If you are administrating a mail server and use blacklists to block spam, sometimes you may have a problem with certain mail servers. This happens because a specific mail server was blacklisted. You can see that one server was blacklisted if you trace your maillog:
reject: RCPT from unknown[18.104.22.168]: 554 5.7.1 Service unavailable; Client host [22.214.171.124] blocked using bl.spamcop.net; Blocked - see http://www.spamcop.net/bl.shtml?126.96.36.199; from=<firstname.lastname@example.org> to=<email@example.com> proto=SMTP helo=<aimp.org>
In this example, the mail server 188.8.131.52 is blacklisted and therefore blocked (also in this case, message was spam and we won’t whitelist 184.108.40.206).
To whitelist servers, we need one file (for example /etc/postfix/rbl_whitelist) where we will list all IP addresses or host names marked for whitelist.
# nano /etc/postfix/rbl_whitelist
Every line should contain only one IP address or one hostname in next format
220.127.116.11 OK mail.mymail.com OK
Save file and then run:
# postmap /etc/postfix/rbl_whitelist
After you created whitelist in postfix format, open /etc/postfix/main.cf and search for the smtpd_recipient_restrictions parameter. Add
after reject_unauth_destination, but before the first blacklist.
Remember BEFORE the first blacklist or this won’t work.
smtpd_recipient_restrictions = reject_invalid_hostname, reject_unauth_pipelining, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, check_client_access hash:/etc/postfix/rbl_whitelist, reject_rbl_client dsn.rfc-ignorant.org, reject_rbl_client dul.dnsbl.sorbs.net, reject_rbl_client sbl-xbl.spamhaus.org, reject_rbl_client bl.spamcop.net, permit
The lines shown above is only example. Please check all those blacklist because some of them are not active any more….
And finally reload postfix with
# service postfix restart
# /etc/init.d/postfix restart
Remember that smtpd_recipient_restrictions section mentioned above is just for reference. Please double check this blacklists before you use them. (Some of them doesn’t work any more). Especially if you find this post 3 years after I wrote it…
6 thoughts on “How to whitelist hosts or IP addresses in Postfix”
> reject_rbl_client list.dsbl.org,
This list is dead
URIBL.com only lists domains in BODY of messages. Its not supposed to be used at SMTP level. You may be blocked if you send excessive/useless queries.
Are wildcards allowed at all in this format?
e.g. *.spam.com to catch several diff hosts within that domain?
You can blacklist domains, IP addresses, IP blocks or hosts via regexp.
/^11\.11\.11\.11$/ REJECT blacklisted
# IP block
/^11\.11\.11/ REJECT blacklisted
/^example\.com$/ REJECT blacklisted
# everything in a domain
/example\.com$/ REJECT blacklisted
# exact hosts
/^somehost\.example\.com$/ REJECT blacklisted
But much better option is to integrate additional protection (postgrey / amavisd-new / spamassassin / clamav)
Perfect – I had my regex stuff wrong – fixed up my whitelist.
Or even eleven years!
Thanks nevertheless; getting an up-to-date RBL is much easier than figuring out Postfix options, so your article is still pertinent today 😉