How to whitelist hosts or IP addresses in Postfix

If you are administrating a mail server and use blacklists to block spam, sometimes you may have a problem with certain mail servers. This happens because a specific mail server was blacklisted. You can see that one server was blacklisted if you trace your maillog:

reject: RCPT from unknown[]: 554 5.7.1 Service unavailable; Client host [] blocked using; Blocked - see; from=<> to=<> proto=SMTP helo=<>

In this example, the mail server is blacklisted and therefore blocked (also in this case, message was spam and we won’t whitelist

To whitelist servers, we need one file (for example /etc/postfix/rbl_whitelist) where we will list all IP addresses or host names marked for whitelist.

# nano /etc/postfix/rbl_whitelist

Every line should contain only one IP address or one hostname in next format OK OK

Save file and then run:

# postmap /etc/postfix/rbl_whitelist

After you created whitelist in postfix format, open /etc/postfix/ and search for the smtpd_recipient_restrictions parameter. Add
check_client_access hash:/etc/postfix/rbl_whitelist
after reject_unauth_destination, but before the first blacklist.

Remember BEFORE the first blacklist or this won’t work.

smtpd_recipient_restrictions = reject_invalid_hostname,
                               check_client_access hash:/etc/postfix/rbl_whitelist,

The lines shown above is only example. Please check all those blacklist because some of them are not active any more….

And finally reload postfix with

# service postfix restart


# /etc/init.d/postfix restart

Remember that smtpd_recipient_restrictions section mentioned above is just for reference. Please double check this blacklists before you use them. (Some of them doesn’t work any more). Especially if you find this post 3 years after I wrote it…

5 thoughts on “How to whitelist hosts or IP addresses in Postfix

  1. > reject_rbl_client,

    This list is dead


    reject_rbl_client, only lists domains in BODY of messages. Its not supposed to be used at SMTP level. You may be blocked if you send excessive/useless queries.

  2. Are wildcards allowed at all in this format?
    e.g. * to catch several diff hosts within that domain?

  3. Hi

    You can blacklist domains, IP addresses, IP blocks or hosts via regexp.

    for example,

    # IP
    /^11\.11\.11\.11$/ REJECT blacklisted

    # IP block
    /^11\.11\.11/ REJECT blacklisted

    # domain
    /^example\.com$/ REJECT blacklisted

    # everything in a domain
    /example\.com$/ REJECT blacklisted

    # exact hosts
    /^somehost\.example\.com$/ REJECT blacklisted

    But much better option is to integrate additional protection (postgrey / amavisd-new / spamassassin / clamav)

Leave a Reply

Your email address will not be published. Required fields are marked *