
cbpolicyd on 465/submission ports with postfix 2.10+

  • Quanah Gibson-Mount
    Message 1 of 4 , May 8 12:49 PM
      I recently tweaked my settings for my postfix configuration so that I have
      the following defined for the 465 & submission port smtpds:

      -o smtpd_recipient_restrictions=
      -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
      -o smtpd_end_of_data_restrictions=

      However, this broke cbpolicyd checking on those ports. I believe the
      correct solution is to just set:

      -o smtpd_recipient_restrictions=
      -o smtpd_relay_restrictions=permit_sasl_authenticated,reject

      and allow the postconf setting for smtpd_end_of_data_restrictions to apply:

      $ postconf smtpd_end_of_data_restrictions
      smtpd_end_of_data_restrictions = check_policy_service inet:localhost:10031

      I.e., I believe I should leave smtpd_recipient_restrictions and
      smtpd_relay_restrictions unchanged for 465/submission. Does that seem
      correct?

      Thanks,
      Quanah

      --

      Quanah Gibson-Mount
      Sr. Member of Technical Staff
      Zimbra, Inc
      A Division of VMware, Inc.
      --------------------
      Zimbra :: the leader in open source messaging and collaboration
    • Wietse Venema
      Message 2 of 4 , May 8 2:29 PM
        Quanah Gibson-Mount:
        > I recently tweaked my settings for my postfix configuration so that I have
        > the following defined for the 465 & submission port smtpds:
        >
        > -o smtpd_recipient_restrictions=
        > -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
        > -o smtpd_end_of_data_restrictions=
        >
        > However, this broke cbpolicyd checking on those ports.

        This overrides main.cf:smtpd_end_of_data_restrictions.

        > I believe the correct solution is to just set:
        >
        > -o smtpd_recipient_restrictions=
        > -o smtpd_relay_restrictions=permit_sasl_authenticated,reject

        This does not override main.cf:smtpd_end_of_data_restrictions.

        I suppose that's what makes the difference.

        Wietse
      • Noel Jones
        Message 3 of 4 , May 8 2:31 PM
          On 5/8/2013 2:49 PM, Quanah Gibson-Mount wrote:
          > I recently tweaked my settings for my postfix configuration so that
          > I have the following defined for the 465 & submission port smtpds:
          >
          > -o smtpd_recipient_restrictions=
          > -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
          > -o smtpd_end_of_data_restrictions=
          >
          > However, this broke cbpolicyd checking on those ports. I believe
          > the correct solution is to just set:
          >
          > -o smtpd_recipient_restrictions=
          > -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
          >
          > and allow the postconf setting for smtpd_end_of_data_restrictions to
          > apply:
          >
          > $ postconf smtpd_end_of_data_restrictions
          > smtpd_end_of_data_restrictions = check_policy_service
          > inet:localhost:10031
          >
          > I.e., I believe I should leave smtpd_recipient_restrictions and
          > smtpd_relay_restrictions unchanged for 465/submission. Does that
          > seem correct?
          >

          Probably the best solution is to explicitly set all the
          smtpd_*_restrictions options for submission/smtps in master.cf, so
          that changes in main.cf don't cause surprises with user submissions.


          # main.cf
          submission_end_of_data = check_policy_service inet:localhost:10031

          # master.cf
          submission ... smtpd
            -o smtpd_client_restrictions=
            -o smtpd_helo_restrictions=
            -o smtpd_sender_restrictions=
            -o smtpd_recipient_restrictions=
            -o smtpd_data_restrictions=
            -o smtpd_end_of_data_restrictions=$submission_end_of_data
            -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
            -o syslog_name=postfix/submission
            -o milter_macro_daemon_name=ORIGINATING

          smtps ... smtpd
            (copy of the above settings)
            -o syslog_name=postfix/smtps
            -o smtpd_tls_wrappermode=yes



          -- Noel Jones
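An added example, not part of any poster's message: a small audit that computes the effective smtpd_end_of_data_restrictions per master.cf service and lists the services where an empty `-o` override has silently dropped the policy check, as happened in this thread. The sample files and function names are constructed for illustration; the parser assumes only smtpd services and the plain `-o name=value` form without whitespace in values.

```python
import re

# Constructed sample files modelled on the settings quoted in this thread.
MAIN_CF = """\
smtpd_end_of_data_restrictions = check_policy_service inet:localhost:10031
submission_end_of_data = check_policy_service inet:localhost:10031
"""
MASTER_CF = """\
smtp       inet n - n - - smtpd
submission inet n - n - - smtpd
  -o smtpd_recipient_restrictions=
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o smtpd_end_of_data_restrictions=
smtps      inet n - n - - smtpd
  -o smtpd_end_of_data_restrictions=$submission_end_of_data
"""

def logical_lines(text):
    """Drop blank/comment lines, then join continuation lines (leading whitespace)."""
    kept = [l for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#")]
    return re.sub(r"\n\s+", " ", "\n".join(kept)).splitlines()

def parse_main(text):
    """main.cf as a dict of name -> value."""
    pairs = (l.partition("=") for l in logical_lines(text))
    return {name.strip(): value.strip() for name, _, value in pairs}

def parse_master(text):
    """Map 'service/type' to the -o overrides given on its master.cf entry."""
    return {"/".join(l.split()[:2]): dict(re.findall(r"\s-o\s+(\w+)=(\S*)", l))
            for l in logical_lines(text)}

def expand(value, params):
    """Resolve $name / ${name} from main.cf; unknown names expand to empty."""
    for _ in range(10):  # bounded, so a self-referencing parameter cannot loop
        value = re.sub(r"\$\{?(\w+)\}?", lambda m: params.get(m.group(1), ""), value)
    return value

def effective(main_text, master_text, param="smtpd_end_of_data_restrictions"):
    """Per service: the -o override if present (even if empty), else main.cf."""
    params = parse_main(main_text)
    return {svc: expand(o.get(param, params.get(param, "")), params)
            for svc, o in parse_master(master_text).items()}

def missing_policy(main_text, master_text):
    """Services whose end-of-data stage never consults a policy service."""
    found = effective(main_text, master_text)
    return sorted(s for s, v in found.items() if "check_policy_service" not in v)

if __name__ == "__main__":
    print("no policy check:", missing_policy(MAIN_CF, MASTER_CF))
```
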
        • Quanah Gibson-Mount
          Message 4 of 4 , May 8 2:36 PM
            --On Wednesday, May 08, 2013 5:29 PM -0400 Wietse Venema
            <wietse@...> wrote:

            >> I believe the correct solution is to just set:
            >>
            >> -o smtpd_recipient_restrictions=
            >> -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
            >
            > This does not override main.cf:smtpd_end_of_data_restrictions.
            >
            > I suppose that's what makes the difference.


            Thanks! It didn't seem necessary to me to also have cbpolicyd check in
            smtpd_recipient_restrictions on those ports (as is done with port 25).

            --Quanah

            --

            Quanah Gibson-Mount
            Sr. Member of Technical Staff
            Zimbra, Inc
            A Division of VMware, Inc.
            --------------------
            Zimbra :: the leader in open source messaging and collaboration