
Re: check_client_access

  • mouss
    Message 1 of 17 , Feb 1 9:32 AM
      Rocco Scappatura wrote:
      >
      > Sorry,
      >
      >>>> How do I have to modify it so that I could block an email address
      >>>> either
      >>>> if it is the sender or one of the recipients, AND either if the message is
      >>>> incoming or outgoing?
      >>>>
      >>>> Maybe so (assuming that the action will never be "OK")...
      >>>>
      >>>> smtpd_client_restrictions =
      >>>> check_client_access
      >>>> proxy:mysql:/etc/postfix/mysql-check-client-filter-access.cf
      >>>>
      >>>> smtpd_helo_restrictions =
      >>>> smtpd_sender_restrictions =
      >>>> check_sender_access
      >>>> proxy:mysql:/etc/postfix/mysql-check-sender-access.cf
      >>>> check_recipient_access
      >>>> proxy:mysql:/etc/postfix/mysql-check-sender-access.cf
      >>>>
      >>>> smtpd_recipient_restrictions =
      >>>> check_recipient_access
      >>>> proxy:mysql:/etc/postfix/mysql-check-recipient-access.cf
      >>> this one is already in smtpd_sender_restrictions, so just remove it
      >>>
      >> I can't remove it

      sorry, I didn't notice that it was a different map.

      > because this lookup returns "reject_unverified_address"
      >> for the domains that I maintain but for which I have no list of valid
      >> recipients:
      >>
      >> query = select restriction from domain where domain='%s'
      >>
      >> maybe could I put both lookups in smtpd_sender_restrictions?
      >>

      yes.

      >> check_recipient_access
      >> proxy:mysql:/etc/postfix/mysql-check-sender-access.cf,
      >> proxy:mysql:/etc/postfix/mysql-check-sender-access.cf
      >
      > I'm saying:
      >
      > check_recipient_access
      > proxy:mysql:/etc/postfix/mysql-check-sender-access.cf,
      > proxy:mysql:/etc/postfix/mysql-check-recipient-access.cf
      >

      check_foo_access checks only one map. so you need to do it like this:

      check_recipient_access
      proxy:mysql:/etc/postfix/mysql-check-sender-access.cf
      check_recipient_access
      proxy:mysql:/etc/postfix/mysql-check-recipient-access.cf


      >> is it ok?
      >>
      >>>> check_client_access
      >>>> proxy:mysql:/etc/postfix/mysql-check-client-access.cf
      >>> what's this for? it's already in smtpd_client_restrictions, so you may
      >>> or may not need it here.
      >> It integrates mynetworks (i.e.: returns "OK" if an IP is enabled to relay
      >> through my SMTP gateway). I need it.
      >>

      that's ok.

      >>>> permit_mynetworks
      >>>> permit_sasl_authenticated
      >>>> check_policy_service inet:127.0.0.1:54000
      >>> what's this for? you probably want to put this after
      >>> reject_unauth_destination.
      >> postgrey
      >>

      then put it at the end. no point to greylist a relay attempt.

      >>> remember: reject_unauth_destination is what prevents open relay. so
      >>> avoid putting a lot of stuff before it, because you increase the risks.
      >>>
      >>> and reject_unauth_destination is a very safe and very cheap check, so it's
      >>> good to have it as soon as possible.
      >>>
      >>>> reject_unauth_destination
      >>>> .
      >>>> .
      >>>> .
      >>>>
      >>>> Or do you have another configuration to propose that is safer?
      >>>>
      >>> see above.
      >>>
      >>> as a general "rule of thumb", put anti-spam checks (I'm talking about
      >>> inbound spam. outbound spam is a different subject) after
      >>> reject_unauth_destination, and put "general restrictions" (that also
      >>> apply to your users) in one of smtpd_(client|helo|sender)_restrictions.
      >> thanks,
      >>
      >> rocsca
      >>
      >>
      >
      >
    • Rocco Scappatura
      Message 2 of 17 , Feb 1 3:25 PM
        Mouss,

        >>>>> How do I have to modify it so that I could block an email address
        >>>>> either
        >>>>> if it is the sender or one of the recipients, AND either if the message
        >>>>> is
        >>>>> incoming or outgoing?
        >>>>>
        >>>>> Maybe so (assuming that the action will never be "OK")...
        >>>>>
        >>>>> smtpd_client_restrictions =
        >>>>> check_client_access
        >>>>> proxy:mysql:/etc/postfix/mysql-check-client-filter-access.cf
        >>>>>
        >>>>> smtpd_helo_restrictions =
        >>>>> smtpd_sender_restrictions =
        >>>>> check_sender_access
        >>>>> proxy:mysql:/etc/postfix/mysql-check-sender-access.cf
        >>>>> check_recipient_access
        >>>>> proxy:mysql:/etc/postfix/mysql-check-sender-access.cf
        >>>>>
        >>>>> smtpd_recipient_restrictions =
        >>>>> check_recipient_access
        >>>>> proxy:mysql:/etc/postfix/mysql-check-recipient-access.cf
        >>>> this one is already in smtpd_sender_restrictions, so just remove it
        >>>>
        >>> I can't remove it
        >
        > sorry, I didn't notice that it was a different map.
        >
        >> because this lookup returns "reject_unverified_address"
        >>> for the domains that I maintain but for which I have no list of valid
        >>> recipients:
        >>>
        >>> query = select restriction from domain where domain='%s'
        >>>
        >>> maybe could I put both lookups in smtpd_sender_restrictions?
        >>>
        >
        > yes.
        >
        >>> check_recipient_access
        >>> proxy:mysql:/etc/postfix/mysql-check-sender-access.cf,
        >>> proxy:mysql:/etc/postfix/mysql-check-sender-access.cf
        >>
        >> I'm saying:
        >>
        >> check_recipient_access
        >> proxy:mysql:/etc/postfix/mysql-check-sender-access.cf,
        >> proxy:mysql:/etc/postfix/mysql-check-recipient-access.cf
        >>
        >
        > check_foo_access checks only one map. so you need to do it like this:
        >
        > check_recipient_access
        > proxy:mysql:/etc/postfix/mysql-check-sender-access.cf
        > check_recipient_access
        > proxy:mysql:/etc/postfix/mysql-check-recipient-access.cf
        >
        >
        >>> is it ok?
        >>>
        >>>>> check_client_access
        >>>>> proxy:mysql:/etc/postfix/mysql-check-client-access.cf
        >>>> what's this for? it's already in smtpd_client_restrictions, so you may
        >>>> or may not need it here.
        >>> It integrates mynetworks (i.e.: returns "OK" if an IP is enabled to relay
        >>> through my SMTP gateway). I need it.
        >>>
        >
        > that's ok.
        >
        >>>>> permit_mynetworks
        >>>>> permit_sasl_authenticated
        >>>>> check_policy_service inet:127.0.0.1:54000
        >>>> what's this for? you probably want to put this after
        >>>> reject_unauth_destination.
        >>> postgrey
        >>>
        >
        > then put it at the end. no point to greylist a relay attempt.
        >
        >>>> remember: reject_unauth_destination is what prevents open relay. so
        >>>> avoid putting a lot of stuff before it, because you increase the
        >>>> risks.
        >>>>
        >>>> and reject_unauth_destination is a very safe and very cheap check, so
        >>>> it's
        >>>> good to have it as soon as possible.
        >>>>
        >>>>> reject_unauth_destination
        >>>>> .
        >>>>> .
        >>>>> .
        >>>>>
        >>>>> Or do you have another configuration to propose that is safer?
        >>>>>
        >>>> see above.
        >>>>
        >>>> as a general "rule of thumb", put anti-spam checks (I'm talking about
        >>>> inbound spam. outbound spam is a different subject) after
        >>>> reject_unauth_destination, and put "general restrictions" (that also
        >>>> apply to your users) in one of
        >>>> smtpd_(client|helo|sender)_restrictions.

        All works fine.. Annie is OK! ;-)

        Thanks,

        rocsca
      • Tolga
        Message 3 of 17 , Jul 22, 2012
          Hi,

          I have put line in my main.cf

          check_client_access = cidr:/etc/postfix/sinokorea.cidr

          I then restarted postfix, but I can't see it in postconf -n. How come?

          For reference: my postconf -n output is:

          [root@vps ~]# postconf -n
          alias_database = hash:/etc/aliases
          alias_maps = hash:/etc/aliases
          append_dot_mydomain = no
          biff = no
          broken_sasl_auth_clients = yes
          config_directory = /etc/postfix
          html_directory = /usr/share/doc/postfix/html
          inet_interfaces = all
          mailbox_command = procmail -a "$EXTENSION"
          mailbox_size_limit = 0
          mydestination = localhost
          myhostname = mail.bilgisayarciniz.org
          mynetworks = 127.0.0.0/8 127.0.0.2/32 109.232.0.0/16
          myorigin = /etc/mailname
          readme_directory = /usr/share/doc/postfix
          recipient_delimiter = +
          relayhost =
          smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
          smtpd_recipient_restrictions = permit_sasl_authenticated,
          permit_mynetworks, reject_unauth_destination,
          reject_non_fqdn_hostname, reject_non_fqdn_sender,
          reject_non_fqdn_recipient, reject_unauth_pipelining,
          reject_invalid_hostname, reject_rbl_client sbl.spamhaus.org,
          reject_rbl_client xbl.spamhaus.org
          smtpd_sasl_auth_enable = yes
          smtpd_sasl_local_domain = $myhostname
          smtpd_sasl_path = private/auth
          smtpd_sasl_security_options = noanonymous
          smtpd_sasl_type = dovecot
          virtual_alias_maps = mysql:/etc/postfix/mysql_virtual_alias_maps.cf
          virtual_gid_maps = static:5000
          virtual_mailbox_base = /srv/vmail
          virtual_mailbox_domains = mysql:/etc/postfix/mysql_virtual_domains_maps.cf
          virtual_mailbox_maps = mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
          virtual_minimum_uid = 100
          virtual_transport = virtual
          virtual_uid_maps = static:5000

          Regards,
        • Wietse Venema
          Message 4 of 17 , Jul 22, 2012
            Tolga:
            > Hi,
            >
            > I have put line in my main.cf
            >
            > check_client_access = cidr:/etc/postfix/sinokorea.cidr

            In Postfix 2.9, this will result in a warning:

            postconf: warning: /etc/postfix/main.cf: unused parameter: check_client_access=cidr:/etc/postfix/sinokorea.cidr

            And indeed check_client_access is not a parameter name. Instead, it
            is used inside smtpd_recipient(etc) restrictions.

            Wietse
          • Tolga
            Message 5 of 17 , Jul 22, 2012
              On 07/22/2012 03:12 PM, Wietse Venema wrote:
              > Tolga:
              >> Hi,
              >>
              >> I have put line in my main.cf
              >>
              >> check_client_access = cidr:/etc/postfix/sinokorea.cidr
              > In Postfix 2.9, this will result in a warning:
              >
              > postconf: warning: /etc/postfix/main.cf: unused parameter: check_client_access=cidr:/etc/postfix/sinokorea.cidr
              >
              > And indeed check_client_access is not a parameter name. Instead, it
              > is used inside smtpd_recipient(etc) restrictions.
              >
              > Wietse
              Thanks Wietse :)
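
Added example, not part of any message in this thread: a small Python check for the three main.cf mistakes discussed above (a check_*_access name used as a parameter, per Wietse's reply; more than one map after a single check_*_access, and a policy service placed before reject_unauth_destination, per mouss's reply). The names `parse_main_cf` and `lint` and both sample configurations are constructed for illustration, and placing the CIDR map under smtpd_client_restrictions is an assumption.

```python
# check_*_access are restriction names used inside smtpd_*_restrictions, not parameters.
ACCESS_CHECKS = {f"check_{k}_access" for k in ("client", "helo", "sender", "recipient")}
RELAY_GUARD = "reject_unauth_destination"

def parse_main_cf(text):
    """Return {parameter: value}; indented lines continue the previous parameter."""
    params, name = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and name:
            params[name] += " " + raw.strip()
        elif "=" in raw:
            name, value = (s.strip() for s in raw.split("=", 1))
            params[name] = value
    return params

def lint(text):
    """Flag the three mistakes discussed in the thread."""
    findings = []
    for name, value in parse_main_cf(text).items():
        if name in ACCESS_CHECKS:
            findings.append(f"{name}: restriction name used as a parameter")
        tok = value.replace(",", " ").split() if name.endswith("_restrictions") else []
        for i, t in enumerate(tok):
            # One map per check_*_access: a second bare type:table is not its argument.
            if t in ACCESS_CHECKS and i + 2 < len(tok) and ":" in tok[i + 2]:
                findings.append(f"{name}: {t} followed by more than one map")
        relay = tok.index(RELAY_GUARD) if RELAY_GUARD in tok else 0
        if "check_policy_service" in tok[:relay]:
            findings.append(f"{name}: check_policy_service before {RELAY_GUARD}")
    return findings

# Constructed samples modelled on the configurations quoted in the thread.
BAD = """\
check_client_access = cidr:/etc/postfix/sinokorea.cidr
smtpd_sender_restrictions =
    check_recipient_access proxy:mysql:/etc/postfix/mysql-check-sender-access.cf,
        proxy:mysql:/etc/postfix/mysql-check-recipient-access.cf
smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated
    check_policy_service inet:127.0.0.1:54000 reject_unauth_destination
"""
GOOD = """\
smtpd_client_restrictions = check_client_access cidr:/etc/postfix/sinokorea.cidr
smtpd_sender_restrictions =
    check_recipient_access proxy:mysql:/etc/postfix/mysql-check-sender-access.cf
    check_recipient_access proxy:mysql:/etc/postfix/mysql-check-recipient-access.cf
smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated
    reject_unauth_destination check_policy_service inet:127.0.0.1:54000
"""
```

`lint(BAD)` returns one finding per mistake and `lint(GOOD)` returns an empty list; to check a live system, pass the contents of /etc/postfix/main.cf instead of the samples.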