
Submission on 587 and check_policy_service

  • Titanus Eramius
    Message 1 of 5 , Mar 21, 2013
      I have set Postfix only to allow relaying through submission on port
      587, and as extra safety, I have installed the PolicyD* service to run
      some rate limiting, and am trying to configure it with Postfix.

      Since the PolicyD service only needs to check mail that gets relayed, I
      am trying to call it from the submission block in master.cf like so:

      submission inet n - - - - smtpd
      ...
      -o ... ,check_policy_service inet:127.0.0.1:10031,reject

      But it does not work. The log gives this:

      "Mar 21 14:16:52 aptget postfix/smtpd[13513]: fatal: parameter
      "smtpd_recipient_restrictions": specify at least one working instance
      of: check_relay_domains, reject_unauth_destination, reject, defer or
      defer_if_permit"

      Is it possible to set this policy service up, so it only gets called
      when mail goes through submission on 587?

      Any pointers will be greatly appreciated


      * http://www.policyd.org

      Postfix version 2.9.3 from Debian backports

      postconf -n
      alias_maps = hash:/etc/aliases

      bounce_template_file = /etc/postfix/bounce.cf

      broken_sasl_auth_clients = yes

      config_directory = /etc/postfix

      delay_warning_time = 4

      disable_vrfy_command = yes

      dovecot_destination_recipient_limit = 1

      inet_interfaces = all

      mailman_destination_recipient_limit = 1

      maximal_queue_lifetime = 15

      message_size_limit = 26214400

      myhostname = aptget.aptget.dk

      mynetworks = 127.0.0.0/8

      postscreen_dnsbl_action = enforce

      postscreen_dnsbl_sites = truncate.gbudb.net*2 b.barracudacentral.org*1
      zen.spamhaus.org*1 bl.spamcop.net*1

      postscreen_dnsbl_threshold = 2

      postscreen_greet_action = enforce

      recipient_canonical_classes = envelope_recipient

      recipient_canonical_maps = hash:/etc/postfix/pfix-no-srs.cf,
      tcp:127.0.0.1:10002

      sender_canonical_classes = envelope_sender

      sender_canonical_maps = hash:/etc/postfix/pfix-no-srs.cf,
      tcp:127.0.0.1:10001

      smtp_tls_security_level = may

      smtp_tls_session_cache_database =
      btree:$data_directory/smtp_tls_session_cache

      smtpd_data_restrictions = reject_unauth_pipelining,
      reject_multi_recipient_bounce, permit

      smtpd_helo_required = yes

      smtpd_recipient_restrictions = reject_non_fqdn_sender,
      reject_non_fqdn_recipient, reject_unknown_sender_domain,
      reject_unknown_recipient_domain, reject_unauth_destination, permit

      smtpd_sasl_auth_enable = yes

      smtpd_sasl_exceptions_networks = $mynetworks

      smtpd_sasl_path = private/auth

      smtpd_sasl_security_options = noanonymous

      smtpd_sasl_type = dovecot

      smtpd_tls_ask_ccert = yes

      smtpd_tls_cert_file = /etc/ssl/self-signed/smtpd.crt

      smtpd_tls_key_file = /etc/ssl/self-signed/smtpd.key

      smtpd_tls_loglevel = 1

      smtpd_tls_received_header = yes

      smtpd_tls_security_level = may

      smtpd_tls_session_cache_database =
      btree:$data_directory/smtpd_tls_session_cache

      spamassassin_destination_recipient_limit = 1

      tls_random_source = dev:/dev/urandom

      transport_maps = hash:/etc/postfix/transport.cf

      virtual_alias_maps =
      proxy:mysql:/etc/postfix/mysql_virtual_alias_maps.cf

      virtual_gid_maps = static:5000

      virtual_mailbox_base = /home/vmail

      virtual_mailbox_domains =
      proxy:mysql:/etc/postfix/mysql_virtual_domains_maps.cf

      virtual_mailbox_maps =
      proxy:mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf

      virtual_transport = dovecot

      virtual_uid_maps = static:5000
    • Brian Evans
      Message 2 of 5 , Mar 21, 2013
        On 3/21/2013 9:49 AM, Titanus Eramius wrote:
        > I have set Postfix only to allow relaying through submission on port
        > 587, and as extra safety, I have installed the PolicyD* service to run
        > some rate limiting, and is trying to configure it with Postfix.
        >
        > Since the PolicyD service only needs to check mail that gets relayed, I
        > am trying to call it from the submission block in master.cf like so:
        >
        > submission inet n - - - - smtpd
        > ...
        > -o ... ,check_policy_service inet:127.0.0.1:10031,reject

        Change this to "-o ... ,check_policy_service,inet:127.0.0.1:10031,reject"

        You cannot use spaces with in-line options in master.cf

        Brian

        >
        > But it does not work. The log gives this:
        >
        > "Mar 21 14:16:52 aptget postfix/smtpd[13513]: fatal: parameter
        > "smtpd_recipient_restrictions": specify at least one working instance
        > of: check_relay_domains, reject_unauth_destination, reject, defer or
        > defer_if_permit"
        >
        > Is it possible to set this policy service up, so it only gets called
        > when mail goes through submission on 587?
        >
        > Any pointers will be greatly appreciated
        >
      • Titanus Eramius
        Message 3 of 5 , Mar 21, 2013
          On Thu, 21 Mar 2013 12:25:24 -0400, Brian Evans
          <grknight@...> wrote:

          > > submission inet n - - - - smtpd
          > > ...
          > > -o ... ,check_policy_service inet:127.0.0.1:10031,reject
          >
          > Change this to
          > "-o ... ,check_policy_service,inet:127.0.0.1:10031,reject"
          >
          > You cannot use spaces with in-line options in master.cf
          >
          > Brian

          Thank you for help, it was spot on.

          Cheers, Titanus
        • Wietse Venema
          Message 4 of 5 , Mar 21, 2013
            Titanus Eramius:
            > I have set Postfix only to allow relaying through submission on port
            > 587, and as extra safety, I have installed the PolicyD* service to run
            > some rate limiting, and is trying to configure it with Postfix.
            >
            > Since the PolicyD service only needs to check mail that gets relayed, I
            > am trying to call it from the submission block in master.cf like so:
            >
            > submission inet n - - - - smtpd
            > ...
            > -o ... ,check_policy_service inet:127.0.0.1:10031,reject
            >
            > But it does not work. The log gives this:

            In recent Postfix versions the master(5) manpage says:

            -o name=value
            Override the named main.cf configuration parameter. The
            parameter value can refer to other parameters as $name
            etc., just like in main.cf. See postconf(5) for syntax.

            NOTE 1: do not specify whitespace around the "=" or in
            parameter values. To specify a parameter value that
            contains whitespace, use commas instead of spaces, or
            specify the value in main.cf. Example:

            /etc/postfix/master.cf:
            submission inet .... smtpd
            -o smtpd_mumble=$submission_mumble

            /etc/postfix/main.cf
            submission_mumble = text with whitespace...

            Instead of "mumble" use "recipient_restrictions" etc.

            This recommendation was added 1-2 years ago.

            Wietse
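
An added example, not part of the thread or of Postfix itself: a small Python check that splits master.cf entries on whitespace and flags `-o` overrides whose value was cut at a space, which is what left the submission entry's `smtpd_recipient_restrictions` without its final `reject`. The sample file is constructed, `ELIDED` stands in for the restrictions the post omits, and treating any bare word after an override as a split value is a heuristic assumption.

```python
# Constructed sample modelled on the failing entry in the thread. ELIDED is a
# placeholder for the part of the restriction list the post does not show.
SAMPLE_MASTER_CF = """\
smtp      inet  n  -  -  -  -  smtpd
submission inet n - - - - smtpd
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_recipient_restrictions=ELIDED,check_policy_service inet:127.0.0.1:10031,reject
"""

def logical_lines(text):
    """Join master.cf continuation lines (lines that start with whitespace)."""
    entries = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # skip blank lines and comments
        if raw[0].isspace() and entries:
            entries[-1] += " " + raw.strip()
        else:
            entries.append(raw.strip())
    return entries

def lint_master_cf(text):
    """Return (service, problem) tuples for -o overrides broken by whitespace."""
    findings = []
    for entry in logical_lines(text):
        fields = entry.split()
        if len(fields) < 8:
            continue  # not a complete service entry
        service, args = fields[0], fields[8:]  # args follow the command name
        i = 0
        while i < len(args):
            if args[i] == "-o" and i + 1 < len(args):
                override = args[i + 1]
                name, eq, value = override.partition("=")
                if not eq or not name or not value:
                    findings.append((service, f"whitespace around '=' near {override!r}"))
                # Heuristic (assumption): a bare word directly after an override
                # is the tail of a value that was split at a space.
                j = i + 2
                while j < len(args) and not args[j].startswith("-"):
                    findings.append((service, f"{name} value split at space before {args[j]!r}"))
                    j += 1
                i = j
            else:
                i += 1
    return findings

if __name__ == "__main__":
    for service, problem in lint_master_cf(SAMPLE_MASTER_CF):
        print(f"{service}: {problem}")
```
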
          • Benny Pedersen
            Message 5 of 5 , Mar 24, 2013
              Titanus Eramius wrote on 2013-03-21 14:49:
              > I have set Postfix only to allow relaying through submission on port
              > 587, and as extra safety, I have installed the PolicyD* service to run
              > some rate limiting, and is trying to configure it with Postfix.

              i still have to see why sending one msg per day is a strong policy

              well postfix supports syslog (TM) :)

              and most syslogd nowadays support sql, got it ?

              all that is left now is a postfix sql query based on sender restriction

              who will begin a guide wiki on this ?, i will be one that follow and
              commit to it if more can follow me :)