
Re: check_client_access

  • Rocco Scappatura
    Message 1 of 17, Feb 1, 2009
      Sorry,

      >>> How do I have to modify it so that I could block an email address
      >>> either
      >>> if is the sender or one of the recipients, AND either if the message is
      >>> incoming or outgoing?
      >>>
      >>> Maybe so (assuming that the action will never be "OK")...
      >>>
      >>> smtpd_client_restrictions =
      >>> check_client_access
      >>> proxy:mysql:/etc/postfix/mysql-check-client-filter-access.cf
      >>>
      >>> smtpd_helo_restrictions =
      >>> smtpd_sender_restrictions =
      >>> check_sender_access
      >>> proxy:mysql:/etc/postfix/mysql-check-sender-access.cf
      >>> check_recipient_access
      >>> proxy:mysql:/etc/postfix/mysql-check-sender-access.cf
      >>>
      >>> smtpd_recipient_restrictions =
      >>> check_recipient_access
      >>> proxy:mysql:/etc/postfix/mysql-check-recipient-access.cf
      >>
      >> this one is already in smtpd_sender_restrictions, so just remove it
      >>
      >
      > I can't remove it because this lookup returns "reject_unverified_address"
      > for the domains that I maintain but for which I have no list of valid
      > recipients:
      >
      > query = select restriction from domain where domain='%s'
      >
      > maybe could I put both lookups in smtpd_sender_restrictions?
      >
      > check_recipient_access
      > proxy:mysql:/etc/postfix/mysql-check-sender-access.cf,
      > proxy:mysql:/etc/postfix/mysql-check-sender-access.cf

      I'm saying:

      check_recipient_access
      proxy:mysql:/etc/postfix/mysql-check-sender-access.cf,
      proxy:mysql:/etc/postfix/mysql-check-recipient-access.cf

      >
      > is it ok?
      >
      >>> check_client_access
      >>> proxy:mysql:/etc/postfix/mysql-check-client-access.cf
      >>
      >> what's this for? it's already in smtpd_client_restrictions, so you may
      >> or may not need it here.
      >
      > It integrates mynetworks (i.e.: returns "OK" if an IP is enabled to relay
      > through my SMTP gateway). I need it.
      >
      >>
      >>> permit_mynetworks
      >>> permit_sasl_authenticated
      >>> check_policy_service inet:127.0.0.1:54000
      >>
      >> what's this for? you probably want to put this after
      >> reject_unauth_destination.
      >
      > postgrey
      >
      >>
      >> remember: reject_unauth_destination is what prevents open relay. so
      >> avoid putting a lot of stuff before it, because you increase the risks.
      >>
      >> and reject_unauth_destination is a very safe and very cheap check, so it's
      >> good to have it as soon as possible.
      >>
      >>> reject_unauth_destination
      >>> .
      >>> .
      >>> .
      >>>
      >>> Or you have another configuration to propose that is safer?
      >>>
      >>
      >> see above.
      >>
      >> as a general "rule of thumb", put anti-spam checks (I'm talking about
      >> inbound spam. outbound spam is a different subject) after
      >> reject_unauth_destination, and put "general restrictions" (that also
      >> apply to your users) in one of smtpd_(client|helo|sender)_restrictions.
      >
      > thanks,
      >
      > rocsca
      >
      >
    • mouss
      Message 2 of 17, Feb 1, 2009
        Rocco Scappatura wrote:
        >
        > Sorry,
        >
        >>>> How do I have to modify it so that I could block an email address
        >>>> either
        >>>> if is the sender or one of the recipients, AND either if the message is
        >>>> incoming or outgoing?
        >>>>
        >>>> Maybe so (assuming that the action will never be "OK")...
        >>>>
        >>>> smtpd_client_restrictions =
        >>>> check_client_access
        >>>> proxy:mysql:/etc/postfix/mysql-check-client-filter-access.cf
        >>>>
        >>>> smtpd_helo_restrictions =
        >>>> smtpd_sender_restrictions =
        >>>> check_sender_access
        >>>> proxy:mysql:/etc/postfix/mysql-check-sender-access.cf
        >>>> check_recipient_access
        >>>> proxy:mysql:/etc/postfix/mysql-check-sender-access.cf
        >>>>
        >>>> smtpd_recipient_restrictions =
        >>>> check_recipient_access
        >>>> proxy:mysql:/etc/postfix/mysql-check-recipient-access.cf
        >>> this one is already in smtpd_sender_restrictions, so just remove it
        >>>
        >> I can't remove it

        sorry, I didn't notice that it was a different map.

        > because this lookup returns "reject_unverified_address"
        >> for the domains that I maintain but for which I have no list of valid
        >> recipients:
        >>
        >> query = select restriction from domain where domain='%s'
        >>
        >> maybe could I put both lookups in smtpd_sender_restrictions?
        >>

        yes.

        >> check_recipient_access
        >> proxy:mysql:/etc/postfix/mysql-check-sender-access.cf,
        >> proxy:mysql:/etc/postfix/mysql-check-sender-access.cf
        >
        > I'm saying:
        >
        > check_recipient_access
        > proxy:mysql:/etc/postfix/mysql-check-sender-access.cf,
        > proxy:mysql:/etc/postfix/mysql-check-recipient-access.cf
        >

        check_foo_access checks only one map. so you need to do it like this:

        check_recipient_access
        proxy:mysql:/etc/postfix/mysql-check-sender-access.cf
        check_recipient_access
        proxy:mysql:/etc/postfix/mysql-check-recipient-access.cf


        >> is it ok?
        >>
        >>>> check_client_access
        >>>> proxy:mysql:/etc/postfix/mysql-check-client-access.cf
        >>> what's this for? it's already in smtpd_client_restrictions, so you may
        >>> or may not need it here.
        >> It integrates mynetworks (i.e.: returns "OK" if an IP is enabled to relay
        >> through my SMTP gateway). I need it.
        >>

        that's ok.

        >>>> permit_mynetworks
        >>>> permit_sasl_authenticated
        >>>> check_policy_service inet:127.0.0.1:54000
        >>> what's this for? you probably want to put this after
        >>> reject_unauth_destination.
        >> postgrey
        >>

        then put it at the end. no point to greylist a relay attempt.

        >>> remember: reject_unauth_destination is what prevents open relay. so
        >>> avoid putting a lot of stuff before it, because you increase the risks.
        >>>
        >>> and reject_unauth_destination is a very safe and very cheap check, so it's
        >>> good to have it as soon as possible.
        >>>
        >>>> reject_unauth_destination
        >>>> .
        >>>> .
        >>>> .
        >>>>
        >>>> Or you have another configuration to propose that is safer?
        >>>>
        >>> see above.
        >>>
        >>> as a general "rule of thumb", put anti-spam checks (I'm talking about
        >>> inbound spam. outbound spam is a different subject) after
        >>> reject_unauth_destination, and put "general restrictions" (that also
        >>> apply to your users) in one of smtpd_(client|helo|sender)_restrictions.
        >> thanks,
        >>
        >> rocsca
        >>
        >>
        >
        >
      • Rocco Scappatura
        Message 3 of 17, Feb 1, 2009
          Mouss,

          >>>>> How do I have to modify it so that I could block an email address
          >>>>> either
          >>>>> if is the sender or one of the recipients, AND either if the message
          >>>>> is
          >>>>> incoming or outgoing?
          >>>>>
          >>>>> Maybe so (assuming that the action will never be "OK")...
          >>>>>
          >>>>> smtpd_client_restrictions =
          >>>>> check_client_access
          >>>>> proxy:mysql:/etc/postfix/mysql-check-client-filter-access.cf
          >>>>>
          >>>>> smtpd_helo_restrictions =
          >>>>> smtpd_sender_restrictions =
          >>>>> check_sender_access
          >>>>> proxy:mysql:/etc/postfix/mysql-check-sender-access.cf
          >>>>> check_recipient_access
          >>>>> proxy:mysql:/etc/postfix/mysql-check-sender-access.cf
          >>>>>
          >>>>> smtpd_recipient_restrictions =
          >>>>> check_recipient_access
          >>>>> proxy:mysql:/etc/postfix/mysql-check-recipient-access.cf
          >>>> this one is already in smtpd_sender_restrictions, so just remove it
          >>>>
          >>> I can't remove it
          >
          > sorry, I didn't notice that it was a different map.
          >
          >> because this lookup returns "reject_unverified_address"
          >>> for the domains that I maintain but for which I have no list of valid
          >>> recipients:
          >>>
          >>> query = select restriction from domain where domain='%s'
          >>>
          >>> maybe could I put both lookups in smtpd_sender_restrictions?
          >>>
          >
          > yes.
          >
          >>> check_recipient_access
          >>> proxy:mysql:/etc/postfix/mysql-check-sender-access.cf,
          >>> proxy:mysql:/etc/postfix/mysql-check-sender-access.cf
          >>
          >> I'm saying:
          >>
          >> check_recipient_access
          >> proxy:mysql:/etc/postfix/mysql-check-sender-access.cf,
          >> proxy:mysql:/etc/postfix/mysql-check-recipient-access.cf
          >>
          >
          > check_foo_access checks only one map. so you need to do it like this:
          >
          > check_recipient_access
          > proxy:mysql:/etc/postfix/mysql-check-sender-access.cf
          > check_recipient_access
          > proxy:mysql:/etc/postfix/mysql-check-recipient-access.cf
          >
          >
          >>> is it ok?
          >>>
          >>>>> check_client_access
          >>>>> proxy:mysql:/etc/postfix/mysql-check-client-access.cf
          >>>> what's this for? it's already in smtpd_client_restrictions, so you may
          >>>> or may not need it here.
          >>> It integrates mynetworks (i.e.: returns "OK" if an IP is enabled to relay
          >>> through my SMTP gateway). I need it.
          >>>
          >
          > that's ok.
          >
          >>>>> permit_mynetworks
          >>>>> permit_sasl_authenticated
          >>>>> check_policy_service inet:127.0.0.1:54000
          >>>> what's this for? you probably want to put this after
          >>>> reject_unauth_destination.
          >>> postgrey
          >>>
          >
          > then put it at the end. no point to greylist a relay attempt.
          >
          >>>> remember: reject_unauth_destination is what prevents open relay. so
          >>>> avoid putting a lot of stuff before it, because you increase the
          >>>> risks.
          >>>>
          >>>> and reject_unauth_destination is a very safe and very cheap check, so
          >>>> it's
          >>>> good to have it as soon as possible.
          >>>>
          >>>>> reject_unauth_destination
          >>>>> .
          >>>>> .
          >>>>> .
          >>>>>
          >>>>> Or you have another configuration to propose that is safer?
          >>>>>
          >>>> see above.
          >>>>
          >>>> as a general "rule of thumb", put anti-spam checks (I'm talking about
          >>>> inbound spam. outbound spam is a different subject) after
          >>>> reject_unauth_destination, and put "general restrictions" (that also
          >>>> apply to your users) in one of
          >>>> smtpd_(client|helo|sender)_restrictions.

          All works fine.. Annie is OK! ;-)

          Thanks,

          rocsca
        • Tolga
          Message 4 of 17, Jul 22, 2012
            Hi,

            I have put this line in my main.cf

            check_client_access = cidr:/etc/postfix/sinokorea.cidr

            I then restarted postfix, but I can't see it in postconf -n. How come?

            For reference: my postconf -n output is:

            [root@vps ~]# postconf -n
            alias_database = hash:/etc/aliases
            alias_maps = hash:/etc/aliases
            append_dot_mydomain = no
            biff = no
            broken_sasl_auth_clients = yes
            config_directory = /etc/postfix
            html_directory = /usr/share/doc/postfix/html
            inet_interfaces = all
            mailbox_command = procmail -a "$EXTENSION"
            mailbox_size_limit = 0
            mydestination = localhost
            myhostname = mail.bilgisayarciniz.org
            mynetworks = 127.0.0.0/8 127.0.0.2/32 109.232.0.0/16
            myorigin = /etc/mailname
            readme_directory = /usr/share/doc/postfix
            recipient_delimiter = +
            relayhost =
            smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
            smtpd_recipient_restrictions = permit_sasl_authenticated,
            permit_mynetworks, reject_unauth_destination,
            reject_non_fqdn_hostname, reject_non_fqdn_sender,
            reject_non_fqdn_recipient, reject_unauth_pipelining,
            reject_invalid_hostname, reject_rbl_client sbl.spamhaus.org,
            reject_rbl_client xbl.spamhaus.org
            smtpd_sasl_auth_enable = yes
            smtpd_sasl_local_domain = $myhostname
            smtpd_sasl_path = private/auth
            smtpd_sasl_security_options = noanonymous
            smtpd_sasl_type = dovecot
            virtual_alias_maps = mysql:/etc/postfix/mysql_virtual_alias_maps.cf
            virtual_gid_maps = static:5000
            virtual_mailbox_base = /srv/vmail
            virtual_mailbox_domains = mysql:/etc/postfix/mysql_virtual_domains_maps.cf
            virtual_mailbox_maps = mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
            virtual_minimum_uid = 100
            virtual_transport = virtual
            virtual_uid_maps = static:5000

            Regards,
          • Wietse Venema
            Message 5 of 17, Jul 22, 2012
              Tolga:
              > Hi,
              >
              > I have put this line in my main.cf
              >
              > check_client_access = cidr:/etc/postfix/sinokorea.cidr

              In Postfix 2.9, this will result in a warning:

              postconf: warning: /etc/postfix/main.cf: unused parameter: check_client_access=cidr:/etc/postfix/sinokorea.cidr

              And indeed check_client_access is not a parameter name. Instead, it
              is used inside smtpd_recipient(etc) restrictions.

              Wietse
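
The three mistakes discussed in this thread can be caught before a reload by a small lint over main.cf: a restriction name used as a parameter (Wietse's reply above), a second lookup table with no check name of its own (mouss's "check_foo_access checks only one map"), and the greylisting policy service placed ahead of reject_unauth_destination. This is an added example, not code from any poster or from Postfix; the function names and the sample main.cf text are constructed for illustration from fragments quoted in the thread.

```python
import re

# Restriction names that are followed by exactly one table/endpoint argument.
TAKES_TABLE = re.compile(r"check_\w+_access|check_policy_service")
LISTS = re.compile(r"smtpd_(client|helo|sender|recipient)_restrictions")

def parse_main_cf(text):
    """Return {parameter: value}; a line starting with whitespace continues the previous one."""
    params, name = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and name:
            params[name] += " " + line.strip()
        else:
            name, _, value = line.partition("=")
            name = name.strip()
            params[name] = value.strip()
    return params

def lint(text):
    findings = []
    for name, value in parse_main_cf(text).items():
        if re.fullmatch(r"check_\w+_access", name):
            findings.append(f"{name}: restriction name used as a parameter name")
        if not LISTS.fullmatch(name):
            continue
        tokens = value.replace(",", " ").split()
        for prev, tok in zip([""] + tokens, tokens):
            # A table (type:name) must directly follow the check that consults it.
            if ":" in tok and not TAKES_TABLE.fullmatch(prev):
                findings.append(f"{name}: table {tok} has no check name before it")
        if ("check_policy_service" in tokens and "reject_unauth_destination" in tokens
                and tokens.index("check_policy_service") < tokens.index("reject_unauth_destination")):
            findings.append(f"{name}: check_policy_service runs before reject_unauth_destination")
    return findings

# Constructed sample combining the configurations proposed in the thread.
SAMPLE = """\
check_client_access = cidr:/etc/postfix/sinokorea.cidr
smtpd_recipient_restrictions =
    check_recipient_access
        proxy:mysql:/etc/postfix/mysql-check-sender-access.cf,
        proxy:mysql:/etc/postfix/mysql-check-recipient-access.cf
    permit_mynetworks, permit_sasl_authenticated
    check_policy_service inet:127.0.0.1:54000
    reject_unauth_destination
"""

if __name__ == "__main__":
    print("\n".join(lint(SAMPLE)))
```
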
            • Tolga
              Message 6 of 17, Jul 22, 2012
                On 07/22/2012 03:12 PM, Wietse Venema wrote:
                > Tolga:
                >> Hi,
                >>
                >> I have put this line in my main.cf
                >>
                >> check_client_access = cidr:/etc/postfix/sinokorea.cidr
                > In Postfix 2.9, this will result in a warning:
                >
                > postconf: warning: /etc/postfix/main.cf: unused parameter: check_client_access=cidr:/etc/postfix/sinokorea.cidr
                >
                > And indeed check_client_access is not a parameter name. Instead, it
                > is used inside smtpd_recipient(etc) restrictions.
                >
                > Wietse
                Thanks Wietse :)