Mail Server Access

Access maps

Postfix defines a number of restrictions that look up information in access maps. An access map is a lookup table whose contents affect whether a message will be accepted. The name of the restriction controls what information is used as the lookup key. More detailed documentation can be found on the Postfix website: Postfix SMTP server access table.

Access Map Files

Administrators can edit access files directly in Warden by clicking on the "Advanced" button on any of the grids under Warden -> Settings -> Mail Server Access. This makes it easy to make changes in bulk.

Warden automatically adds check entries to their respective smtpd restriction options. For example, when you add an IP address to the client access grid, the entry check_client_access cidr:/etc/postfix/client_access.cidr is added to smtpd_client_restrictions in /etc/postfix/main.cf.

| Postfix parameter | Map type | Check access entry | Description |
|---|---|---|---|
| smtpd_client_restrictions | CIDR | check_client_access cidr:/etc/postfix/client_access.cidr | Client IP addresses or CIDRs. |
| smtpd_helo_restrictions | hash | check_helo_access hash:/etc/postfix/helo_access | Hostnames and parent domains to match against the host information supplied with the HELO/EHLO command. |
| smtpd_sender_restrictions | hash | check_sender_access hash:/etc/postfix/sender_access | Email addresses, domains, and local parts to match against the address specified with the MAIL FROM command. |
| smtpd_recipient_restrictions | hash | check_recipient_access hash:/etc/postfix/recipient_access | Email addresses, domains, and local parts to match against the address specified with the RCPT TO command. |

Editing Access Maps

• When editing hash access map types directly from the command line, you must use the postmap command to regenerate the database file after making your changes.
• You do not need to use the postmap command when editing the CIDR access map /etc/postfix/client_access.cidr.

# edit the hash access file and save your changes
nano /etc/postfix/helo_access

# rebuild the map database using the postmap command
postmap hash:/etc/postfix/helo_access

# reload postfix
postfix reload

Access Map Format

pattern  action  optional text

Client Access Example (/etc/postfix/client_access.cidr)

# Each entry below is a separate example. Within one CIDR file the patterns
# are searched in order and the first match wins.

# reject access from a specific network
203.0.113.0/24 REJECT Your network is blocked for sending spam.

# whitelist a specific mail server's IP address from smtpd_client_restrictions
203.0.113.1 OK

# discard messages from a specific IP address
203.0.113.1 DISCARD Message was discarded.

# redirect all messages from a specific IP address to a catch-all account
203.0.113.1 REDIRECT catchall@example.com

Recipient Access Example (/etc/postfix/recipient_access)

# whitelist these entries from reject_non_fqdn_sender restrictions
# (according to both RFC 2821 and RFC 2142 these addresses should be valid)
abuse@ OK
postmaster@ OK
webmaster@ OK

Access Map Actions

• To whitelist an entry use the OK or DUNNO action.
• To blacklist an entry use the REJECT action. Using the DISCARD action is not recommended!

| Action | Description |
|---|---|
| REJECT [optional text] | Reject the request. You can optionally specify a short string of text to be used in the reply and with logging for this message; otherwise, Postfix uses the general reply code and text configured for the restriction. |
| OK | Accept the request. Processing for the current rule stops. Postfix moves on to the next restriction rule. |
| DUNNO | Stop checking entries for that key in the lookup table. Postfix moves on to the next restriction for the current rule. |
| DISCARD [optional text] | Report a successful delivery to the client, but drop the message. You can optionally specify a short string of text to be logged; otherwise, Postfix logs a generic message. |
| HOLD [optional text] | Place the message in the hold queue. You can optionally specify a short string of text to be logged; otherwise, Postfix logs a generic message. |
| BCC [user@example.com] | Send one copy of the message to the specified recipient. |
| REDIRECT [user@example.com] | Send the message to the specified address instead of the intended recipient(s). |
| PREPEND [header: text] | Prepend the specified message header to the message. |
| INFO [optional text] | Place an informational message in the log file with client information, helo, sender, recipient, and protocol information. You can optionally specify a short string of text to be logged; otherwise, Postfix logs a generic message. |
| WARN [optional text] | Place a warning message in the log file. You can optionally specify a short string of text to be logged; otherwise, Postfix logs a generic message. |
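
An added example, not part of the original page or of Warden or Postfix: a small Python linter for /etc/postfix/client_access.cidr that checks each entry against the format and actions above and flags entries made unreachable by an earlier, broader network, since a CIDR table is searched in order and the first match wins. The lint function, the ACTIONS set and the SAMPLE data are constructed for illustration, and only plain "pattern action text" lines are handled.

```python
import ipaddress

# Actions from the table above; access(5) defines others (assumption: only
# the ones documented on this page should appear in these files).
ACTIONS = {"REJECT", "OK", "DUNNO", "DISCARD", "HOLD", "BCC",
           "REDIRECT", "PREPEND", "INFO", "WARN"}

# Constructed sample modelled on the client access entries shown earlier.
SAMPLE = """\
# reject access from a specific network
203.0.113.0/24 REJECT Your network is blocked for sending spam.
203.0.113.1 OK
198.51.100.7 DISCARD Message was discarded.
192.0.2.0/33 REJECT bad prefix length
198.51.100.9 ALLOW
"""

def lint(text):
    """Return (line number, finding) pairs for a CIDR access map."""
    findings, seen = [], []  # seen holds (line number, network) in file order
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 2)  # pattern, action, optional text
        if len(fields) < 2:
            findings.append((lineno, "missing action"))
            continue
        pattern, action = fields[0], fields[1].upper()
        try:
            net = ipaddress.ip_network(pattern)  # rejects bad prefixes and set host bits
        except ValueError:
            findings.append((lineno, f"invalid address or CIDR: {pattern}"))
            continue
        if action not in ACTIONS:
            findings.append((lineno, f"action not in the documented table: {fields[1]}"))
        elif action == "DISCARD":
            findings.append((lineno, "DISCARD drops mail silently; prefer REJECT"))
        # A CIDR table is searched top to bottom and the first match wins,
        # so an entry covered by an earlier network is never reached.
        for prev_line, prev in seen:
            if net.version == prev.version and net.subnet_of(prev):
                findings.append((lineno, f"shadowed by line {prev_line} ({prev})"))
                break
        seen.append((lineno, net))
    return findings

if __name__ == "__main__":
    for lineno, finding in lint(SAMPLE):
        print(f"line {lineno}: {finding}")
```

In the sample, the OK entry for 203.0.113.1 is reported as shadowed because the /24 REJECT above it matches first; moving the host entry above the network entry clears the finding.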
