
249015 Re: check_client_access

  • Rocco Scappatura
    Feb 1, 2009
      Mouss,

      >>>>> How do I have to modify it so that I could block an email address
      >>>>> either if it is the sender or one of the recipients, AND either if
      >>>>> the message is incoming or outgoing?
      >>>>>
      >>>>> Maybe so (assuming that the action will never be "OK")...
      >>>>>
      >>>>> smtpd_client_restrictions =
      >>>>> check_client_access
      >>>>> proxy:mysql:/etc/postfix/mysql-check-client-filter-access.cf
      >>>>>
      >>>>> smtpd_helo_restrictions =
      >>>>> smtpd_sender_restrictions =
      >>>>> check_sender_access
      >>>>> proxy:mysql:/etc/postfix/mysql-check-sender-access.cf
      >>>>> check_recipient_access
      >>>>> proxy:mysql:/etc/postfix/mysql-check-sender-access.cf
      >>>>>
      >>>>> smtpd_recipient_restrictions =
      >>>>> check_recipient_access
      >>>>> proxy:mysql:/etc/postfix/mysql-check-recipient-access.cf
      >>>> this one is already in smtpd_sender_restrictions, so just remove it
      >>>>
      >>> I can't remove it
      >
      > sorry, I didn't notice that it was a different map.
      >
      >>> because this lookup returns "reject_unverified_address"
      >>> for the domains that I maintain but for which I do not have a list of
      >>> valid recipients:
      >>>
      >>> query = select restriction from domain where domain='%s'
      >>>
      >>> maybe could I put both lookups in smtpd_sender_restrictions?
      >>>
      >
      > yes.
      >
      >>> check_recipient_access
      >>> proxy:mysql:/etc/postfix/mysql-check-sender-access.cf,
      >>> proxy:mysql:/etc/postfix/mysql-check-sender-access.cf
      >>
      >> I'm saying:
      >>
      >> check_recipient_access
      >> proxy:mysql:/etc/postfix/mysql-check-sender-access.cf,
      >> proxy:mysql:/etc/postfix/mysql-check-recipient-access.cf
      >>
      >
      > check_foo_access checks only one map. so you need to do it like this:
      >
      > check_recipient_access
      > proxy:mysql:/etc/postfix/mysql-check-sender-access.cf
      > check_recipient_access
      > proxy:mysql:/etc/postfix/mysql-check-recipient-access.cf
      >
      >
      >>> is it ok?
      >>>
      >>>>> check_client_access
      >>>>> proxy:mysql:/etc/postfix/mysql-check-client-access.cf
      >>>> what's this for? it's already in smtpd_client_restrictions, so you may
      >>>> or may not need it here.
      >>> It integrates mynetworks (i.e., returns "OK" if an IP is enabled to
      >>> relay through my SMTP gateway). I need it.
      >>>
      >
      > that's ok.
      >
      >>>>> permit_mynetworks
      >>>>> permit_sasl_authenticated
      >>>>> check_policy_service inet:127.0.0.1:54000
      >>>> what's this for? you probably want to put this after
      >>>> reject_unauth_destination.
      >>> postgrey
      >>>
      >
      > then put it at the end. no point to greylist a relay attempt.
      >
      >>>> remember: reject_unauth_destination is what prevents open relay. so
      >>>> avoid putting a lot of stuff before it, because you increase the
      >>>> risks.
      >>>>
      >>>> and reject_unauth_destination is a very safe and very cheap check, so
      >>>> it's good to have it as soon as possible.
      >>>>
      >>>>> reject_unauth_destination
      >>>>> .
      >>>>> .
      >>>>> .
      >>>>>
      >>>>> Or do you have another configuration to propose that is safer?
      >>>>>
      >>>> see above.
      >>>>
      >>>> as a general "rule of thumb", put anti-spam checks (I'm talking about
      >>>> inbound spam. outbound spam is a different subject) after
      >>>> reject_unauth_destination, and put "general restrictions" (that also
      >>>> apply to your users) in one of
      >>>> smtpd_(client|helo|sender)_restrictions.

      All works fine.. Annie is OK! ;-)

      Thanks,

      rocsca