mailsystem/DOC/postfix/whitelist_host_ip_address.txt

## - To whitelist a server ther a multiple possibilities
## -

## -----
## - 1.)  
## -
## - To whitelist a server (name or ip-adress) or network , create the file 
## -    /etc/postfix/rbl_override
## - where you list all IP addresses or host names 
## - (one per line!) that you want to whitelist:
## -
## - 1.2.3.4 OK
## - mail.freemailer.tld OK
## - 194.25.134/24 OK
## - ...
## -
vim /etc/postfix/rbl_override

## - After you've created/modified that file, you must run:
## -
postmap btree:/etc/postfix/rbl_override
#postmap /etc/postfix/rbl_override

## - Next open
## -    /etc/postfix/main.cf 
## - and search for the smtpd_recipient_restrictions parameter. 
## - Add check_client_access hash:/etc/postfix/rbl_override to 
## - that parameter, after reject_unauth_destination, but before 
## - the first blacklist.
## - 
## -    smtpd_recipient_restrictions =
## -       ...
## -       permit_sasl_authenticated,
## -       check_client_access btree:/etc/postfix/rbl_override,
## -       #check_client_access hash:/etc/postfix/rbl_override,
## -       reject_rbl_client zen.spamhaus.org,
## -       ...


## - Now restart postfix:
## -
/etc/init.d/postfix restart 


## ----
## - Notice:
## - there are also whitelist dns service, like list.dnswl.org
## - see: http://www.dnswl.org/
## - requesting such a service works the same as requesting a
## - blacklist server like
## - 
## - for example the server 194.25.134.17 (one mailserver from t-online)
## - is blacklisted at bl.spamcop.net. that means the request
## -
## -    chris@sol:~$ dig 17.134.25.194.bl.spamcop.net
## - 
## - results in an ANSWER SECTION like 
## -
## -    17.134.25.194.bl.spamcop.net. 2100 IN   A       127.0.0.2
## - 
## - ( or using host command:
## -      chris@sol:~$ host 17.134.25.194.bl.spamcop.net
## -      17.134.25.194.bl.spamcop.net has address 127.0.0.2 )
## -
## - in contrast to "not found: 3(NXDOMAIN)" in case of a not blacklistet one
## -
## -
## - That t-online server is also (white-)listed at the at list.dnswl.org and
## - so, the request
## -
## -    chris@sol:~$ dig 17.134.25.194.list.dnswl.org
## -
## - results in an ANSWER SECTION like:
## -
## -    17.134.25.194.list.dnswl.org. 12506 IN  A       127.0.5.0
## -
## - or rather
## -    chris@sol:~$ host 17.134.25.194.list.dnswl.org
## -    17.134.25.194.list.dnswl.org has address 127.0.5.0
## -
## - 
## -----



## -----
## - 2.)
## -
## - You can question more than one blacklist server an also whitelist server,
## - weight the single result and make a decision after getting the all-overresult
## -
## - Do so, use parameters "postscreen_dnsbl_sites and"
## - "postscreen_dnsbl_threshold". 
## -
## -
## - Example configuration:
## -
## -    postscreen_dnsbl_sites =
## -      one.blacklist.server.com*2
## -      another.blacklist.server.com
## -      third.blacklist.server.com
## -      list.dnswl.org*-3
## -    postscreen_dnsbl_threshold=1 # (the default value)
## -
## - if the requested incomming-ip-adress matches the first blacklist server,
## - you get a result of "2" (because the entry for that blacklict server is
## - weighted with 2).
## - if the requested ip-address matches the second or the third blacklist
## - server the result is each with "1"
## - if the requested ip-address matches the whitelist server, the result 
## - is "-3"
## -
## - assuming all servers matches, than the all over result is "2+1+1-3=1". 
## - because 1 is equal or grater than "1" (the value of the parameter of
## - "postscreen_dnsbl_threshold"), the concerning the concerning network
## - connection will be dropped.
## -
## - assuming the first and second blacklist server and also the whitelist
## - server matches the concerning the all over result is "2+1-3=0".
## - Because 0 is lower then 1 (the value of the parameter 
## - "postscreen_dnsbl_threshold"). the connection will be accepted (at that
## - point)
## -
## -
## - See "man postconf" or site
## - http://www.postfix.org/postconf.5.html for advanced usage
## -
## -----



## -----
## - 3.)
## -
## - you can use postfix conf parameter "permit_dnswl_client"
## - in main.cf 
## -
## - here is an example using list.dnswl.org
## - 
## -    smtpd_recipient_restrictions =
## -      ...
## -      permit_sasl_authenticated,
## -      permit_dnswl_client list.dnswl.org,
## -      reject_rbl_client someblacklist.example.com,
## -      reject_rbl_client moreblacklist.example.com,
## -      permit_mynetworks,
## -      ...
## -
## - To override only for "low", "med" and "hi" (see
## - http://www.dnswl.org/tech):
## -    
## -    smtpd_recipient_restrictions =
## -      ...
## -      permit_sasl_authenticated,
## -      permit_dnswl_client list.dnswl.org=127.0.[0..255].[1..3],
## -      reject_rbl_client someblacklist.example.com,
## -      permit_mynetworks,
## -      reject_unauth_destination
## -    
## -----

## - Notice:
## -
## - I have configured some white list entries  d.c.b.a.dnswl.oopen.de.
## - see file /opt/tinydns/root/zonefiles/dnswl.oopen.de.zone on
## - a.ns.oopen.de
## -
## - i.e. to avoid blacklisting t-online servers 194.25.134.*, i added 
## - the followig entry
## -    +*.134.25.194.dnswl.oopen.de:127.0.0.2:4300
## -
## - i added also a concerning TXT record (not needed):
## -    '*.134.25.194.dnswl.oopen.de:T-Online:4300
## -
## - concernin entry in smtpd_recipient_restrictions of main.cf:
## -
## -    ...
## -    # RBL check - !! comment out if postcreens postscreen_dnsbl_sites is in use
## -       # Whitelist (configured on a.ns.oopen.de
## -       # in /opt/tinydns/root/zonefiles/dnswl.oopen.de.zone )
## -       permit_dnswl_client dnswl.oopen.de,
## -       # Blacklists
## -       reject_rbl_client zen.spamhaus.org,
## -       reject_rbl_client ix.dnsbl.manitu.net,
## -    ...