
check_client_access

  • Hans du Plooy
    Message 1 of 17 , Feb 2, 2007
      Hi guys,

      I need to allow a few IP addresses to connect to a postfix box, and block
      all other IPs. Postfix on the box is not built with tcpwrappers support
      and I cannot replace it. So I have in main.cf:

      smtpd_recipient_restrictions =
      check_client_access hash:/etc/postfix/client_checks,

      and in /etc/postfix/client_checks a list of the allowed IP addresses.

      What is the syntax to specify a "REJECT all the rest", where all IP addresses
      that are not explicitly allowed get rejected? I cannot seem to find a
      working example of this.

      Thanks
      Hans
    • Kai Fürstenberg
      Message 2 of 17 , Feb 2, 2007
        Hans du Plooy wrote:
        > Hi guys,
        >
        > I need to allow a few IP addresses to connect to a postfix box, and block
        > all other IPs. Postfix on the box is not built with tcpwrappers support
        > and I cannot replace it. So I have in main.cf:
        >
        > smtpd_recipient_restrictions =
        > check_client_access hash:/etc/postfix/client_checks,
        >
        > and in /etc/postfix/client_checks a list of the allowed IP addresses.
        >
        > What is the syntax to specify a "REJECT all the rest", where all IP addresses
        > that are not explicitly allowed get rejected? I cannot seem to find a
        > working example of this.

        add a "reject" at the end of smtpd_recipient_restrictions.

        Kai
      • Rocco Scappatura
        Message 3 of 17 , Jan 31, 2009
          In smtpd_recipient_restrictions I put as first line:

          check_sender_access proxy:mysql:/etc/postfix/mysql-check-sender-access.cf

          The check looks up the database for an address or a domain and returns an
          action (OK, REJECT, and so on).

          Yesterday my server received a lot of messages for an email address in one
          of the domains maintained by me. Say it is "receiver@...". Even if the
          lookup for this email address is successful and returns REJECT, all
          messages were correctly received and then delivered to the post office
          server.

          Why were those messages not blocked?

          What have I missed?

          thanks,

          rocsca
        • Sahil Tandon
          Message 4 of 17 , Jan 31, 2009
            On Sat, 31 Jan 2009, Rocco Scappatura wrote:

            > In smtpd_recipient_restrictions I put as first line:
            >
            > check_sender_access proxy:mysql:/etc/postfix/mysql-check-sender-access.cf
            >
            > The check looks up the database for an address or a domain and returns an
            > action (OK, REJECT, and so on).

            This sounds bad; you should not OK based on sender addresses which are easily
            spoofed. But without more information about your configuration, we can only
            guess.

            > Yesterday my server received a lot of messages for an email address in one
            > of the domains maintained by me. Say it is "receiver@...". Even if the
            > lookup for this email address is successful and returns REJECT, all
            > messages were correctly received and then delivered to the post office
            > server.
            >
            > Why were those messages not blocked?
            >
            > What have I missed?

            You missed an important part of this mailing list's welcome message:

            TO REPORT A PROBLEM see http://www.postfix.org/DEBUG_README.html#mail

            --
            Sahil Tandon <sahil@...>
          • Rocco Scappatura
            Message 5 of 17 , Jan 31, 2009
              Thanks,

              >> In smtpd_recipient_restrictions I put as first line:
              >>
              >> check_sender_access proxy:mysql:/etc/postfix/mysql-check-sender-access.cf
              >>
              >> The check looks up the database for an address or a domain and returns an
              >> action (OK, REJECT, and so on).
              >
              > This sounds bad; you should not OK based on sender addresses which are easily
              > spoofed. But without more information about your configuration, we can only
              > guess.

              Indeed, I never use OK.. :-)

              >> Yesterday my server received a lot of messages for an email address in one
              >> of the domains maintained by me. Say it is "receiver@...". Even if the
              >> lookup for this email address is successful and returns REJECT, all
              >> messages were correctly received and then delivered to the post office
              >> server.
              >>
              >> Why were those messages not blocked?
              >>
              >> What have I missed?
              >
              > You missed an important part of this mailing list's welcome message:
              >
              > TO REPORT A PROBLEM see http://www.postfix.org/DEBUG_README.html#mail
              >

              :-D

              alias_maps = hash:/etc/aliases
              anvil_rate_time_unit = 60s
              body_checks = regexp:/etc/postfix/body_checks
              bounce_size_limit = 1
              broken_sasl_auth_clients = yes
              command_directory = /usr/sbin
              config_directory = /etc/postfix
              content_filter = smtp-amavis:[127.0.0.1]:10024
              daemon_directory = /usr/libexec/postfix
              debug_peer_level = 2
              default_process_limit = 150
              header_checks = regexp:/etc/postfix/header_checks
              html_directory = no
              inet_interfaces = $myhostname, localhost
              local_recipient_maps = unix:passwd.byname $alias_maps
              mail_owner = postfix
              mail_spool_directory = /var/spool/mail
              mailq_path = /usr/bin/mailq
              manpage_directory = /usr/local/man
              message_size_limit = 35840000
              minimal_backoff_time = 1800s
              mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
              mydomain = av5.sttspa.it
              myhostname = av5.sttspa.it
              mynetworks = /etc/postfix/relayzahra2
              myorigin = $mydomain
              newaliases_path = /usr/bin/newaliases
              proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps
              $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains
              $relay_recipient_maps $relay_domains $canonical_maps
              $sender_canonical_maps $recipient_canonical_maps $relocated_maps
              $transport_maps $mynetworks
              proxy:mysql:/etc/postfix/mysql-check-recipient-access.cf
              proxy:mysql:/etc/postfix/mysql-check-client-access.cf
              proxy:mysql:/etc/postfix/mysql-check-sender-access.cf
              proxy:mysql:/etc/postfix/mysql-relay-recipients.cf
              proxy:mysql:/etc/postfix/mysql-transport.cf
              proxy:mysql:/etc/postfix/mysql-check-client-filter-access.cf
              queue_directory = /var/spool/postfix
              readme_directory = no
              relay_domains = proxy:mysql:/etc/postfix/mysql-relay-domains.cf
              relay_recipient_maps = proxy:mysql:/etc/postfix/mysql-relay-recipients.cf
              sample_directory = /etc/postfix
              sendmail_path = /usr/sbin/sendmail
              setgid_group = postdrop
              smtp_connect_timeout = 10s
              smtp_discard_ehlo_keyword_address_maps = hash:/etc/postfix/mta_workarounds
              smtpd_banner = $myhostname
              smtpd_client_connection_count_limit = 50
              smtpd_client_connection_rate_limit = 100
              smtpd_client_message_rate_limit = 60
              smtpd_client_recipient_rate_limit = 250
              smtpd_client_restrictions = check_client_access
              proxy:mysql:/etc/postfix/mysql-check-client-filter-access.cf
              smtpd_end_of_data_restrictions = check_policy_service inet:127.0.0.1:10031
              smtpd_helo_restrictions =
              smtpd_recipient_restrictions = check_sender_access
              proxy:mysql:/etc/postfix/mysql-check-sender-access.cf
              check_recipient_access
              proxy:mysql:/etc/postfix/mysql-check-recipient-access.cf
              check_client_access proxy:mysql:/etc/postfix/mysql-check-client-access.cf
              permit_mynetworks permit_sasl_authenticated
              check_policy_service inet:127.0.0.1:54000 reject_unauth_destination
              reject_non_fqdn_sender reject_non_fqdn_recipient
              reject_unlisted_sender reject_unlisted_recipient
              reject_unknown_sender_domain reject_invalid_hostname
              reject_rbl_client zen.spamhaus.org reject_rbl_client list.dsbl.org
              check_policy_service inet:127.0.0.1:10031
              smtpd_sasl_auth_enable = yes
              smtpd_sender_restrictions =
              strict_rfc821_envelopes = yes
              transport_maps = proxy:mysql:/etc/postfix/mysql-transport.cf
              unknown_local_recipient_reject_code = 550

              rocsca
            • mouss
              Message 6 of 17 , Feb 1, 2009
                Rocco Scappatura a écrit :
                > [snip]
                >
                > :-D
                >
                > [snip]

                dogs ate logs?

                - show logs that prove what you claimed
                - show 'postmap -q' results (for all the keys that postfix uses. see the
                man page of access for the lookup order).


                you also need to make up your mind: the subject contains
                "check_client_access", your question was about "check_sender_access",
                and your explanation was about a "receiver". That's 3 different things...


                PS. it would be safer to put your check_sender_access in
                smtpd_sender_restrictions so that an error in your sql query doesn't
                make you an open relay.
              • Rocco Scappatura
                Message 7 of 17 , Feb 1, 2009
                  Mouss,

                  >> [snip]
                  >>
                  >> :-D
                  >>
                  >> [snip]
                  >
                  > dogs ate logs?
                  >

                  Very cool from you.. as usual!

                  You have won a prize.. :-) <-- Is it ok so? ;-)

                  > - show logs that prove what you claimed

                  Feb 1 06:02:50 av5 postfix/smtpd[32172]: NOQUEUE: reject: RCPT from
                  unknown[83.103.67.197]: 550 5.1.1 <staff@...: Recipient address
                  rejected: undeliverable address: host
                  srvmailvb.domain.intranet[10.36.20.100] said: 550 5.1.1 User unknown (in
                  reply to RCPT TO command); from=<> to=<staff@...> proto=ESMTP
                  helo=<clus2.istge.it>

                  > - show 'postmap -q' results (for all the keys that postfix uses. see the
                  > man page of access for the lookup order).

                  Could you instruct me about the order in which postfix applies the restrictions
                  (you can see the "postconf" output in my previous email.. Thanks.)

                  Anyway,

                  # postmap -q staff@... proxy:mysql:/etc/postfix/mysql-check-sender-access.cf
                  REJECT

                  > you also need to make your mind: the subject contains
                  > "check_client_access". your question was about "check_sender_access",

                  OK. Sorry, I got my subject wrong..

                  > and your explanation was about a "receiver". That's 3 different things...

                  So.. What do I have to do to block a message based on the receiver?

                  > PS. it would be safer to put your check_sender_access in
                  > smtpd_sender_restrictions so that an error in your sql query doesn't
                  > make you an open relay.

                  Why is it safer? Could it have any side effect in my configuration? Thanks.

                  rocsca
                • mouss
                  Message 8 of 17 , Feb 1, 2009
                    Rocco Scappatura a écrit :
                    > Mouss,
                    >
                    >>> [snip]
                    >>>
                    >>> :-D
                    >>>
                    >>> [snip]
                    >> dogs ate logs?
                    >>
                    >
                    > Very cool from you.. as usual!
                    >
                    > You have won a prize.. :-) <-- Is it ok so? ;-)
                    >

                    depends on what the prize is :)


                    >> - show logs that prove what you claimed
                    >
                    > Feb 1 06:02:50 av5 postfix/smtpd[32172]: NOQUEUE: reject: RCPT from
                    > unknown[83.103.67.197]: 550 5.1.1 <staff@...: Recipient address
                    > rejected: undeliverable address: host
                    > srvmailvb.domain.intranet[10.36.20.100] said: 550 5.1.1 User unknown (in
                    > reply to RCPT TO command); from=<> to=<staff@...> proto=ESMTP
                    > helo=<clus2.istge.it>
                    >

                    so the sender is "<>". see below.

                    >> - show 'postmap -q' results (for all the keys that postfix uses. see the
                    >> man page of access for the lookup order).
                    >
                    > Could you instruct me about the order in which postfix applies the restrictions
                    > (you can see the "postconf" output in my previous email.. Thanks.)
                    >

                    From http://www.postfix.org/access.5.html, in the EMAIL ADDRESS PATTERNS
                    section, the order is:
                    user@domain
                    domain.tld
                    user@


                    so you would do
                    # postmap -q joe@... proxy:mysql:/....
                    # postmap -q domain.example proxy:mysql:/....
                    # postmap -q joe@ proxy:mysql:/....

                    > Anyway,
                    >
                    > # postmap -q staff@...
                    > proxy:mysql:/etc/postfix/mysql-check-sender-access.cf
                    > REJECT
                    >
                    >> you also need to make your mind: the subject contains
                    >> "check_client_access". your question was about "check_sender_access",
                    >
                    > OK. Sorry, I got my subject wrong..
                    >
                    >> and your explanation was about a "receiver". That's 3 different things...
                    >
                    > So.. What do I have to do to block a message based on the receiver?
                    >

                    check_recipient_access.

                    >> PS. it would be safer to put your check_sender_access in
                    >> smtpd_sender_restrictions so that an error in your sql query doesn't
                    >> make you an open relay.
                    >
                    > Why is it safer? Could it have any side effect in my configuration? Thanks.
                    >

                    it's ok if you don't return "OK" in your map (Annie, are you OK?). but
                    one day, you'll be tired and you'll add an entry to your map...

                    this is why it is generally safer to put check_*_access after
                    reject_unauth_destination in smtpd_recipient_restrictions, or to put
                    them in other restrictions (latter if you want them to apply to both
                    inbound and outbound mail).
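As an added illustration of the lookup order mouss quotes from access(5), here is a small Python model of the keys Postfix tries for an email address and for a client (the client order comes from the same man page: hostname, its parent domains, the IPv4 address, then shorter network prefixes). This is example code written for this page, not code from the thread or from Postfix; the tables, addresses and IPs are constructed. By default `parent_domain_matches_subdomains` includes `smtpd_access_maps`, so a bare `example.net` entry also matches `sub.example.net`, and the model follows that default. It also shows why the `postmap -q staff@...` against the sender map above was beside the point: the log line shows `from=<>`, and Postfix looks up the null sender under the key `<>` (the default `smtpd_null_access_lookup_key`), not under the recipient address.

```python
"""Model of the key order Postfix tries for access(5) table lookups.

Constructed dicts stand in for the hash:/mysql: maps in the thread; the
keys produced here are the ones to feed to 'postmap -q' when testing a
real map. Example code for this page, not Postfix's implementation.
"""

# Constructed sample tables (what a real access map would hold).
CLIENT_ACCESS = {
    "192.0.2": "OK",            # a whole /24 allowed by its prefix
    "198.51.100.7": "REJECT",   # one host blocked
}
SENDER_ACCESS = {
    "joe@example.com": "REJECT",   # one specific address
    "example.net": "REJECT",       # a domain and, by default, its subdomains
    "bounce@": "REJECT",           # this local part at any domain
    "<>": "DUNNO",                 # the null sender (MAIL FROM:<>)
}

NULL_SENDER_KEY = "<>"   # default value of smtpd_null_access_lookup_key


def domain_and_parents(domain):
    """'mail.example.com' -> ['mail.example.com', 'example.com', 'com']."""
    labels = domain.lower().split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


def email_lookup_keys(address):
    """Keys in the order access(5) tries them for an email address:
    user@domain, the domain, its parent domains, then user@."""
    if address == "":
        return [NULL_SENDER_KEY]
    local, sep, domain = address.rpartition("@")
    if not sep:  # no domain part: only the string itself can match
        return [address.lower()]
    return [address.lower(), *domain_and_parents(domain), local.lower() + "@"]


def client_lookup_keys(hostname, ipv4):
    """Keys for a connecting client: hostname and its parent domains (skipped
    when reverse DNS failed and the name is 'unknown'), then the IPv4 address
    and shorter prefixes (1.2.3.4, 1.2.3, 1.2, 1). IPv6 is not modelled."""
    keys = domain_and_parents(hostname) if hostname and hostname != "unknown" else []
    octets = ipv4.split(".")
    keys += [".".join(octets[:n]) for n in range(len(octets), 0, -1)]
    return keys


def lookup(table, keys):
    """First key present wins, like a Postfix table lookup. None means no
    match, which makes the check_*_access restriction answer DUNNO."""
    for key in keys:
        if key in table:
            return table[key]
    return None


def postmap_q(table, keys):
    """Mimic running 'postmap -q KEY table' for every candidate key, so you
    can see which key (if any) produced the result."""
    return [(key, table.get(key)) for key in keys]


if __name__ == "__main__":
    print(postmap_q(CLIENT_ACCESS, client_lookup_keys("unknown", "192.0.2.25")))
    print(postmap_q(SENDER_ACCESS, email_lookup_keys("anyone@sub.example.net")))
    print(email_lookup_keys(""))   # the null sender is looked up as '<>'
```

When a lookup "works" in `postmap -q` but the restriction does not fire, compare the key you tested with the key Postfix actually derived from the session: the sender map is consulted with the MAIL FROM address (here `<>`), never with the RCPT TO address.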
                  • Rocco Scappatura
                    Message 9 of 17 , Feb 1, 2009
                      Mouss,

                      >>> and your explanation was about a "receiver". That's 3 different
                      >>> things...
                      >>
                      >> So.. What I have to do to block a message based on the receiver?
                      >>
                      >
                      > check_recipient_access.
                      >
                      >>> PS. it would be safer to put your check_sender_access in
                      >>> smtpd_sender_restrictions so that an error in your sql query doesn't
                      >>> make you an open relay.
                      >>
                      >> Why is safer? Could have any side effect in my configuration? Thanks.
                      >>
                      >
                      > it's ok if you don't return "OK" in your map (Annie, are you OK?). but
                      > one day, you'll be tired and you'll add an entry to your map...
                      >
                      > this is why it is generally safer to put check_*_access after
                      > reject_unauth_destination in smtpd_recipient_restrictions, or to put
                      > them in other restrictions (latter if you want them to apply to both
                      > inbound and outbound mail).

                      These are the restrictions in my main.cf file:

                      smtpd_client_restrictions =
                      check_client_access
                      proxy:mysql:/etc/postfix/mysql-check-client-filter-access.cf

                      smtpd_helo_restrictions =
                      smtpd_sender_restrictions =

                      smtpd_recipient_restrictions =
                      check_sender_access proxy:mysql:/etc/postfix/mysql-check-sender-access.cf
                      check_recipient_access
                      proxy:mysql:/etc/postfix/mysql-check-recipient-access.cf
                      check_client_access proxy:mysql:/etc/postfix/mysql-check-client-access.cf
                      permit_mynetworks
                      permit_sasl_authenticated
                      check_policy_service inet:127.0.0.1:54000
                      reject_unauth_destination
                      .
                      .
                      .

                      How do I have to modify it so that I could block an email address whether
                      it is the sender or one of the recipients, AND whether the message is
                      incoming or outgoing?

                      Maybe so (assuming that the action will never be "OK")...

                      smtpd_client_restrictions =
                      check_client_access
                      proxy:mysql:/etc/postfix/mysql-check-client-filter-access.cf

                      smtpd_helo_restrictions =
                      smtpd_sender_restrictions =
                      check_sender_access proxy:mysql:/etc/postfix/mysql-check-sender-access.cf
                      check_recipient_access
                      proxy:mysql:/etc/postfix/mysql-check-sender-access.cf

                      smtpd_recipient_restrictions =
                      check_recipient_access
                      proxy:mysql:/etc/postfix/mysql-check-recipient-access.cf
                      check_client_access proxy:mysql:/etc/postfix/mysql-check-client-access.cf
                      permit_mynetworks
                      permit_sasl_authenticated
                      check_policy_service inet:127.0.0.1:54000
                      reject_unauth_destination
                      .
                      .
                      .

                      Or do you have another configuration to propose that is safer?

                      rocsca
                    • mouss
                      Message 10 of 17 , Feb 1, 2009
                        Rocco Scappatura a écrit :
                        >
                        >
                        > Mouss,
                        >
                        >>>> and your explanation was about a "receiver". That's 3 different
                        >>>> things...
                        >>> So.. What I have to do to block a message based on the receiver?
                        >>>
                        >> check_recipient_access.
                        >>
                        >>>> PS. it would be safer to put your check_sender_access in
                        >>>> smtpd_sender_restrictions so that an error in your sql query doesn't
                        >>>> make you an open relay.
                        >>> Why is safer? Could have any side effect in my configuration? Thanks.
                        >>>
                        >> it's ok if you don't return "OK" in your map (Annie, are you OK?). but
                        >> one day, you'll be tired and you'll add an entry to your map...
                        >>
                        >> this is why it is generally safer to put check_*_access after
                        >> reject_unauth_destination in smtpd_recipient_restrictions, or to put
                        >> them in other restrictions (latter if you want them to apply to both
                        >> inbound and outbound mail).
                        >
                        > These are the restrictions in my main.cf file:
                        >
                        > smtpd_client_restrictions =
                        > check_client_access
                        > proxy:mysql:/etc/postfix/mysql-check-client-filter-access.cf
                        >
                        > smtpd_helo_restrictions =
                        > smtpd_sender_restrictions =
                        >
                        > smtpd_recipient_restrictions =
                        > check_sender_access proxy:mysql:/etc/postfix/mysql-check-sender-access.cf
                        > check_recipient_access
                        > proxy:mysql:/etc/postfix/mysql-check-recipient-access.cf
                        > check_client_access proxy:mysql:/etc/postfix/mysql-check-client-access.cf
                        > permit_mynetworks
                        > permit_sasl_authenticated
                        > check_policy_service inet:127.0.0.1:54000
                        > reject_unauth_destination
                        > .
                        > .
                        > .
                        >
                        > How do I have to modify it so that I could block an email address whether
                        > it is the sender or one of the recipients, AND whether the message is
                        > incoming or outgoing?
                        >
                        > Maybe so (assuming that the action will never be "OK")...
                        >
                        > smtpd_client_restrictions =
                        > check_client_access
                        > proxy:mysql:/etc/postfix/mysql-check-client-filter-access.cf
                        >
                        > smtpd_helo_restrictions =
                        > smtpd_sender_restrictions =
                        > check_sender_access proxy:mysql:/etc/postfix/mysql-check-sender-access.cf
                        > check_recipient_access
                        > proxy:mysql:/etc/postfix/mysql-check-sender-access.cf
                        >
                        > smtpd_recipient_restrictions =
                        > check_recipient_access
                        > proxy:mysql:/etc/postfix/mysql-check-recipient-access.cf

                        this one is already in smtpd_sender_restrictions, so just remove it

                        > check_client_access proxy:mysql:/etc/postfix/mysql-check-client-access.cf

                        what's this for? it's already in smtpd_client_restrictions, so you may
                        or may not need it here.


                        > permit_mynetworks
                        > permit_sasl_authenticated
                        > check_policy_service inet:127.0.0.1:54000

                        what's this for? you probably want to put this after
                        reject_unauth_destination.

                        remember: reject_unauth_destination is what prevents open relay. so
                        avoid putting a lot of stuff before it, because you increase the risks.

                        and reject_unauth_destination is a very safe and very cheap check, so it's
                        good to have it as soon as possible.

                        > reject_unauth_destination
                        > .
                        > .
                        > .
                        >
                        > Or do you have another configuration to propose that is safer?
                        >

                        see above.

                        as a general "rule of thumb", put anti-spam checks (I'm talking about
                        inbound spam. outbound spam is a different subject) after
                        reject_unauth_destination, and put "general restrictions" (that also
                        apply to your users) in one of smtpd_(client|helo|sender)_restrictions.
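The ordering rule mouss gives above, and Hans's original "allow a few client IPs, reject the rest" question, both come down to how smtpd walks a restriction list: restrictions run in the order listed, the first one that answers OK or REJECT decides, DUNNO passes to the next one, and an exhausted list permits. The Python below is an added toy model of that evaluation, not code from the thread or from Postfix; the IPs, addresses and domains are constructed, and exact-match dicts stand in for the hash:/mysql: tables. It runs Hans's list, then the same forged-sender relay attempt against a sender map containing an "OK" placed before and after reject_unauth_destination, and against a map that only ever returns REJECT.

```python
"""Toy model of smtpd restriction-list evaluation (example for this page).

Restrictions run in order; the first OK or REJECT decides the RCPT TO,
DUNNO moves on to the next restriction, an exhausted list permits.
"""
from dataclasses import dataclass


@dataclass
class Session:
    client_ip: str
    sender: str          # MAIL FROM address
    recipient: str       # RCPT TO address
    sasl_authenticated: bool = False


# Constructed site data: who may relay, and which domains we accept mail for.
MYNETWORKS = {"127.0.0.1", "192.0.2.10"}
LOCAL_OR_RELAY_DOMAINS = {"example.com"}   # mydestination + relay_domains


def _domain(address):
    return address.rpartition("@")[2].lower()


# Each restriction returns "OK", "REJECT" or "DUNNO" (no opinion).
def permit_mynetworks(s):
    return "OK" if s.client_ip in MYNETWORKS else "DUNNO"


def permit_sasl_authenticated(s):
    return "OK" if s.sasl_authenticated else "DUNNO"


def reject_unauth_destination(s):
    # Never permits anything; only refuses mail for domains we do not handle.
    return "DUNNO" if _domain(s.recipient) in LOCAL_OR_RELAY_DOMAINS else "REJECT"


def reject(s):
    return "REJECT"


def check_client_access(table):
    def restriction(s):
        return table.get(s.client_ip, "DUNNO")
    restriction.__name__ = "check_client_access"
    return restriction


def check_sender_access(table):
    def restriction(s):
        return table.get(s.sender.lower(), "DUNNO")
    restriction.__name__ = "check_sender_access"
    return restriction


def evaluate(restrictions, session):
    """Return (verdict, name of the restriction that decided it)."""
    for restriction in restrictions:
        verdict = restriction(session)
        if verdict != "DUNNO":
            return verdict, restriction.__name__
    return "OK", "end of list"   # nothing matched: implicit permit


# Hans's case: a short allow-list of client IPs, then reject everything else.
ALLOWED_CLIENTS = {"192.0.2.25": "OK", "192.0.2.26": "OK"}
CLIENT_ALLOWLIST_ONLY = [check_client_access(ALLOWED_CLIENTS), reject]

# mouss's point: an "OK" in a sender map placed before reject_unauth_destination
# lets anyone who forges that sender relay through the server.
SENDER_MAP_WITH_OK = {"partner@example.org": "OK", "spammer@example.test": "REJECT"}
SENDER_MAP_REJECT_ONLY = {"spammer@example.test": "REJECT"}

RISKY_ORDER = [check_sender_access(SENDER_MAP_WITH_OK), permit_mynetworks,
               reject_unauth_destination]
SAFER_ORDER = [permit_mynetworks, reject_unauth_destination,
               check_sender_access(SENDER_MAP_WITH_OK)]
REJECT_ONLY_FIRST = [check_sender_access(SENDER_MAP_REJECT_ONLY), permit_mynetworks,
                     reject_unauth_destination]


def scenarios():
    # A stranger forging the whitelisted sender and aiming at an outside domain.
    stranger_relaying = Session("203.0.113.7", "partner@example.org", "victim@example.net")
    return {
        "allowed client": evaluate(CLIENT_ALLOWLIST_ONLY,
                                   Session("192.0.2.25", "a@b.test", "c@example.com")),
        "other client": evaluate(CLIENT_ALLOWLIST_ONLY,
                                 Session("203.0.113.7", "a@b.test", "c@example.com")),
        "risky order, forged sender": evaluate(RISKY_ORDER, stranger_relaying),
        "safer order, forged sender": evaluate(SAFER_ORDER, stranger_relaying),
        "reject-only map first": evaluate(REJECT_ONLY_FIRST, stranger_relaying),
        "reject-only map first, blocked sender": evaluate(
            REJECT_ONLY_FIRST, Session("203.0.113.7", "spammer@example.test", "c@example.com")),
    }


if __name__ == "__main__":
    for name, (verdict, decided_by) in scenarios().items():
        print(f"{name:40s} {verdict:6s} ({decided_by})")
```

The "risky order" row is the open relay mouss warns about: the forged sender hits the OK entry before reject_unauth_destination ever runs. The same map placed after reject_unauth_destination, or a map that never returns OK, cannot produce that outcome, which is exactly his "it's ok if you don't return OK in your map... but one day" remark.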
                      • Rocco Scappatura
                        Message 11 of 17 , Feb 1, 2009
                          >> How do I have to modify it so that I could block an email address whether
                          >> it is the sender or one of the recipients, AND whether the message is
                          >> incoming or outgoing?
                          >>
                          >> Maybe so (assuming that the action will never be "OK")...
                          >>
                          >> smtpd_client_restrictions =
                          >> check_client_access
                          >> proxy:mysql:/etc/postfix/mysql-check-client-filter-access.cf
                          >>
                          >> smtpd_helo_restrictions =
                          >> smtpd_sender_restrictions =
                          >> check_sender_access
                          >> proxy:mysql:/etc/postfix/mysql-check-sender-access.cf
                          >> check_recipient_access
                          >> proxy:mysql:/etc/postfix/mysql-check-sender-access.cf
                          >>
                          >> smtpd_recipient_restrictions =
                          >> check_recipient_access
                          >> proxy:mysql:/etc/postfix/mysql-check-recipient-access.cf
                          >
                          > this one is already in smtpd_sender_restrictions, so just remove it
                          >

                          I can't remove it because this lookup returns "reject_unverified_address"
                          for the domains that I maintain but for which I have no list of valid
                          recipients:

                          query = select restriction from domain where domain='%s'

                          maybe I could put both lookups in smtpd_sender_restrictions?

                          check_recipient_access
                          proxy:mysql:/etc/postfix/mysql-check-sender-access.cf,
                          proxy:mysql:/etc/postfix/mysql-check-sender-access.cf

                          is it ok?

                          >> check_client_access
                          >> proxy:mysql:/etc/postfix/mysql-check-client-access.cf
                          >
                          > what's this for? it's already in smtpd_client_restrictions, so you may
                          > or may not need it here.

                          It integrates mynetworks (i.e.: returns "OK" if an IP is enabled to relay
                          through my SMTP gateway). I need it.

                          >
                          >> permit_mynetworks
                          >> permit_sasl_authenticated
                          >> check_policy_service inet:127.0.0.1:54000
                          >
                          > what's this for? you probably want to put this after
                          > reject_unauth_destination.

                          postgrey

                          >
                          > remember: reject_unauth_destination is what prevents open relay. so
                          > avoid putting a lot of stuff before it, because you increase the risks.
                          >
                          > and reject_unauth_destination is a very safe a very cheap check, so it's
                          > good to have it as soon as possible.
                          >
                          >> reject_unauth_destination
                          >> .
                          >> .
                          >> .
                          >>
                          >> Or do you have another configuration to propose that is safer?
                          >>
                          >
                          > see above.
                          >
                          > as a general "rule of thumb", put anti-spam checks (I'm talking about
                          > inbound spam. outbound spam is a different subject) after
                          > reject_unauth_destination, and put "general restrictions" (that also
                          > apply to your users) in one of smtpd_(client|helo|sender)_restrictions.

                          thanks,

                          rocsca
                        • Rocco Scappatura
                          Message 12 of 17 , Feb 1, 2009
                          • 0 Attachment
                            Sorry,

                            >>> How do I have to modify it so that I could block an email address
                            >>> either
                            >>> if is the sender or one of the recipients, AND either if the message is
                            >>> incoming or outgoing?
                            >>>
                            >>> Maybe so (assuming that the action will never be "OK")...
                            >>>
                            >>> smtpd_client_restrictions =
                            >>> check_client_access
                            >>> proxy:mysql:/etc/postfix/mysql-check-client-filter-access.cf
                            >>>
                            >>> smtpd_helo_restrictions =
                            >>> smtpd_sender_restrictions =
                            >>> check_sender_access
                            >>> proxy:mysql:/etc/postfix/mysql-check-sender-access.cf
                            >>> check_recipient_access
                            >>> proxy:mysql:/etc/postfix/mysql-check-sender-access.cf
                            >>>
                            >>> smtpd_recipient_restrictions =
                            >>> check_recipient_access
                            >>> proxy:mysql:/etc/postfix/mysql-check-recipient-access.cf
                            >>
                            >> this one is already in smtpd_sender_restrictions, so just remove it
                            >>
                            >
                            > I can't remove it because this lookup returns "reject_unverified_address"
                            > for the domains that I maintain but for which I have no list of valid
                            > recipients:
                            >
                            > query = select restriction from domain where domain='%s'
                            >
                            > maybe could I put both lookups in smtpd_sender_restrictions?
                            >
                            > check_recipient_access
                            > proxy:mysql:/etc/postfix/mysql-check-sender-access.cf,
                            > proxy:mysql:/etc/postfix/mysql-check-sender-access.cf

                            I'm saying:

                            check_recipient_access
                            proxy:mysql:/etc/postfix/mysql-check-sender-access.cf,
                            proxy:mysql:/etc/postfix/mysql-check-recipient-access.cf

                            >
                            > is it ok?
                            >
                            >>> check_client_access
                            >>> proxy:mysql:/etc/postfix/mysql-check-client-access.cf
                            >>
                            >> what's this for? it's already in smtpd_client_restrictions, so you may
                            >> or may not need it here.
                            >
                            > It integrates mynetworks (i.e.: return "OK" if an IP is enabled to relay
                            > through my SMTP gateway). I need it.
                            >
                            >>
                            >>> permit_mynetworks
                            >>> permit_sasl_authenticated
                            >>> check_policy_service inet:127.0.0.1:54000
                            >>
                            >> what's this for? you probably want to put this after
                            >> reject_unauth_destination.
                            >
                            > postgrey
                            >
                            >>
                            >> remember: reject_unauth_destination is what prevents open relay. so
                            >> avoid putting a lot of stuff before it, because you increase the risks.
                            >>
                            >> and reject_unauth_destination is a very safe and very cheap check, so it's
                            >> good to have it as soon as possible.
                            >>
                            >>> reject_unauth_destination
                            >>> .
                            >>> .
                            >>> .
                            >>>
                            >>> Or you have another configuration to propose that is safer?
                            >>>
                            >>
                            >> see above.
                            >>
                            >> as a general "rule of thumb", put anti-spam checks (I'm talking about
                            >> inbound spam. outbound spam is a different subject) after
                            >> reject_unauth_destination, and put "general restrictions" (that also
                            >> apply to your users) in one of smtpd_(client|helo|sender)_restrictions.
                            >
                            > thanks,
                            >
                            > rocsca
                            >
                            >
                          • mouss
                            Message 13 of 17 , Feb 1, 2009
                              Rocco Scappatura a écrit :
                              >
                              > Sorry,
                              >
                              >>>> How do I have to modify it so that I could block an email address
                              >>>> either
                              >>>> if is the sender or one of the recipients, AND either if the message is
                              >>>> incoming or outgoing?
                              >>>>
                              >>>> Maybe so (assuming that the action will never be "OK")...
                              >>>>
                              >>>> smtpd_client_restrictions =
                              >>>> check_client_access
                              >>>> proxy:mysql:/etc/postfix/mysql-check-client-filter-access.cf
                              >>>>
                              >>>> smtpd_helo_restrictions =
                              >>>> smtpd_sender_restrictions =
                              >>>> check_sender_access
                              >>>> proxy:mysql:/etc/postfix/mysql-check-sender-access.cf
                              >>>> check_recipient_access
                              >>>> proxy:mysql:/etc/postfix/mysql-check-sender-access.cf
                              >>>>
                              >>>> smtpd_recipient_restrictions =
                              >>>> check_recipient_access
                              >>>> proxy:mysql:/etc/postfix/mysql-check-recipient-access.cf
                              >>> this one is already in smtpd_sender_restrictions, so just remove it
                              >>>
                              >> I can't remove it

                              sorry, I didn't notice that it was a different map.

                              > because this lookup returns "reject_unverified_address"
                              >> for the domains that I maintain but for which I have no list of valid
                              >> recipients:
                              >>
                              >> query = select restriction from domain where domain='%s'
                              >>
                              >> maybe could I put both lookups in smtpd_sender_restrictions?
                              >>

                              yes.

                              >> check_recipient_access
                              >> proxy:mysql:/etc/postfix/mysql-check-sender-access.cf,
                              >> proxy:mysql:/etc/postfix/mysql-check-sender-access.cf
                              >
                              > I'm saying:
                              >
                              > check_recipient_access
                              > proxy:mysql:/etc/postfix/mysql-check-sender-access.cf,
                              > proxy:mysql:/etc/postfix/mysql-check-recipient-access.cf
                              >

                              check_foo_access checks only one map. so you need to do it like this:

                              check_recipient_access
                              proxy:mysql:/etc/postfix/mysql-check-sender-access.cf
                              check_recipient_access
                              proxy:mysql:/etc/postfix/mysql-check-recipient-access.cf


                              >> is it ok?
                              >>
                              >>>> check_client_access
                              >>>> proxy:mysql:/etc/postfix/mysql-check-client-access.cf
                              >>> what's this for? it's already in smtpd_client_restrictions, so you may
                              >>> or may not need it here.
                              >> It integrates mynetworks (i.e.: return "OK" if an IP is enabled to relay
                              >> through my SMTP gateway). I need it.
                              >>

                              that's ok.

                              >>>> permit_mynetworks
                              >>>> permit_sasl_authenticated
                              >>>> check_policy_service inet:127.0.0.1:54000
                              >>> what's this for? you probably want to put this after
                              >>> reject_unauth_destination.
                              >> postgrey
                              >>

                              then put it at the end. no point to greylist a relay attempt.

                              >>> remember: reject_unauth_destination is what prevents open relay. so
                              >>> avoid putting a lot of stuff before it, because you increase the risks.
                              >>>
                              >>> and reject_unauth_destination is a very safe and very cheap check, so it's
                              >>> good to have it as soon as possible.
                              >>>
                              >>>> reject_unauth_destination
                              >>>> .
                              >>>> .
                              >>>> .
                              >>>>
                              >>>> Or you have another configuration to propose that is safer?
                              >>>>
                              >>> see above.
                              >>>
                              >>> as a general "rule of thumb", put anti-spam checks (I'm talking about
                              >>> inbound spam. outbound spam is a different subject) after
                              >>> reject_unauth_destination, and put "general restrictions" (that also
                              >>> apply to your users) in one of smtpd_(client|helo|sender)_restrictions.
                              >> thanks,
                              >>
                              >> rocsca
                              >>
                              >>
                              >
                              >
                            • Rocco Scappatura
                              Message 14 of 17 , Feb 1, 2009
                                Mouss,

                                >>>>> How do I have to modify it so that I could block an email address
                                >>>>> either
                                >>>>> if is the sender or one of the recipients, AND either if the message
                                >>>>> is
                                >>>>> incoming or outgoing?
                                >>>>>
                                >>>>> Maybe so (assuming that the action will never be "OK")...
                                >>>>>
                                >>>>> smtpd_client_restrictions =
                                >>>>> check_client_access
                                >>>>> proxy:mysql:/etc/postfix/mysql-check-client-filter-access.cf
                                >>>>>
                                >>>>> smtpd_helo_restrictions =
                                >>>>> smtpd_sender_restrictions =
                                >>>>> check_sender_access
                                >>>>> proxy:mysql:/etc/postfix/mysql-check-sender-access.cf
                                >>>>> check_recipient_access
                                >>>>> proxy:mysql:/etc/postfix/mysql-check-sender-access.cf
                                >>>>>
                                >>>>> smtpd_recipient_restrictions =
                                >>>>> check_recipient_access
                                >>>>> proxy:mysql:/etc/postfix/mysql-check-recipient-access.cf
                                >>>> this one is already in smtpd_sender_restrictions, so just remove it
                                >>>>
                                >>> I can't remove it
                                >
                                > sorry, I didn't notice that it was a different map.
                                >
                                >> because this lookup returns "reject_unverified_address"
                                >>> for the domains that I maintain but for which I have no list of valid
                                >>> recipients:
                                >>>
                                >>> query = select restriction from domain where domain='%s'
                                >>>
                                >>> maybe could I put both lookups in smtpd_sender_restrictions?
                                >>>
                                >
                                > yes.
                                >
                                >>> check_recipient_access
                                >>> proxy:mysql:/etc/postfix/mysql-check-sender-access.cf,
                                >>> proxy:mysql:/etc/postfix/mysql-check-sender-access.cf
                                >>
                                >> I'm saying:
                                >>
                                >> check_recipient_access
                                >> proxy:mysql:/etc/postfix/mysql-check-sender-access.cf,
                                >> proxy:mysql:/etc/postfix/mysql-check-recipient-access.cf
                                >>
                                >
                                > check_foo_access checks only one map. so you need to do it like this:
                                >
                                > check_recipient_access
                                > proxy:mysql:/etc/postfix/mysql-check-sender-access.cf
                                > check_recipient_access
                                > proxy:mysql:/etc/postfix/mysql-check-recipient-access.cf
                                >
                                >
                                >>> is it ok?
                                >>>
                                >>>>> check_client_access
                                >>>>> proxy:mysql:/etc/postfix/mysql-check-client-access.cf
                                >>>> what's this for? it's already in smtpd_client_restrictions, so you may
                                >>>> or may not need it here.
                                >>> It integrates mynetworks (i.e.: return "OK" if an IP is enabled to relay
                                >>> through my SMTP gateway). I need it.
                                >>>
                                >
                                > that's ok.
                                >
                                >>>>> permit_mynetworks
                                >>>>> permit_sasl_authenticated
                                >>>>> check_policy_service inet:127.0.0.1:54000
                                >>>> what's this for? you probably want to put this after
                                >>>> reject_unauth_destination.
                                >>> postgrey
                                >>>
                                >
                                > then put it at the end. no point to greylist a relay attempt.
                                >
                                >>>> remember: reject_unauth_destination is what prevents open relay. so
                                >>>> avoid putting a lot of stuff before it, because you increase the
                                >>>> risks.
                                >>>>
                                >>>> and reject_unauth_destination is a very safe and very cheap check, so
                                >>>> it's
                                >>>> good to have it as soon as possible.
                                >>>>
                                >>>>> reject_unauth_destination
                                >>>>> .
                                >>>>> .
                                >>>>> .
                                >>>>>
                                >>>>> Or you have another configuration to propose that is safer?
                                >>>>>
                                >>>> see above.
                                >>>>
                                >>>> as a general "rule of thumb", put anti-spam checks (I'm talking about
                                >>>> inbound spam. outbound spam is a different subject) after
                                >>>> reject_unauth_destination, and put "general restrictions" (that also
                                >>>> apply to your users) in one of
                                >>>> smtpd_(client|helo|sender)_restrictions.

                                All works fine.. Annie is OK! ;-)

                                Thanks,

                                rocsca
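The ordering advice in the exchange above (relay check early, greylisting after it, an access-map OK short-circuiting everything behind it), as an added example that is not code from the thread or from Postfix: a small Python model of first-match evaluation over smtpd_recipient_restrictions. It assumes the documented OK/REJECT/DUNNO semantics with an implicit permit at the end of the list; every IP, domain and map entry is constructed sample data standing in for rocsca's MySQL maps and the postgrey policy service.

```python
"""Model of first-match evaluation over smtpd_recipient_restrictions.

Added example, not code from the thread or from Postfix. Each restriction
answers OK, REJECT or DUNNO (no opinion); the first OK or REJECT decides,
and a list that ends with only DUNNOs permits. All data is constructed.
"""
from dataclasses import dataclass, field

RELAY_DOMAINS = {"example.com", "example.net"}        # domains this server accepts mail for
MYNETWORKS = {"127.0.0.1", "192.0.2.10"}              # constructed trusted client IPs
CLIENT_ACCESS = {"198.51.100.5": "OK"}                # stand-in for the MySQL client map (OK = may relay)
RECIPIENT_ACCESS = {"blocked@example.com": "REJECT"}  # stand-in for the MySQL recipient map


@dataclass
class Session:
    client_ip: str
    sender: str
    recipient: str
    sasl_authenticated: bool = False
    policy_calls: list = field(default_factory=list)  # policy-service lookups made so far


def rcpt_domain(addr):
    return addr.rsplit("@", 1)[-1].lower()

def permit_mynetworks(s):
    return "OK" if s.client_ip in MYNETWORKS else "DUNNO"

def permit_sasl_authenticated(s):
    return "OK" if s.sasl_authenticated else "DUNNO"

def check_client_access(s):
    return CLIENT_ACCESS.get(s.client_ip, "DUNNO")

def check_recipient_access(s):
    return RECIPIENT_ACCESS.get(s.recipient.lower(), "DUNNO")

def reject_unauth_destination(s):
    # The relay check: refuse recipients in domains this server is not responsible for.
    return "DUNNO" if rcpt_domain(s.recipient) in RELAY_DOMAINS else "REJECT"

def check_policy_service(s):
    # Stand-in for postgrey: note that it was consulted, then leave the decision to later checks.
    s.policy_calls.append("inet:127.0.0.1:54000")
    return "DUNNO"

def evaluate(restrictions, s):
    """Return (verdict, name of the deciding restriction) for one RCPT TO."""
    for r in restrictions:
        verdict = r(s)
        if verdict != "DUNNO":
            return verdict, r.__name__
    return "OK", "end-of-list"

# rocsca's posted order (policy service ahead of the relay check) and mouss's correction.
POLICY_BEFORE_RELAY_CHECK = [check_client_access, permit_mynetworks, permit_sasl_authenticated,
                             check_policy_service, reject_unauth_destination, check_recipient_access]
POLICY_AFTER_RELAY_CHECK = [check_client_access, permit_mynetworks, permit_sasl_authenticated,
                            reject_unauth_destination, check_recipient_access, check_policy_service]

def demo():
    """Evaluate constructed sessions under both orders; returns {label: outcome}."""
    out = {}
    # Unknown client trying to relay to a foreign domain: rejected either way,
    # but the first order spends a greylist lookup on it first (third field).
    relay_attempt = dict(client_ip="203.0.113.9", sender="x@elsewhere.example",
                         recipient="victim@other.example")
    for label, order in (("before", POLICY_BEFORE_RELAY_CHECK), ("after", POLICY_AFTER_RELAY_CHECK)):
        s = Session(**relay_attempt)
        verdict, by = evaluate(order, s)
        out[label] = (verdict, by, len(s.policy_calls))
    # Client listed OK in the access map: permitted before the relay check is reached.
    s = Session(client_ip="198.51.100.5", sender="u@example.com", recipient="someone@other.example")
    out["mapped_client"] = evaluate(POLICY_AFTER_RELAY_CHECK, s)
    # Blocked address in a domain we host: the recipient map rejects after the relay check passes.
    s = Session(client_ip="203.0.113.9", sender="x@elsewhere.example", recipient="blocked@example.com")
    out["blocked_rcpt"] = evaluate(POLICY_AFTER_RELAY_CHECK, s)
    return out
```

A map entry that returns OK for a client lets that client relay anywhere, exactly as permit_mynetworks would, so the access map is part of the relay policy and deserves the same review as mynetworks itself.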
                              • Tolga
                                Message 15 of 17 , Jul 22, 2012
                                  Hi,

                                  I have put this line in my main.cf

                                  check_client_access = cidr:/etc/postfix/sinokorea.cidr

                                  I then restarted postfix, but I can't see it in postconf -n. How come?

                                  For reference: my postconf -n output is:

                                  [root@vps ~]# postconf -n
                                  alias_database = hash:/etc/aliases
                                  alias_maps = hash:/etc/aliases
                                  append_dot_mydomain = no
                                  biff = no
                                  broken_sasl_auth_clients = yes
                                  config_directory = /etc/postfix
                                  html_directory = /usr/share/doc/postfix/html
                                  inet_interfaces = all
                                  mailbox_command = procmail -a "$EXTENSION"
                                  mailbox_size_limit = 0
                                  mydestination = localhost
                                  myhostname = mail.bilgisayarciniz.org
                                  mynetworks = 127.0.0.0/8 127.0.0.2/32 109.232.0.0/16
                                  myorigin = /etc/mailname
                                  readme_directory = /usr/share/doc/postfix
                                  recipient_delimiter = +
                                  relayhost =
                                  smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
                                  smtpd_recipient_restrictions = permit_sasl_authenticated,
                                  permit_mynetworks, reject_unauth_destination,
                                  reject_non_fqdn_hostname, reject_non_fqdn_sender,
                                  reject_non_fqdn_recipient, reject_unauth_pipelining,
                                  reject_invalid_hostname, reject_rbl_client sbl.spamhaus.org,
                                  reject_rbl_client xbl.spamhaus.org
                                  smtpd_sasl_auth_enable = yes
                                  smtpd_sasl_local_domain = $myhostname
                                  smtpd_sasl_path = private/auth
                                  smtpd_sasl_security_options = noanonymous
                                  smtpd_sasl_type = dovecot
                                  virtual_alias_maps = mysql:/etc/postfix/mysql_virtual_alias_maps.cf
                                  virtual_gid_maps = static:5000
                                  virtual_mailbox_base = /srv/vmail
                                  virtual_mailbox_domains = mysql:/etc/postfix/mysql_virtual_domains_maps.cf
                                  virtual_mailbox_maps = mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
                                  virtual_minimum_uid = 100
                                  virtual_transport = virtual
                                  virtual_uid_maps = static:5000

                                  Regards,
                                • Wietse Venema
                                  Message 16 of 17 , Jul 22, 2012
                                    Tolga:
                                    > Hi,
                                    >
                                    > I have put this line in my main.cf
                                    >
                                    > check_client_access = cidr:/etc/postfix/sinokorea.cidr

                                    In Postfix 2.9, this will result in a warning:

                                    postconf: warning: /etc/postfix/main.cf: unused parameter: check_client_access=cidr:/etc/postfix/sinokorea.cidr

                                    And indeed check_client_access is not a parameter name. Instead, it
                                    is used inside smtpd_recipient(etc) restrictions.

                                    Wietse
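Wietse's point, that check_client_access is a restriction and not a main.cf parameter, can be turned into a pre-deployment check. This is an added example, not part of the thread and not Postfix's own tooling (postconf already warns about unused parameters, as Wietse says): it parses a constructed main.cf excerpt modelled on Tolga's postconf output, flags restriction names used as parameters, and moves them into smtpd_recipient_restrictions after reject_unauth_destination, following mouss's ordering advice earlier in the thread. The restriction-name list and the comma-separated list format are assumptions.

```python
"""Flag restriction names used as main.cf parameters and relocate them.

Added example, not part of the thread and not Postfix's own tooling. It
assumes a comma-separated restriction list and the restriction names below
(those seen in this thread; Postfix defines more).
"""

RESTRICTIONS = {
    "check_client_access", "check_helo_access", "check_sender_access",
    "check_recipient_access", "check_policy_service", "permit_mynetworks",
    "permit_sasl_authenticated", "reject_unauth_destination", "reject_rbl_client",
    "reject_non_fqdn_hostname", "reject_non_fqdn_sender", "reject_non_fqdn_recipient",
    "reject_unauth_pipelining", "reject_invalid_hostname", "permit", "reject",
}

# Constructed main.cf excerpt modelled on Tolga's postconf -n output.
SAMPLE_MAIN_CF = """\
# constructed sample, not a real configuration
mydestination = localhost
check_client_access = cidr:/etc/postfix/sinokorea.cidr
smtpd_recipient_restrictions = permit_sasl_authenticated,
    permit_mynetworks, reject_unauth_destination,
    reject_rbl_client sbl.spamhaus.org
"""


def parse_main_cf(text):
    """Return {parameter: value}; a line starting with whitespace continues the previous value."""
    params, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and current is not None:
            params[current] = (params[current] + " " + raw.strip()).strip()
            continue
        key, sep, value = raw.partition("=")
        if not sep:
            continue  # malformed line; postconf reports these, we simply skip
        current = key.strip()
        params[current] = value.strip()
    return params


def misplaced_restrictions(params):
    """Parameters whose name is really a restriction; Postfix ignores them as 'unused'."""
    return {k: v for k, v in params.items() if k in RESTRICTIONS}


def relocate(params):
    """Drop each misplaced restriction and re-insert it, with its argument, into
    smtpd_recipient_restrictions directly after reject_unauth_destination, so the
    relay check still runs first (mouss's ordering advice). Returns a new dict."""
    fixed = dict(params)
    for name, arg in misplaced_restrictions(params).items():
        del fixed[name]
        entries = [e.strip() for e in fixed.get("smtpd_recipient_restrictions", "").split(",")
                   if e.strip()]
        entry = f"{name} {arg}".strip()
        if "reject_unauth_destination" in entries:
            entries.insert(entries.index("reject_unauth_destination") + 1, entry)
        else:
            entries.append(entry)  # no relay check present: at least do not put it in front
        fixed["smtpd_recipient_restrictions"] = ", ".join(entries)
    return fixed
```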
                                  • Tolga
                                    Message 17 of 17 , Jul 22, 2012
                                      On 07/22/2012 03:12 PM, Wietse Venema wrote:
                                      > Tolga:
                                      >> Hi,
                                      >>
                                      >> I have put this line in my main.cf
                                      >>
                                      >> check_client_access = cidr:/etc/postfix/sinokorea.cidr
                                      > In Postfix 2.9, this will result in a warning:
                                      >
                                      > postconf: warning: /etc/postfix/main.cf: unused parameter: check_client_access=cidr:/etc/postfix/sinokorea.cidr
                                      >
                                      > And indeed check_client_access is not a parameter name. Instead, it
                                      > is used inside smtpd_recipient(etc) restrictions.
                                      >
                                      > Wietse
                                      Thanks Wietse :)