
Re: check_client_access

  • Rocco Scappatura
    Message 1 of 17 , Feb 1, 2009
      Mouss,

      >>>>> How do I have to modify it so that I could block an email address either
      >>>>> if it is the sender or one of the recipients, AND either if the message is
      >>>>> incoming or outgoing?
      >>>>>
      >>>>> Maybe so (assuming that the action will never be "OK")...
      >>>>>
      >>>>> smtpd_client_restrictions =
      >>>>> check_client_access
      >>>>> proxy:mysql:/etc/postfix/mysql-check-client-filter-access.cf
      >>>>>
      >>>>> smtpd_helo_restrictions =
      >>>>> smtpd_sender_restrictions =
      >>>>> check_sender_access
      >>>>> proxy:mysql:/etc/postfix/mysql-check-sender-access.cf
      >>>>> check_recipient_access
      >>>>> proxy:mysql:/etc/postfix/mysql-check-sender-access.cf
      >>>>>
      >>>>> smtpd_recipient_restrictions =
      >>>>> check_recipient_access
      >>>>> proxy:mysql:/etc/postfix/mysql-check-recipient-access.cf
      >>>> this one is already in smtpd_sender_restrictions, so just remove it
      >>>>
      >>> I can't remove it
      >
      > sorry, I didn't notice that it was a different map.
      >
      >> because this lookup returns "reject_unverified_address"
      >>> for the domains that I maintain but for which I have no list of valid
      >>> recipient:
      >>>
      >>> query = select restriction from domain where domain='%s'
      >>>
      >>> maybe could I put both lookups in smtpd_sender_restrictions?
      >>>
      >
      > yes.
      >
      >>> check_recipient_access
      >>> proxy:mysql:/etc/postfix/mysql-check-sender-access.cf,
      >>> proxy:mysql:/etc/postfix/mysql-check-sender-access.cf
      >>
      >> I'm saying:
      >>
      >> check_recipient_access
      >> proxy:mysql:/etc/postfix/mysql-check-sender-access.cf,
      >> proxy:mysql:/etc/postfix/mysql-check-recipient-access.cf
      >>
      >
      > check_foo_access checks only one map. so you need to do it like this:
      >
      > check_recipient_access
      > proxy:mysql:/etc/postfix/mysql-check-sender-access.cf
      > check_recipient_access
      > proxy:mysql:/etc/postfix/mysql-check-recipient-access.cf
      >
      >
      >>> is it ok?
      >>>
      >>>>> check_client_access
      >>>>> proxy:mysql:/etc/postfix/mysql-check-client-access.cf
      >>>> what's this for? it's already in smtpd_client_restrictions, so you may
      >>>> or may not need it here.
      >>> It integrates mynetworks (i.e.: returns "OK" if an IP is enabled to relay
      >>> through my SMTP gateway). I need it.
      >>>
      >
      > that's ok.
      >
      >>>>> permit_mynetworks
      >>>>> permit_sasl_authenticated
      >>>>> check_policy_service inet:127.0.0.1:54000
      >>>> what's this for? you probably want to put this after
      >>>> reject_unauth_destination.
      >>> postgrey
      >>>
      >
      > then put it at the end. no point to greylist a relay attempt.
      >
      >>>> remember: reject_unauth_destination is what prevents open relay. so
      >>>> avoid putting a lot of stuff before it, because you increase the
      >>>> risks.
      >>>>
      >>>> and reject_unauth_destination is a very safe and very cheap check, so it's
      >>>> good to have it as soon as possible.
      >>>>
      >>>>> reject_unauth_destination
      >>>>> .
      >>>>> .
      >>>>> .
      >>>>>
      >>>>> Or do you have another configuration to propose that is safer?
      >>>>>
      >>>> see above.
      >>>>
      >>>> as a general "rule of thumb", put anti-spam checks (I'm talking about
      >>>> inbound spam. outbound spam is a different subject) after
      >>>> reject_unauth_destination, and put "general restrictions" (that also
      >>>> apply to your users) in one of
      >>>> smtpd_(client|helo|sender)_restrictions.

      All works fine.. Annie is OK! ;-)

      Thanks,

      rocsca
    • Tolga
      Message 2 of 17 , Jul 22, 2012
        Hi,

        I have put this line in my main.cf

        check_client_access = cidr:/etc/postfix/sinokorea.cidr

        I then restarted postfix, but I can't see it in postconf -n. How come?

        For reference: my postconf -n output is:

        [root@vps ~]# postconf -n
        alias_database = hash:/etc/aliases
        alias_maps = hash:/etc/aliases
        append_dot_mydomain = no
        biff = no
        broken_sasl_auth_clients = yes
        config_directory = /etc/postfix
        html_directory = /usr/share/doc/postfix/html
        inet_interfaces = all
        mailbox_command = procmail -a "$EXTENSION"
        mailbox_size_limit = 0
        mydestination = localhost
        myhostname = mail.bilgisayarciniz.org
        mynetworks = 127.0.0.0/8 127.0.0.2/32 109.232.0.0/16
        myorigin = /etc/mailname
        readme_directory = /usr/share/doc/postfix
        recipient_delimiter = +
        relayhost =
        smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
        smtpd_recipient_restrictions = permit_sasl_authenticated,
        permit_mynetworks, reject_unauth_destination,
        reject_non_fqdn_hostname, reject_non_fqdn_sender,
        reject_non_fqdn_recipient, reject_unauth_pipelining,
        reject_invalid_hostname, reject_rbl_client sbl.spamhaus.org,
        reject_rbl_client xbl.spamhaus.org
        smtpd_sasl_auth_enable = yes
        smtpd_sasl_local_domain = $myhostname
        smtpd_sasl_path = private/auth
        smtpd_sasl_security_options = noanonymous
        smtpd_sasl_type = dovecot
        virtual_alias_maps = mysql:/etc/postfix/mysql_virtual_alias_maps.cf
        virtual_gid_maps = static:5000
        virtual_mailbox_base = /srv/vmail
        virtual_mailbox_domains = mysql:/etc/postfix/mysql_virtual_domains_maps.cf
        virtual_mailbox_maps = mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
        virtual_minimum_uid = 100
        virtual_transport = virtual
        virtual_uid_maps = static:5000

        Regards,
      • Wietse Venema
        Message 3 of 17 , Jul 22, 2012
          Tolga:
          > Hi,
          >
          > I have put this line in my main.cf
          >
          > check_client_access = cidr:/etc/postfix/sinokorea.cidr

          In Postfix 2.9, this will result in a warning:

          postconf: warning: /etc/postfix/main.cf: unused parameter: check_client_access=cidr:/etc/postfix/sinokorea.cidr

          And indeed check_client_access is not a parameter name. Instead, it
          is used inside smtpd_recipient(etc) restrictions.

          Wietse
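
A small linter for the three mistakes discussed in this thread (a restriction name used as a main.cf parameter, two maps handed to one check_*_access, and an anti-spam check placed before reject_unauth_destination), as an added example that is not part of the original posts or of Postfix. The function names and the sample fragment are constructed; treating check_policy_service and reject_rbl_client as the anti-spam checks is an assumption.

```python
import re

# Restriction names belong inside smtpd_*_restrictions, never left of "=" in main.cf.
RESTRICTION = re.compile(r"^(check_\w+_access|check_policy_service|reject_unauth_destination"
                         r"|reject_rbl_client|permit_mynetworks|permit_sasl_authenticated)$")
ACCESS_CHECK = re.compile(r"^check_\w+_access$")
# Assumption: these two stand in for the "anti-spam checks" the thread wants placed late.
ANTISPAM = {"check_policy_service", "reject_rbl_client"}

def parse_main_cf(text):
    """Return {name: value}; a line starting with whitespace continues the previous one."""
    params, name = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and name:
            params[name] += " " + raw.strip()
        elif "=" in raw:
            name, value = (part.strip() for part in raw.split("=", 1))
            params[name] = value
    return params

def lint(text):
    findings = []
    for name, value in parse_main_cf(text).items():
        if RESTRICTION.match(name):
            findings.append(f"{name}: restriction used as a parameter name")
        if not re.match(r"^smtpd_\w+_restrictions$", name):
            continue
        tokens = [t for t in re.split(r"[,\s]+", value) if t]
        guard = (tokens.index("reject_unauth_destination")
                 if "reject_unauth_destination" in tokens else len(tokens))
        for i, tok in enumerate(tokens):
            if name == "smtpd_recipient_restrictions" and tok in ANTISPAM and i < guard:
                findings.append(f"{name}: {tok} before reject_unauth_destination")
            # A check_*_access takes one map; a second "type:name" right after it is stray.
            if ACCESS_CHECK.match(tok) and i + 2 < len(tokens) and ":" in tokens[i + 2]:
                findings.append(f"{name}: {tok} given more than one map")
    return findings

# Constructed main.cf fragment reproducing those mistakes (paths as quoted in the thread).
SAMPLE = """\
check_client_access = cidr:/etc/postfix/sinokorea.cidr
smtpd_sender_restrictions =
    check_recipient_access proxy:mysql:/etc/postfix/mysql-check-sender-access.cf,
        proxy:mysql:/etc/postfix/mysql-check-recipient-access.cf
smtpd_recipient_restrictions = permit_mynetworks,
    check_policy_service inet:127.0.0.1:54000, reject_unauth_destination
"""
if __name__ == "__main__":
    print("\n".join(lint(SAMPLE)))
```
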
        • Tolga
          Message 4 of 17 , Jul 22, 2012
            On 07/22/2012 03:12 PM, Wietse Venema wrote:
            > Tolga:
            >> Hi,
            >>
            >> I have put this line in my main.cf
            >>
            >> check_client_access = cidr:/etc/postfix/sinokorea.cidr
            > In Postfix 2.9, this will result in a warning:
            >
            > postconf: warning: /etc/postfix/main.cf: unused parameter: check_client_access=cidr:/etc/postfix/sinokorea.cidr
            >
            > And indeed check_client_access is not a parameter name. Instead, it
            > is used inside smtpd_recipient(etc) restrictions.
            >
            > Wietse
            Thanks Wietse :)