How to whitelist hosts or IP addresses in Postfix

If you administer a mail server and use blacklists to block spam, you may sometimes have a problem with certain mail servers. This happens because a specific mail server was blacklisted. You can see that a server was blacklisted by tracing your maillog:

reject: RCPT from unknown[196.206.244.208]: 554 5.7.1 Service unavailable; Client host [196.206.244.208] blocked using bl.spamcop.net; Blocked - see http://www.spamcop.net/bl.shtml?196.206.244.208; from=<laya@mymail.com> to=<laya@mymail.com> proto=SMTP helo=<aimp.org>

In this example, the mail server 196.206.244.208 is blacklisted and therefore blocked (in this case the message really was spam, so we won’t whitelist 196.206.244.208).

To whitelist servers, we need a file (for example /etc/postfix/rbl_whitelist) listing all the IP addresses or host names to be whitelisted.

# nano /etc/postfix/rbl_whitelist

Every line should contain only one IP address or one hostname, in the following format:

196.196.196.196 OK
mail.mymail.com OK

Save the file and then run:

# postmap /etc/postfix/rbl_whitelist

After you have created the whitelist in Postfix format, open /etc/postfix/main.cf and search for the smtpd_recipient_restrictions parameter. Add
check_client_access hash:/etc/postfix/rbl_whitelist
after reject_unauth_destination, but before the first blacklist.

Remember: it must come BEFORE the first blacklist, or this won’t work.

smtpd_recipient_restrictions = reject_invalid_hostname,
                               reject_unauth_pipelining,
                               permit_mynetworks,
                               permit_sasl_authenticated,
                               reject_unauth_destination,
                               check_client_access hash:/etc/postfix/rbl_whitelist,
                               reject_rbl_client dsn.rfc-ignorant.org,
                               reject_rbl_client dul.dnsbl.sorbs.net,
                               reject_rbl_client sbl-xbl.spamhaus.org,
                               reject_rbl_client bl.spamcop.net,
                               permit

The lines shown above are only an example. Please check all of those blacklists, because some of them are not active any more.

And finally restart Postfix with

# service postfix restart

or

# /etc/init.d/postfix restart
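
The ordering rule above (whitelist after reject_unauth_destination, before the first blacklist) can be checked mechanically before restarting. The shell function below is an added example, not part of the original post; the name check_whitelist_order is made up here, and it expects the restriction list in the form printed by postconf -h smtpd_recipient_restrictions.

```shell
#!/bin/sh
# Added example, not from the original post. On a live server, feed it with:
#   postconf -h smtpd_recipient_restrictions | \
#       check_whitelist_order hash:/etc/postfix/rbl_whitelist

# check_whitelist_order MAP   (hypothetical helper name)
# Reads a restriction list on stdin (comma and/or whitespace separated) and
# returns 0 only if "check_client_access MAP" comes after
# reject_unauth_destination and before the first reject_rbl_client.
check_whitelist_order() {
    tr ', \t' '\n\n\n' | sed '/^$/d' | awk -v map="$1" '
        $0 == "reject_unauth_destination" && !relay { relay = NR }
        $0 == "reject_rbl_client" && !rbl           { rbl = NR }
        prev == "check_client_access" && $0 == map && !wl { wl = NR }
        { prev = $0 }
        END {
            if (!wl)    { print "FAIL: whitelist map is not referenced"; exit 1 }
            if (!relay) { print "FAIL: reject_unauth_destination is missing"; exit 1 }
            if (wl < relay) {
                # An OK here would end evaluation before the relay check runs.
                print "FAIL: whitelist is before reject_unauth_destination"; exit 1
            }
            if (rbl && rbl < wl) {
                # The DNSBL lookup rejects the client before the whitelist is read.
                print "FAIL: a reject_rbl_client comes before the whitelist"; exit 1
            }
            print "OK: whitelist is after reject_unauth_destination and before the first blacklist"
        }'
}

# Constructed sample: the restriction list from this page, in the recommended order.
good='reject_invalid_hostname, reject_unauth_pipelining, permit_mynetworks,
      permit_sasl_authenticated, reject_unauth_destination,
      check_client_access hash:/etc/postfix/rbl_whitelist,
      reject_rbl_client bl.spamcop.net, permit'
printf '%s\n' "$good" | check_whitelist_order hash:/etc/postfix/rbl_whitelist
```
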

Edit
Remember that the smtpd_recipient_restrictions section mentioned above is just for reference. Please double check these blacklists before you use them (some of them don’t work any more), especially if you find this post 3 years after I wrote it…

5 thoughts on “How to whitelist hosts or IP addresses in Postfix”

  1. > reject_rbl_client list.dsbl.org,

    This list is dead

    ___

    reject_rbl_client multi.uribl.com,

    URIBL.com only lists domains in BODY of messages. It's not supposed to be used at SMTP level. You may be blocked if you send excessive/useless queries.

  2. Are wildcards allowed at all in this format?
    e.g. *.spam.com to catch several diff hosts within that domain?
    Thanks

  3. Hi

    You can blacklist domains, IP addresses, IP blocks or hosts via regexp.

    for example,

    # IP
    /^11\.11\.11\.11$/ REJECT blacklisted

    # IP block
    /^11\.11\.11\./ REJECT blacklisted

    # domain
    /^example\.com$/ REJECT blacklisted

    # everything in a domain
    /(^|\.)example\.com$/ REJECT blacklisted

    # exact hosts
    /^somehost\.example\.com$/ REJECT blacklisted

    But a much better option is to integrate additional protection (postgrey / amavisd-new / spamassassin / clamav)
