The Linux Page

Skip Postgrey test with a Postfix restriction map

By default, when Postfix is installed with postgrey, every email that is not blocked by some other means is passed to postgrey.

What if you have a customer who doesn't want to wait forever to get his/her emails?

Well... you need to bypass postgrey (and good luck to him/her in regard to heavy spamming...)

The setup requires two additional entries as defined here:

# in main.cf
smtpd_restriction_classes = permissive
permissive = permit

Here we define a new class called "permissive" (the name is case sensitive!) that we will use in the restriction access file. Somehow, we cannot just use permit in the file (I tried, it doesn't work!)

# in main.cf
smtpd_recipient_restrictions =
   ... # restrictions that always apply
   check_recipient_access hash:/etc/postfix/recipient_access,
   ... # other restrictions
   check_policy_service inet:127.0.0.1:10023

IMPORTANT NOTE: you'll want to reload the configuration if your server is live:

service postfix reload

The recipient restrictions can check the email address of a user and permit it. Permitting means the email is accepted without evaluating the rest of this list, so every restriction listed after the map, the greylist check included, is skipped for that recipient.

So, in /etc/postfix/recipient_access you could enter something like:

# in recipient_access
# Get rid of stupid spammers at the source
super-spammer@example.com REJECT
# Accept for users who want to avoid further checks and especially the greylist check
accept-now@example.com permissive

IMPORTANT NOTE: you'll also have to run the postmap command, something like this:

postmap hash:/etc/postfix/recipient_access

Notice that to use the "PERMIT" you have to use that permissive class. I'm not too sure why REJECT and OK work and not PERMIT, but at least with the class the desired effect works. Note also that it's all lowercase: you cannot declare a PERMISSIVE class and use permissive in the recipient_access file (or vice versa).

Of course, you can have as many check_recipient_access entries as you like, each with a different filename and thus a different behavior (i.e. the super-spammer could be in a file checked before anything else, and the permissive users may be one or two before the last entry in the list).

Note that the greylist whitelist_recipients cannot be used for that purpose because the accept-now@example.com is a virtual host and thus it isn't known/understood by greylist itself.

Note also that the recipient_access file could make use of complete domain names:

# in recipient_access
example.com permissive

would accept all users at example.com.
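To audit which recipients actually bypass the greylist, the following added example (not part of the original setup and not Postfix code) models the three conditions described above: the map entry, the case-sensitive class name, and the map's position before check_policy_service. The function names, the shouty@example.com and example.org rows, and the use of reject_unauth_destination are assumptions made for the sample.

```python
# Constructed samples modelled on this page's snippets; reject_unauth_destination
# stands in for the "restrictions that always apply" placeholder (an assumption).
MAIN_CF = """\
smtpd_restriction_classes = permissive
permissive = permit
smtpd_recipient_restrictions =
   reject_unauth_destination,
   check_recipient_access hash:/etc/postfix/recipient_access,
   check_policy_service inet:127.0.0.1:10023
"""
RECIPIENT_ACCESS = """\
super-spammer@example.com REJECT
accept-now@example.com permissive
shouty@example.com PERMISSIVE
example.org permissive
"""

def parse_main_cf(text):
    """Return {parameter: value}, joining indented continuation lines."""
    params, name = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and name:
            params[name] += " " + line.strip()
        else:
            name, _, value = (p.strip() for p in line.partition("="))
            params[name] = value
    return params

def parse_access(text):
    """Return {lookup key: action} from the map's source text."""
    rows = (l.split(None, 1) for l in text.splitlines() if l.strip() and not l.startswith("#"))
    return {key.lower(): action.strip() for key, action in rows}

def verdict(params, table, rcpt):
    """Classify rcpt; lookup is simplified to full address, then bare domain."""
    rcpt = rcpt.lower()
    action = table.get(rcpt) or table.get(rcpt.rpartition("@")[2])
    if action is None:
        return "greylisted"
    if action.upper().split()[0] == "REJECT":
        return "reject"
    classes = params.get("smtpd_restriction_classes", "").replace(",", " ").split()
    if action.upper() != "OK" and action not in classes:
        return "undeclared-class"  # class names are matched case-sensitively
    order = params["smtpd_recipient_restrictions"].replace(",", " ").split()
    early = order.index("check_recipient_access") < order.index("check_policy_service")
    permits = action.upper() == "OK" or params.get(action) == "permit"
    return "skip-greylist" if permits and early else "greylisted"
```

Running verdict() over every key in the map gives a quick list of who is exempt from greylisting, which is worth reviewing whenever a whole domain is marked permissive.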

Sources:

http://www.postfix.org/postconf.5.html#smtpd_client_restrictions
http://www.postfix.org/RESTRICTION_CLASS_README.html