Can't you do the same thing (to solve your unstated problem, which I
assume might be to avoid delays with after-220 tests) with DNSWL and
postscreen_dnsbl_whitelist_threshold?

Most large-scale legitimate senders are listed in list.dnswl.org.
Those which are not listed are usually small enough to retry from the
same IP address, so the delays won't be much.

If you're looking into Postscreen whitelisting, you might consider
including Postwhite in your solution:

http://www.stevejenkins.com/blog/2015/11/postscreen-whitelisting-smtp-outbound-ip-addresses-large-webmail-providers/

It helps you whitelist trusted senders' known SMTP IP addresses based on
their published SPF records. You can choose which mailers to whitelist and
add easily your own.

SteveJ

This is a CIDR based access list and you have to know the IP but Gmail for example changes often so something like ".google.com accept” or “.hotmail.com reject” would make life much much easier.

Postwhite handles CIDR and individual IP addresses, and formats them
properly for Postscreen.
You're right -- Gmail (and others) change their IP addresses often... so
I'm going to guess you didn't make it to the part of the article that says
"I also recommend creating a cron job to refresh your whitelist with
updated queries every week." Actually, Postwhite is lightweight enough to
be run daily (or even multiple times per day) to update your Postscreen
whitelist, if you're concerned with super-freshness.

If the blog post was too much reading, just skip right to the GitHub
project for it: https://github.com/stevejenkins/postwhite

What you're asking for doesn't exist currently in Postscreen, and it's not
likely it will any time soon (if ever). Your best approach is to combine
dnswl whitelisting with Postwhite. It's literally a 5 minute job that will
"make life much much easier." :)

SteveJ

Also... you don't need to know the IP. Postwhite looks it (them) up for you
based on domain name and stuffs them into a Postscreen-friendly whitelist.
It's literally the entire raison d'etre for the script. :)

I am already doing this but I would personally much rather have the
choice of a domain white/black listing as it is a much cleaner solution
even for smaller and unlisted domains with the extra delay cost of a
single reverse lookup of course, if that is the problem.

The DNSW/BL only covers single IP access and not a whole domain. A
reverse lookup would cover both white and black listing of whole domains
of anyone’s choice and make life easier/harder dealing with smaller email
communities.

I have already explained at length why postscreen will not query
DNS domains other than the few DNSB/WLs that are configured by the
Postfix system administrator.

Wietse

Hi, Lefteris. Wietse has reiterated that Postscreen is not designed to do
DNS queries (beyond DNSB/WLs). His is the final word on the subject. :)

I had a few extra minutes this morning, so I updated Postwhite to
optionally allow blacklisting. It's not enabled by default, and I added a
warning in the README about the dangers of manual blacklisting. But it's
the closest you're going to get to building whitelists and blacklists for
Postscreen based on hostnames:

https://github.com/stevejenkins/postwhite

Good luck!

SteveJ

can blacklist be saved to seperate cidr file ?, so order of
blacklist/whitelist is user choices ? :=)

postfix have always being first match wins

You could generate the file with good old cat from multiple sources.

cat f1 f2 f3 >postscreen_access.tmp && mv postscreen_access.tmp postscreen_access

Wietse

Yes, the black list is saved as a separate file for that very reason. Then
just make sure the whitelist is first:

postscreen_access_list = permit_mynetworks,
...
cidr:/etc/postfix/postscreen_spf_whitelist.cidr,
cidr:/etc/postfix/postscreen_spf_blacklist.cidr,
...

Presto! :)

SteveJ

No doubt about this one, of course and it is! :)
Thank you Steve I will give it a shot and see how it works out.