbl.manitu.net; Blocked - see http://www.dnsbl.manitu.net/lookup.php?value=1.2.3.4;
from=<x0h0ihbxazf@somedomain.example> to=<cp57ouwn7zm9@mydomain.example> proto=ESMTP helo=<[1.2.3.4]>

As you can see in this example, IP Address 1.2.3.4 was blacklisted by a third-party service.

If you check your Postfix configuration file main.cf you will find something like:

...
smtpd_recipient_restrictions = reject_invalid_hostname,
                               reject_unauth_pipelining,
                               permit_mynetworks,
                               permit_sasl_authenticated,
                               reject_unauth_destination,
                               reject_rbl_client ix.dnsbl.manitu.net,
                               permit
...

Your config will look different, but the thing we are looking for is reject_rbl_client ix.dnsbl.manitu.net. It tells Postfix to reject any clients listed on ix.dnsbl.manitu.net blacklist.

Hint: If you want to build your blacklist, check: Blacklisting Single Hosts, IP Addresses, and even Networks in Postfix.

Whitelisting Hosts, IP Addresses, and Networks

To whitelist some hosts, IP addresses, or even whole networks in Postfix, we need to provide a file that may look like this:

root@server $ cat /etc/postfix/rbl_allow
# hash: tables do not understand CIDR notation: a whole network is listed
# by its leading octets (1.2.4 matches every address in 1.2.4.0/24).
# Use a cidr: table instead if you need arbitrary prefix lengths.
mail.domain.example OK
1.2.3.4 OK
1.2.4 OK

Notice: The filename rbl_allow is your choice. You can take any name like rbl_override, rbl_whitelist, or whatever name you like.

After you have created or updated this file, you need to generate the hash table that Postfix will use by running the postmap command:

root@server $ postmap /etc/postfix/rbl_allow

Postfix 2.x should generate a corresponding /etc/postfix/rbl_allow.db file.

Now you need to tell Postfix where and how to use this generated hash in your setup.

Allow listed clients in Postfix

The most crucial part of this setup is to add this entry before any blacklist check. A client that matches an OK entry in the file is permitted at that point, so Postfix skips all of the following rules for that client.

...
smtpd_recipient_restrictions = reject_invalid_hostname,
                               reject_unauth_pipelining,
                               permit_mynetworks,
                               permit_sasl_authenticated,
                               reject_unauth_destination,
                               check_client_access hash:/etc/postfix/rbl_allow,
                               reject_rbl_client ix.dnsbl.manitu.net,
                               permit
...

By adding check_client_access hash:/etc/postfix/rbl_allow above the first blacklist entry reject_rbl_client …, you whitelist email servers that may be listed by any of the following blacklist services; they will never be rejected by this configuration. Keep the entry below reject_unauth_destination, as shown: an OK match permits the client, so placing the allow-list any earlier would let listed hosts relay mail through your server.
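Before reloading, it is worth checking both the allow-list file and the restriction order mechanically. The script below is an added example, not part of the original article: it writes constructed copies of the allow-list and of the smtpd_recipient_restrictions block to a temp dir (stand-ins for /etc/postfix/rbl_allow and main.cf), flags entries a hash: table cannot match, and verifies that check_client_access sits after reject_unauth_destination and before the first reject_rbl_client. It assumes only a POSIX shell, awk and mktemp.

```shell
#!/bin/sh
# Added example (not from the article): pre-flight checks for a Postfix
# allow-list. All inputs are constructed samples written to a temp dir.
WORK=$(mktemp -d)
cat > "$WORK/rbl_allow" <<'EOF'
# constructed: list with a CIDR key, which a hash: table will not match
mail.domain.example OK
1.2.3.4 OK
1.2.4.0/24 OK
EOF
cat > "$WORK/rbl_allow_fixed" <<'EOF'
# constructed: same intent, written in keys a hash: table can match
mail.domain.example OK
1.2.3.4 OK
1.2.4 OK
EOF
cat > "$WORK/main.cf" <<'EOF'
smtpd_recipient_restrictions = reject_invalid_hostname,
                               reject_unauth_pipelining,
                               permit_mynetworks,
                               permit_sasl_authenticated,
                               reject_unauth_destination,
                               check_client_access hash:/etc/postfix/rbl_allow,
                               reject_rbl_client ix.dnsbl.manitu.net,
                               permit
EOF
# check_allow_file FILE: succeed only if every entry has an action and no
# key uses CIDR notation (hash: tables match 1.2.4, not 1.2.4.0/24).
check_allow_file() {
    awk '
        /^[ \t]*(#|$)/ { next }
        NF < 2    { print "missing action: " $0; bad = 1; next }
        $1 ~ /\// { print "CIDR key (use 1.2.4 form or cidr: table): " $1; bad = 1 }
        END { exit bad + 0 }' "$1"
}
# check_order FILE: succeed only if check_client_access comes after
# reject_unauth_destination (else listed clients could relay) and before
# the first reject_rbl_client (else the allow-list never fires).
check_order() {
    awk '
        /^smtpd_recipient_restrictions/ { inlist = 1 }
        inlist && /^[^ \t]/ && !/^smtpd_recipient_restrictions/ { inlist = 0 }
        inlist { n++
            if (/reject_unauth_destination/) rud = n
            if (/check_client_access/ && !cca) cca = n
            if (/reject_rbl_client/ && !rbl) rbl = n }
        END { exit (rud && cca && rbl && rud < cca && cca < rbl) ? 0 : 1 }' "$1"
}
```

Run check_allow_file and check_order against the real files on your server; a non-zero exit from either means the configuration will not do what the article describes.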

The last step is to restart Postfix to reflect the changes.

root@server $ service postfix restart

Updating your Whitelist

If you change your whitelist file, don't forget to regenerate the hash table with the postmap command and then restart Postfix to reflect the changes:

root@server $ postmap /etc/postfix/rbl_allow
root@server $ service postfix restart

Summary

Whitelisting crucial email servers is an essential part of an email admin's work. These can be freemail services or specialized email services like Sendgrid. By whitelisting them, you prevent them from being rejected by a blacklist and improve email deliverability.
