Postfix Domain Whitelisting in Combination with Sender Authentication

Solution 1:

Whenever your restriction can't be applied globally to all cases, you can use Postfix restriction classes. The idea is to route certain domains to separate restrictions.

I reordered your current configuration on the following principle: "lightweight checks should be executed before heavy ones". So I suggest the configuration becomes

smtpd_recipient_restrictions =
  permit_mynetworks
  permit_sasl_authenticated
  reject_unauth_destination
  check_sender_access hash:/etc/postfix/sender_access
  reject_rbl_client zen.spamhaus.org
  check_policy_service unix:private/tumgreyspf

Now, Postfix restriction classes should be applied via this line: check_sender_access hash:/etc/postfix/sender_access. Before that, define the smtpd_restriction_classes parameter in main.cf.

smtpd_restriction_classes = whitelistdomain
whitelistdomain = 
  check_policy_service unix:private/tumgreyspf

Therefore the content of /etc/postfix/sender_access becomes

example.com  whitelistdomain
example.org  whitelistdomain

The logic is: Postfix applies the default restrictions (permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination) to all domains. Then, because example.com and example.org are in the whitelistdomain class, Postfix only performs check_policy_service unix:private/tumgreyspf for them. Other domains should pass the default restrictions.


Now, the problem is how to configure tumgreyspf to exclude those domains from greylisting.

Based on this page, here are the steps to exclude domains from greylisting. Note that these paths apply to Debian; other systems may use different paths.

First, create a folder for every domain

mkdir -p /var/lib/tumgreyspf/config/envelope_sender/example.com/
mkdir -p /var/lib/tumgreyspf/config/envelope_sender/example.org/

Create a configuration file at /etc/tumgreyspf/disablegreylist.conf

SPFSEEDONLY = 0
GREYLISTTIME = 600
CHECKERS = spf
OTHERCONFIGS =

Now, symlink it into each of the domain directories

ln -s /etc/tumgreyspf/disablegreylist.conf /var/lib/tumgreyspf/config/envelope_sender/example.org/__default__
ln -s /etc/tumgreyspf/disablegreylist.conf /var/lib/tumgreyspf/config/envelope_sender/example.com/__default__

More info: GitHub page of tumgreyspf
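How Postfix walks the restriction list above (entries run front to back, the first permit or reject wins, dunno falls through, and a restriction class expands in place where the sender_access lookup hits it), as an added Python model that is not part of either answer or of Postfix itself. The network list, accepted destinations, table contents and RBL hit are constructed stand-ins, and the tumgreyspf policy daemon is modelled as always answering dunno.

```python
# Added model (not Postfix's code) of smtpd_recipient_restrictions evaluation:
# entries run front to back, the first PERMIT/REJECT wins, DUNNO falls through,
# and a restriction class expands into its sub-list at the access-table lookup.
from collections import namedtuple

PERMIT, REJECT, DUNNO = "PERMIT", "REJECT", "DUNNO"
Session = namedtuple("Session", "client_ip sasl_authenticated sender recipient rbl_listed")

# Constructed stand-ins for main.cf values, the sender_access table and an RBL hit
MY_NETWORKS = {"127.0.0.1", "10.0.0.5"}
MY_DESTINATIONS = {"mail.example"}               # domains this server accepts mail for
SENDER_ACCESS = {"example.com": "whitelistdomain", "example.org": "whitelistdomain"}
RESTRICTION_CLASSES = {"whitelistdomain": ["check_policy_service unix:private/tumgreyspf"]}
SOLUTION_1 = ["permit_mynetworks", "permit_sasl_authenticated", "reject_unauth_destination",
              "check_sender_access hash:/etc/postfix/sender_access",
              "reject_rbl_client zen.spamhaus.org", "check_policy_service unix:private/tumgreyspf"]

def domain_of(address):
    return address.rsplit("@", 1)[-1].lower()

def evaluate(restrictions, s, trace):
    """Run one restriction list; trace records every entry that was consulted."""
    for entry in restrictions:
        name = entry.split(" ", 1)[0]
        trace.append(entry)
        if name == "permit_mynetworks":
            verdict = PERMIT if s.client_ip in MY_NETWORKS else DUNNO
        elif name == "permit_sasl_authenticated":
            verdict = PERMIT if s.sasl_authenticated else DUNNO
        elif name == "reject_unauth_destination":
            verdict = DUNNO if domain_of(s.recipient) in MY_DESTINATIONS else REJECT
        elif name == "check_sender_access":
            hit = SENDER_ACCESS.get(domain_of(s.sender))
            if hit in RESTRICTION_CLASSES:        # class name: run its sub-list right here
                verdict = evaluate(RESTRICTION_CLASSES[hit], s, trace)
            else:
                verdict = {"OK": PERMIT, "REJECT": REJECT}.get(hit, DUNNO)
        elif name == "reject_rbl_client":
            verdict = REJECT if s.rbl_listed else DUNNO
        else:  # check_policy_service: the modelled tumgreyspf daemon answers "dunno"
            verdict = DUNNO
        if verdict != DUNNO:
            return verdict
    return DUNNO

def decide(restrictions, s):
    """Final verdict and the entries consulted; no decision at the end means accept."""
    trace = []
    verdict = evaluate(restrictions, s, trace)
    return (PERMIT if verdict == DUNNO else verdict), trace
```

The trace shows that reject_unauth_destination decides a relay attempt before the sender table is even consulted, so a sender domain in the whitelist cannot turn the server into an open relay, and that a class whose checks all answer dunno falls through to the entries that follow check_sender_access.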

Solution 2:

Just sort your smtpd_recipient_restrictions accordingly. This list is processed from front to back. Some filters can return a reject or nothing (blacklists, SPF; either it's a malicious sender or we don't know) or a permit (SASL, networks; if they don't match, continue).

In your case it would be:

smtpd_recipient_restrictions =
  permit_mynetworks
  permit_sasl_authenticated
  check_policy_service unix:private/tumgreyspf
  check_sender_access hash:/etc/postfix/sender_access
  reject_rbl_client zen.spamhaus.org
  reject_unauth_destination

Local and authenticated senders are always allowed. For all others we check our sender_access file. If there's no match, continue with blacklists, SPF and greylisting.