
Re: check_client_access

  • Rocco Scappatura
    Message 1 of 17 , Feb 1, 2009
      Mouss,

      >> [snip]
      >>
      >> :-D
      >>
      >> [snip]
      >
      > dogs ate logs?
      >

      Very cool from you.. as usual!

      You have won a prize.. :-) <-- Is it ok so? ;-)

      > - show logs that prove what you claimed

      Feb 1 06:02:50 av5 postfix/smtpd[32172]: NOQUEUE: reject: RCPT from
      unknown[83.103.67.197]: 550 5.1.1 <staff@...: Recipient address
      rejected: undeliverable address: host
      srvmailvb.domain.intranet[10.36.20.100] said: 550 5.1.1 User unknown (in
      reply to RCPT TO command); from=<> to=<staff@...> proto=ESMTP
      helo=<clus2.istge.it>

      > - show 'postmap -q' results (for all the keys that postfix uses. see the
      > man page of access for the lookup order).

      Could you instruct me about the order postfix applies the restrictions
      (you can see "postconf" output in my previous email.. Thanks.)

      Anyway,

      # postmap -q staff@...
      proxy:mysql:/etc/postfix/mysql-check-sender-access.cf
      REJECT

      > you also need to make your mind: the subject contains
      > "check_client_access". your question was about "check_sender_access",

      OK. Sorry, I got my subject wrong..

      > and your explanation was about a "receiver". That's 3 different things...

      So.. What do I have to do to block a message based on the receiver?

      > PS. it would be safer to put your check_sender_access in
      > smtpd_sender_restrictions so that an error in your sql query doesn't
      > make you an open relay.

      Why is it safer? Could it have any side effect in my configuration? Thanks.

      rocsca
    • mouss
      Message 2 of 17 , Feb 1, 2009
        Rocco Scappatura wrote:
        > Mouss,
        >
        >>> [snip]
        >>>
        >>> :-D
        >>>
        >>> [snip]
        >> dogs ate logs?
        >>
        >
        > Very cool from you.. as usual!
        >
        > You have won a prize.. :-) <-- Is it ok so? ;-)
        >

        depends on what the prize is :)


        >> - show logs that prove what you claimed
        >
        > Feb 1 06:02:50 av5 postfix/smtpd[32172]: NOQUEUE: reject: RCPT from
        > unknown[83.103.67.197]: 550 5.1.1 <staff@...: Recipient address
        > rejected: undeliverable address: host
        > srvmailvb.domain.intranet[10.36.20.100] said: 550 5.1.1 User unknown (in
        > reply to RCPT TO command); from=<> to=<staff@...> proto=ESMTP
        > helo=<clus2.istge.it>
        >

        so the sender is "<>". see below.

        >> - show 'postmap -q' results (for all the keys that postfix uses. see the
        >> man page of access for the lookup order).
        >
        > Could you instruct me about the order postfix applies the restrictions
        > (you can see "postconf" output in my previous email.. Thanks.)
        >

        From
        http://www.postfix.org/access.5.html
        in the EMAIL ADDRESS PATTERNS section, the order is:
        user@domain
        domain.tld
        user@


        so you would do
        # postmap -q joe@... proxy:mysql:/....
        # postmap -q domain.example proxy:mysql:/....
        # postmap -q joe@ proxy:mysql:/....

        > Anyway,
        >
        > # postmap -q staff@...
        > proxy:mysql:/etc/postfix/mysql-check-sender-access.cf
        > REJECT
        >
        >> you also need to make your mind: the subject contains
        >> "check_client_access". your question was about "check_sender_access",
        >
        > OK. Sorry I have wrong my subject..
        >
        >> and your explanation was about a "receiver". That's 3 different things...
        >
        > So.. What I have to do to block a message based on the receiver?
        >

        check_recipient_access.

        >> PS. it would be safer to put your check_sender_access in
        >> smtpd_sender_restrictions so that an error in your sql query doesn't
        >> make you an open relay.
        >
        > Why is safer? Could have any side effect in my configuration? Thanks.
        >

        it's ok if you don't return "OK" in your map (Annie, are you OK?). but
        one day, you'll be tired and you'll add an entry to your map...

        this is why it is generally safer to put check_*_access after
        reject_unauth_destination in smtpd_recipient_restrictions, or to put
        them in other restrictions (latter if you want them to apply to both
        inbound and outbound mail).
      • Rocco Scappatura
        Message 3 of 17 , Feb 1, 2009
          Mouss,

          >>> and your explanation was about a "receiver". That's 3 different
          >>> things...
          >>
          >> So.. What I have to do to block a message based on the receiver?
          >>
          >
          > check_recipient_access.
          >
          >>> PS. it would be safer to put your check_sender_access in
          >>> smtpd_sender_restrictions so that an error in your sql query doesn't
          >>> make you an open relay.
          >>
          >> Why is safer? Could have any side effect in my configuration? Thanks.
          >>
          >
          > it's ok if you don't return "OK" in your map (Annie, are you OK?). but
          > one day, you'll be tired and you'll add an entry to your map...
          >
          > this is why it is generally safer to put check_*_access after
          > reject_unauth_destination in smtpd_recipient_restrictions, or to put
          > them in other restrictions (latter if you want them to apply to both
          > inbound and outbound mail).

          These are the restrictions in my main.cf file:

          smtpd_client_restrictions =
              check_client_access proxy:mysql:/etc/postfix/mysql-check-client-filter-access.cf

          smtpd_helo_restrictions =
          smtpd_sender_restrictions =

          smtpd_recipient_restrictions =
              check_sender_access proxy:mysql:/etc/postfix/mysql-check-sender-access.cf
              check_recipient_access proxy:mysql:/etc/postfix/mysql-check-recipient-access.cf
              check_client_access proxy:mysql:/etc/postfix/mysql-check-client-access.cf
              permit_mynetworks
              permit_sasl_authenticated
              check_policy_service inet:127.0.0.1:54000
              reject_unauth_destination
              .
              .
              .

          How do I have to modify it so that I could block an email address either
          if it is the sender or one of the recipients, AND either if the message is
          incoming or outgoing?

          Maybe so (assuming that the action will never be "OK")...

          smtpd_client_restrictions =
              check_client_access proxy:mysql:/etc/postfix/mysql-check-client-filter-access.cf

          smtpd_helo_restrictions =
          smtpd_sender_restrictions =
              check_sender_access proxy:mysql:/etc/postfix/mysql-check-sender-access.cf
              check_recipient_access proxy:mysql:/etc/postfix/mysql-check-sender-access.cf

          smtpd_recipient_restrictions =
              check_recipient_access proxy:mysql:/etc/postfix/mysql-check-recipient-access.cf
              check_client_access proxy:mysql:/etc/postfix/mysql-check-client-access.cf
              permit_mynetworks
              permit_sasl_authenticated
              check_policy_service inet:127.0.0.1:54000
              reject_unauth_destination
              .
              .
              .

          Or do you have another configuration to propose that is safer?

          rocsca
        • mouss
          Message 4 of 17 , Feb 1, 2009
            Rocco Scappatura wrote:
            >
            >
            > Mouss,
            >
            >>>> and your explanation was about a "receiver". That's 3 different
            >>>> things...
            >>> So.. What I have to do to block a message based on the receiver?
            >>>
            >> check_recipient_access.
            >>
            >>>> PS. it would be safer to put your check_sender_access in
            >>>> smtpd_sender_restrictions so that an error in your sql query doesn't
            >>>> make you an open relay.
            >>> Why is safer? Could have any side effect in my configuration? Thanks.
            >>>
            >> it's ok if you don't return "OK" in your map (Annie, are you OK?). but
            >> one day, you'll be tired and you'll add an entry to your map...
            >>
            >> this is why it is generally safer to put check_*_access after
            >> reject_unauth_destination in smtpd_recipient_restrictions, or to put
            >> them in other restrictions (latter if you want them to apply to both
            >> inbound and outbound mail).
            >
            > These are the restrictions in my main.cf file:
            >
            > smtpd_client_restrictions =
            > check_client_access
            > proxy:mysql:/etc/postfix/mysql-check-client-filter-access.cf
            >
            > smtpd_helo_restrictions =
            > smtpd_sender_restrictions =
            >
            > smtpd_recipient_restrictions =
            > check_sender_access proxy:mysql:/etc/postfix/mysql-check-sender-access.cf
            > check_recipient_access
            > proxy:mysql:/etc/postfix/mysql-check-recipient-access.cf
            > check_client_access proxy:mysql:/etc/postfix/mysql-check-client-access.cf
            > permit_mynetworks
            > permit_sasl_authenticated
            > check_policy_service inet:127.0.0.1:54000
            > reject_unauth_destination
            > .
            > .
            > .
            >
            > How do I have to modify it so that I could block an email address either
            > if is the sender or one of the recipients, AND either if the message is
            > incoming or outgoing?
            >
            > Maybe so (assuming that the action will never be "OK")...
            >
            > smtpd_client_restrictions =
            > check_client_access
            > proxy:mysql:/etc/postfix/mysql-check-client-filter-access.cf
            >
            > smtpd_helo_restrictions =
            > smtpd_sender_restrictions =
            > check_sender_access proxy:mysql:/etc/postfix/mysql-check-sender-access.cf
            > check_recipient_access
            > proxy:mysql:/etc/postfix/mysql-check-sender-access.cf
            >
            > smtpd_recipient_restrictions =
            > check_recipient_access
            > proxy:mysql:/etc/postfix/mysql-check-recipient-access.cf

            this one is already in smtpd_sender_restrictions, so just remove it

            > check_client_access proxy:mysql:/etc/postfix/mysql-check-client-access.cf

            what's this for? it's already in smtpd_client_restrictions, so you may
            or may not need it here.


            > permit_mynetworks
            > permit_sasl_authenticated
            > check_policy_service inet:127.0.0.1:54000

            what's this for? you probably want to put this after
            reject_unauth_destination.

            remember: reject_unauth_destination is what prevents open relay. so
            avoid putting a lot of stuff before it, because you increase the risks.

            and reject_unauth_destination is a very safe and very cheap check, so it's
            good to have it as soon as possible.

            > reject_unauth_destination
            > .
            > .
            > .
            >
            > Or you have another configuration to propose the is safer?
            >

            see above.

            as a general "rule of thumb", put anti-spam checks (I'm talking about
            inbound spam. outbound spam is a different subject) after
            reject_unauth_destination, and put "general restrictions" (that also
            apply to your users) in one of smtpd_(client|helo|sender)_restrictions.
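
The ordering risk mouss describes, as an added example that is not part of the original thread: a simplified Python model of how smtpd walks its restriction lists, where OK ends only the current list and REJECT ends the whole evaluation. The map entries, addresses and the RISKY/SAFER layouts are constructed assumptions, and the sender map is looked up by full address only.

```python
# Added illustration: simplified model of Postfix smtpd restriction lists.
# All addresses, networks and map entries are constructed sample data.

OK, REJECT, DUNNO = "OK", "REJECT", "DUNNO"

RELAY_OK_DOMAINS = {"example.com"}   # destinations this server is responsible for
MYNETWORKS = {"192.0.2.10"}          # trusted client addresses
SENDER_ACCESS = {                    # stand-in for the SQL-backed sender map
    "spammer@bad.example": REJECT,
    "partner@friend.example": OK,    # the entry added "one day, when you're tired"
}


def check_sender_access(msg):
    # Simplified: full-address key only (access(5) also tries domain and user@).
    return SENDER_ACCESS.get(msg["sender"], DUNNO)


def permit_mynetworks(msg):
    return OK if msg["client"] in MYNETWORKS else DUNNO


def reject_unauth_destination(msg):
    domain = msg["recipient"].rpartition("@")[2]
    return DUNNO if domain in RELAY_OK_DOMAINS else REJECT


LIST_ORDER = ("client", "helo", "sender", "recipient")


def evaluate(config, msg):
    """Return ("REJECT", restriction_name) or ("ACCEPT", None)."""
    for list_name in LIST_ORDER:
        for restriction in config.get(list_name, []):
            result = restriction(msg)
            if result == REJECT:
                return ("REJECT", restriction.__name__)
            if result == OK:
                break  # OK ends this list only; the following lists still run
    return ("ACCEPT", None)


# Sender map consulted before reject_unauth_destination in the recipient list.
RISKY = {
    "recipient": [check_sender_access, permit_mynetworks, reject_unauth_destination],
}
# Sender map moved to the sender list; an OK there cannot skip the relay check.
SAFER = {
    "sender": [check_sender_access],
    "recipient": [permit_mynetworks, reject_unauth_destination],
}

MESSAGES = {
    "outside client, whitelisted sender, foreign recipient": {
        "client": "203.0.113.5", "sender": "partner@friend.example",
        "recipient": "victim@elsewhere.example"},
    "blocked sender to local recipient": {
        "client": "203.0.113.5", "sender": "spammer@bad.example",
        "recipient": "user@example.com"},
    "ordinary inbound mail": {
        "client": "198.51.100.7", "sender": "someone@other.example",
        "recipient": "user@example.com"},
    "trusted client sending out": {
        "client": "192.0.2.10", "sender": "user@example.com",
        "recipient": "someone@other.example"},
}


def compare():
    """Evaluate every sample message under both layouts."""
    return {name: (evaluate(RISKY, m), evaluate(SAFER, m))
            for name, m in MESSAGES.items()}


if __name__ == "__main__":
    for name, (risky, safer) in compare().items():
        print(f"{name}: risky={risky} safer={safer}")
```

Only the first sample message differs between the two layouts: with the sender map ahead of reject_unauth_destination, the OK entry lets an outside client relay to a foreign destination.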
          • Rocco Scappatura
            Message 5 of 17 , Feb 1, 2009
              >> How do I have to modify it so that I could block an email address either
              >> if is the sender or one of the recipients, AND either if the message is
              >> incoming or outgoing?
              >>
              >> Maybe so (assuming that the action will never be "OK")...
              >>
              >> smtpd_client_restrictions =
              >> check_client_access
              >> proxy:mysql:/etc/postfix/mysql-check-client-filter-access.cf
              >>
              >> smtpd_helo_restrictions =
              >> smtpd_sender_restrictions =
              >> check_sender_access
              >> proxy:mysql:/etc/postfix/mysql-check-sender-access.cf
              >> check_recipient_access
              >> proxy:mysql:/etc/postfix/mysql-check-sender-access.cf
              >>
              >> smtpd_recipient_restrictions =
              >> check_recipient_access
              >> proxy:mysql:/etc/postfix/mysql-check-recipient-access.cf
              >
              > this one is already in smtpd_sender_restrictions, so just remove it
              >

              I can't remove it because this lookup returns "reject_unverified_address"
              for the domains that I maintain but for which I have no list of valid
              recipients:

              query = select restriction from domain where domain='%s'

              maybe could I put both lookups in smtpd_sender_restrictions?

              check_recipient_access
              proxy:mysql:/etc/postfix/mysql-check-sender-access.cf,
              proxy:mysql:/etc/postfix/mysql-check-sender-access.cf

              is it ok?

              >> check_client_access
              >> proxy:mysql:/etc/postfix/mysql-check-client-access.cf
              >
              > what's this for? it's already in smtpd_client_restrictions, so you may
              > or may not need it here.

              It integrates mynetworks (i.e.: returns "OK" if an IP is enabled to relay
              through my SMTP gateway). I need it.

              >
              >> permit_mynetworks
              >> permit_sasl_authenticated
              >> check_policy_service inet:127.0.0.1:54000
              >
              > what's this for? you probably want to put this after
              > reject_unauth_destination.

              postgrey

              >
              > remember: reject_unauth_destination is what prevents open relay. so
              > avoid putting a lot of stuff before it, because you increase the risks.
              >
              > and reject_unauth_destination is a very safe a very cheap check, so it's
              > good to have it as soon as possible.
              >
              >> reject_unauth_destination
              >> .
              >> .
              >> .
              >>
              >> Or you have another configuration to propose the is safer?
              >>
              >
              > see above.
              >
              > as a general "rule of thumb", put anti-spam checks (I'm talking about
              > inbound spam. outbound spam is a different subject) after
              > reject_unauth_destination, and put "general restrictions" (that also
              > apply to your users) in one of smtpd_(client|helo|sender)_restrictions.

              thanks,

              rocsca
            • Rocco Scappatura
              Message 6 of 17 , Feb 1, 2009
                Sorry,

                >>> How do I have to modify it so that I could block an email address
                >>> either
                >>> if is the sender or one of the recipients, AND either if the message is
                >>> incoming or outgoing?
                >>>
                >>> Maybe so (assuming that the action will never be "OK")...
                >>>
                >>> smtpd_client_restrictions =
                >>> check_client_access
                >>> proxy:mysql:/etc/postfix/mysql-check-client-filter-access.cf
                >>>
                >>> smtpd_helo_restrictions =
                >>> smtpd_sender_restrictions =
                >>> check_sender_access
                >>> proxy:mysql:/etc/postfix/mysql-check-sender-access.cf
                >>> check_recipient_access
                >>> proxy:mysql:/etc/postfix/mysql-check-sender-access.cf
                >>>
                >>> smtpd_recipient_restrictions =
                >>> check_recipient_access
                >>> proxy:mysql:/etc/postfix/mysql-check-recipient-access.cf
                >>
                >> this one is already in smtpd_sender_restrictions, so just remove it
                >>
                >
                > I can't remove it because this lookup return "reject_unverified_address"
                > for the domains that I maintain but for which I have no a list of valid
                > recipient:
                >
                > query = select restriction from domain where domain='%s'
                >
                > maybe could I put both lookups in smtpd_sender_restrictions?
                >
                > check_recipient_access
                > proxy:mysql:/etc/postfix/mysql-check-sender-access.cf,
                > proxy:mysql:/etc/postfix/mysql-check-sender-access.cf

                I'm saying:

                check_recipient_access
                proxy:mysql:/etc/postfix/mysql-check-sender-access.cf,
                proxy:mysql:/etc/postfix/mysql-check-recipient-access.cf

                >
                > is it ok?
                >
                >>> check_client_access
                >>> proxy:mysql:/etc/postfix/mysql-check-client-access.cf
                >>
                >> what's this for? it's already in smtpd_client_restrictions, so you may
                >> or may not need it here.
                >
                > It integrate mynetworks (i.e.: return "OK" if an IP is enabled to relay
                > through my SMTP gateway). I need it.
                >
                >>
                >>> permit_mynetworks
                >>> permit_sasl_authenticated
                >>> check_policy_service inet:127.0.0.1:54000
                >>
                >> what's this for? you probably want to put this after
                >> reject_unauth_destination.
                >
                > postgrey
                >
                >>
                >> remember: reject_unauth_destination is what prevents open relay. so
                >> avoid putting a lot of stuff before it, because you increase the risks.
                >>
                >> and reject_unauth_destination is a very safe a very cheap check, so it's
                >> good to have it as soon as possible.
                >>
                >>> reject_unauth_destination
                >>> .
                >>> .
                >>> .
                >>>
                >>> Or you have another configuration to propose the is safer?
                >>>
                >>
                >> see above.
                >>
                >> as a general "rule of thumb", put anti-spam checks (I'm talking about
                >> inbound spam. outbound spam is a different subject) after
                >> reject_unauth_destination, and put "general restrictions" (that also
                >> apply to your users) in one of smtpd_(client|helo|sender)_restrictions.
                >
                > thanks,
                >
                > rocsca
                >
                >
              • mouss
                Message 7 of 17 , Feb 1, 2009
                  Rocco Scappatura wrote:
                  >
                  > Sorry,
                  >
                  >>>> How do I have to modify it so that I could block an email address
                  >>>> either
                  >>>> if is the sender or one of the recipients, AND either if the message is
                  >>>> incoming or outgoing?
                  >>>>
                  >>>> Maybe so (assuming that the action will never be "OK")...
                  >>>>
                  >>>> smtpd_client_restrictions =
                  >>>> check_client_access
                  >>>> proxy:mysql:/etc/postfix/mysql-check-client-filter-access.cf
                  >>>>
                  >>>> smtpd_helo_restrictions =
                  >>>> smtpd_sender_restrictions =
                  >>>> check_sender_access
                  >>>> proxy:mysql:/etc/postfix/mysql-check-sender-access.cf
                  >>>> check_recipient_access
                  >>>> proxy:mysql:/etc/postfix/mysql-check-sender-access.cf
                  >>>>
                  >>>> smtpd_recipient_restrictions =
                  >>>> check_recipient_access
                  >>>> proxy:mysql:/etc/postfix/mysql-check-recipient-access.cf
                  >>> this one is already in smtpd_sender_restrictions, so just remove it
                  >>>
                  >> I can't remove it

                  sorry, I didn't notice that it was a different map.

                  > because this lookup return "reject_unverified_address"
                  >> for the domains that I maintain but for which I have no a list of valid
                  >> recipient:
                  >>
                  >> query = select restriction from domain where domain='%s'
                  >>
                  >> maybe could I put both lookups in smtpd_sender_restrictions?
                  >>

                  yes.

                  >> check_recipient_access
                  >> proxy:mysql:/etc/postfix/mysql-check-sender-access.cf,
                  >> proxy:mysql:/etc/postfix/mysql-check-sender-access.cf
                  >
                  > I'm saying:
                  >
                  > check_recipient_access
                  > proxy:mysql:/etc/postfix/mysql-check-sender-access.cf,
                  > proxy:mysql:/etc/postfix/mysql-check-recipient-access.cf
                  >

                  check_foo_access checks only one map. so you need to do it like this:

                  check_recipient_access proxy:mysql:/etc/postfix/mysql-check-sender-access.cf
                  check_recipient_access proxy:mysql:/etc/postfix/mysql-check-recipient-access.cf


                  >> is it ok?
                  >>
                  >>>> check_client_access
                  >>>> proxy:mysql:/etc/postfix/mysql-check-client-access.cf
                  >>> what's this for? it's already in smtpd_client_restrictions, so you may
                  >>> or may not need it here.
                  >> It integrate mynetworks (i.e.: return "OK" if an IP is enabled to relay
                  >> through my SMTP gateway). I need it.
                  >>

                  that's ok.

                  >>>> permit_mynetworks
                  >>>> permit_sasl_authenticated
                  >>>> check_policy_service inet:127.0.0.1:54000
                  >>> what's this for? you probably want to put this after
                  >>> reject_unauth_destination.
                  >> postgrey
                  >>

                  then put it at the end. no point to greylist a relay attempt.

                  >>> remember: reject_unauth_destination is what prevents open relay. so
                  >>> avoid putting a lot of stuff before it, because you increase the risks.
                  >>>
                  >>> and reject_unauth_destination is a very safe a very cheap check, so it's
                  >>> good to have it as soon as possible.
                  >>>
                  >>>> reject_unauth_destination
                  >>>> .
                  >>>> .
                  >>>> .
                  >>>>
                  >>>> Or you have another configuration to propose the is safer?
                  >>>>
                  >>> see above.
                  >>>
                  >>> as a general "rule of thumb", put anti-spam checks (I'm talking about
                  >>> inbound spam. outbound spam is a different subject) after
                  >>> reject_unauth_destination, and put "general restrictions" (that also
                  >>> apply to your users) in one of smtpd_(client|helo|sender)_restrictions.
                  >> thanks,
                  >>
                  >> rocsca
                  >>
                  >>
                  >
                  >
                • Rocco Scappatura
                  Message 8 of 17 , Feb 1, 2009
                    Mouss,

                    >>>>> How do I have to modify it so that I could block an email address
                    >>>>> either
                    >>>>> if is the sender or one of the recipients, AND either if the message
                    >>>>> is
                    >>>>> incoming or outgoing?
                    >>>>>
                    >>>>> Maybe so (assuming that the action will never be "OK")...
                    >>>>>
                    >>>>> smtpd_client_restrictions =
                    >>>>> check_client_access
                    >>>>> proxy:mysql:/etc/postfix/mysql-check-client-filter-access.cf
                    >>>>>
                    >>>>> smtpd_helo_restrictions =
                    >>>>> smtpd_sender_restrictions =
                    >>>>> check_sender_access
                    >>>>> proxy:mysql:/etc/postfix/mysql-check-sender-access.cf
                    >>>>> check_recipient_access
                    >>>>> proxy:mysql:/etc/postfix/mysql-check-sender-access.cf
                    >>>>>
                    >>>>> smtpd_recipient_restrictions =
                    >>>>> check_recipient_access
                    >>>>> proxy:mysql:/etc/postfix/mysql-check-recipient-access.cf
                    >>>> this one is already in smtpd_sender_restrictions, so just remove it
                    >>>>
                    >>> I can't remove it
                    >
                    > sorry, I didn't notice that it was a different map.
                    >
                    >> because this lookup return "reject_unverified_address"
                    >>> for the domains that I maintain but for which I have no a list of valid
                    >>> recipient:
                    >>>
                    >>> query = select restriction from domain where domain='%s'
                    >>>
                    >>> maybe could I put both lookups in smtpd_sender_restrictions?
                    >>>
                    >
                    > yes.
                    >
                    >>> check_recipient_access
                    >>> proxy:mysql:/etc/postfix/mysql-check-sender-access.cf,
                    >>> proxy:mysql:/etc/postfix/mysql-check-sender-access.cf
                    >>
                    >> I'm saying:
                    >>
                    >> check_recipient_access
                    >> proxy:mysql:/etc/postfix/mysql-check-sender-access.cf,
                    >> proxy:mysql:/etc/postfix/mysql-check-recipient-access.cf
                    >>
                    >
                    > check_foo_access checks only one map. so you need to do it like this:
                    >
                    > check_recipient_access
                    > proxy:mysql:/etc/postfix/mysql-check-sender-access.cf
                    > check_recipient_access
                    > proxy:mysql:/etc/postfix/mysql-check-recipient-access.cf
                    >
                    >
                    >>> is it ok?
                    >>>
                    >>>>> check_client_access
                    >>>>> proxy:mysql:/etc/postfix/mysql-check-client-access.cf
                    >>>> what's this for? it's already in smtpd_client_restrictions, so you may
                    >>>> or may not need it here.
                    >>> It integrate mynetworks (i.e.: return "OK" if an IP is enabled to relay
                    >>> through my SMTP gateway). I need it.
                    >>>
                    >
                    > that's ok.
                    >
                    >>>>> permit_mynetworks
                    >>>>> permit_sasl_authenticated
                    >>>>> check_policy_service inet:127.0.0.1:54000
                    >>>> what's this for? you probably want to put this after
                    >>>> reject_unauth_destination.
                    >>> postgrey
                    >>>
                    >
                    > then put it at the end. no point to greylist a relay attempt.
                    >
                    >>>> remember: reject_unauth_destination is what prevents open relay. so
                    >>>> avoid putting a lot of stuff before it, because you increase the
                    >>>> risks.
                    >>>>
                    >>>> and reject_unauth_destination is a very safe a very cheap check, so
                    >>>> it's
                    >>>> good to have it as soon as possible.
                    >>>>
                    >>>>> reject_unauth_destination
                    >>>>> .
                    >>>>> .
                    >>>>> .
                    >>>>>
                    >>>>> Or you have another configuration to propose the is safer?
                    >>>>>
                    >>>> see above.
                    >>>>
                    >>>> as a general "rule of thumb", put anti-spam checks (I'm talking about
                    >>>> inbound spam. outbound spam is a different subject) after
                    >>>> reject_unauth_destination, and put "general restrictions" (that also
                    >>>> apply to your users) in one of
                    >>>> smtpd_(client|helo|sender)_restrictions.

                    All works fine.. Annie is OK! ;-)

                    Thanks,

                    rocsca
                  • Tolga
                    Message 9 of 17 , Jul 22, 2012
                      Hi,

                      I have put this line in my main.cf

                      check_client_access = cidr:/etc/postfix/sinokorea.cidr

                      I then restarted postfix, but I can't see it in postconf -n. How come?

                      For reference: my postconf -n output is:

                      [root@vps ~]# postconf -n
                      alias_database = hash:/etc/aliases
                      alias_maps = hash:/etc/aliases
                      append_dot_mydomain = no
                      biff = no
                      broken_sasl_auth_clients = yes
                      config_directory = /etc/postfix
                      html_directory = /usr/share/doc/postfix/html
                      inet_interfaces = all
                      mailbox_command = procmail -a "$EXTENSION"
                      mailbox_size_limit = 0
                      mydestination = localhost
                      myhostname = mail.bilgisayarciniz.org
                      mynetworks = 127.0.0.0/8 127.0.0.2/32 109.232.0.0/16
                      myorigin = /etc/mailname
                      readme_directory = /usr/share/doc/postfix
                      recipient_delimiter = +
                      relayhost =
                      smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
                      smtpd_recipient_restrictions = permit_sasl_authenticated,
                      permit_mynetworks, reject_unauth_destination,
                      reject_non_fqdn_hostname, reject_non_fqdn_sender,
                      reject_non_fqdn_recipient, reject_unauth_pipelining,
                      reject_invalid_hostname, reject_rbl_client sbl.spamhaus.org,
                      reject_rbl_client xbl.spamhaus.org
                      smtpd_sasl_auth_enable = yes
                      smtpd_sasl_local_domain = $myhostname
                      smtpd_sasl_path = private/auth
                      smtpd_sasl_security_options = noanonymous
                      smtpd_sasl_type = dovecot
                      virtual_alias_maps = mysql:/etc/postfix/mysql_virtual_alias_maps.cf
                      virtual_gid_maps = static:5000
                      virtual_mailbox_base = /srv/vmail
                      virtual_mailbox_domains = mysql:/etc/postfix/mysql_virtual_domains_maps.cf
                      virtual_mailbox_maps = mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
                      virtual_minimum_uid = 100
                      virtual_transport = virtual
                      virtual_uid_maps = static:5000

                      Regards,
                    • Wietse Venema
                      Message 10 of 17 , Jul 22, 2012
                        Tolga:
                        > Hi,
                        >
                        > I have put a line in my main.cf
                        >
                        > check_client_access = cidr:/etc/postfix/sinokorea.cidr

                        In Postfix 2.9, this will result in a warning:

                        postconf: warning: /etc/postfix/main.cf: unused parameter: check_client_access=cidr:/etc/postfix/sinokorea.cidr

                        And indeed check_client_access is not a parameter name. Instead, it
                        is used inside smtpd_recipient(etc) restrictions.

                        Wietse
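
An added example, not part of the thread and not Postfix code: a small Python check for the two main.cf mistakes discussed above, a restriction name used as a parameter (Wietse's reply) and an access-table lookup placed before reject_unauth_destination (mouss's advice). The function names, the partial restriction list and the sender_access path are assumptions made for illustration.

```python
import re

# Partial list of smtpd restriction names; none is a main.cf parameter name.
RESTRICTION_NAMES = {
    "check_client_access", "check_helo_access", "check_sender_access",
    "check_recipient_access", "reject_unauth_destination", "permit_mynetworks",
}
ACCESS_LOOKUP = re.compile(r"^check_\w+_access$")


def logical_lines(text):
    """Join main.cf continuation lines; skip blank and comment lines."""
    lines = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and lines:
            lines[-1] += " " + raw.strip()
        else:
            lines.append(raw.strip())
    return lines


def lint_main_cf(text):
    """Return findings for the two mistakes discussed in the thread."""
    findings = []
    for line in logical_lines(text):
        name, _, value = (part.strip() for part in line.partition("="))
        if name in RESTRICTION_NAMES:
            findings.append(f"{name}: restriction name used as a parameter")
        if name != "smtpd_recipient_restrictions":
            continue
        items = [t for t in re.split(r"[,\s]+", value) if t]
        if "reject_unauth_destination" in items:
            cut = items.index("reject_unauth_destination")
            findings += [f"{i}: lookup before reject_unauth_destination"
                         for i in items[:cut] if ACCESS_LOOKUP.match(i)]
    return findings

# Constructed sample, modelled on the configuration quoted in the thread.
SAMPLE = """\
check_client_access = cidr:/etc/postfix/sinokorea.cidr
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks,
    check_sender_access hash:/etc/postfix/sender_access,
    reject_unauth_destination,
    check_client_access cidr:/etc/postfix/sinokorea.cidr
"""

print("\n".join(lint_main_cf(SAMPLE)))
```

The last check_client_access entry in the sample sits after reject_unauth_destination inside the restriction list, which is the placement the thread recommends, so it is not reported.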
                      • Tolga
                        Message 11 of 17 , Jul 22, 2012
                          On 07/22/2012 03:12 PM, Wietse Venema wrote:
                          > Tolga:
                          >> Hi,
                          >>
                          >> I have put a line in my main.cf
                          >>
                          >> check_client_access = cidr:/etc/postfix/sinokorea.cidr
                          > In Postfix 2.9, this will result in a warning:
                          >
                          > postconf: warning: /etc/postfix/main.cf: unused parameter: check_client_access=cidr:/etc/postfix/sinokorea.cidr
                          >
                          > And indeed check_client_access is not a parameter name. Instead, it
                          > is used inside smtpd_recipient(etc) restrictions.
                          >
                          > Wietse
                          Thanks Wietse :)