Loading ...
Sorry, an error occurred while loading the content.

Virtual Aliases + check_policy_service

Expand Messages
  • Cassidy Larson
    I m trying to get check_policy_service working right by returning an error on a full mailbox to avoid back scatter. The check_policy_service works fine,
    Message 1 of 4 , Jul 13, 2013
    • 0 Attachment
      I'm trying to get check_policy_service working right by returning an error on a full mailbox to avoid back scatter.  The check_policy_service works fine, except when it comes to virtual alias mappings. When running the check_policy_service on the virtual alias user my smtpd_recipient_restrictions throws back a:

      554 5.7.1 <alias@...>: Recipient address rejected: Unknown user

      smtpd_recipient_restrictions =
        reject_non_fqdn_recipient,
        reject_unlisted_recipient,
        reject_unauth_destination,
        check_policy_service inet:10.10.10.10:12340,
        permit_auth_destination,
        reject

      Is there any way of permitting virtual users before the check_policy_user on the smtpd_recipient_restrictions?  Or is there another place I should be doing the check_policy_service Quota check?

      The goal is to reject over-quota mailboxes before the message is accepted, but currently it's rejecting valid Virtual Alias addresses.

      Any solutions or pointers?

      Thanks,

      -c
    • Wietse Venema
      ... Unknown user is not a Postfix response. You must be getting that text from the policy service. Wietse
      Message 2 of 4 , Jul 13, 2013
      • 0 Attachment
        Cassidy Larson:
        > I'm trying to get check_policy_service working right by returning an error
        > on a full mailbox to avoid back scatter. The check_policy_service works
        > fine, except when it comes to virtual alias mappings. When running the
        > check_policy_service on the virtual alias user my
        > smtpd_recipient_restrictions throws back a:
        >
        > 554 5.7.1 <alias@...>: Recipient address rejected: Unknown user

        "Unknown user" is not a Postfix response. You must be getting
        that text from the policy service.

        Wietse

        > smtpd_recipient_restrictions =
        > reject_non_fqdn_recipient,
        > reject_unlisted_recipient,
        > reject_unauth_destination,
        > check_policy_service inet:10.10.10.10:12340,
        > permit_auth_destination,
        > reject
        >
        > Is there any way of permitting virtual users before the check_policy_user
        > on the smtpd_recipient_restrictions? Or is there another place I should be
        > doing the check_policy_service Quota check?
        >
        > The goal is to reject over-quota mailboxes before the message is accepted,
        > but currently it's rejecting valid Virtual Alias addresses.
        >
        > Any solutions or pointers?
        >
        > Thanks,
        >
        > -c
      • Cassidy Larson
        Figured it out. Returning a DUNNO from the policy service for valid under-quota and unknown users causes postfix to proceed to the checking of aliases/users.
        Message 3 of 4 , Jul 13, 2013
        • 0 Attachment
          Figured it out. Returning a "DUNNO" from the policy service for valid under-quota and unknown users causes postfix to proceed to the checking of aliases/users.  This allows the mailbox over-quota rejection to work successfully for valid users, and allows virtual aliases to be accepted while denying messages to over-quota users.   Although aliases that deliver to an over-quota user are also accepted, but that's another investigative trip to the manual. Thanks.


          On Sat, Jul 13, 2013 at 6:09 PM, Wietse Venema <wietse@...> wrote:
          Cassidy Larson:
          > I'm trying to get check_policy_service working right by returning an error
          > on a full mailbox to avoid back scatter.  The check_policy_service works
          > fine, except when it comes to virtual alias mappings. When running the
          > check_policy_service on the virtual alias user my
          > smtpd_recipient_restrictions throws back a:
          >
          > 554 5.7.1 <alias@...>: Recipient address rejected: Unknown user

          "Unknown user" is not a Postfix response. You must be getting
          that text from the policy service.

                  Wietse

          > smtpd_recipient_restrictions =
          >   reject_non_fqdn_recipient,
          >   reject_unlisted_recipient,
          >   reject_unauth_destination,
          >   check_policy_service inet:10.10.10.10:12340,
          >   permit_auth_destination,
          >   reject
          >
          > Is there any way of permitting virtual users before the check_policy_user
          > on the smtpd_recipient_restrictions?  Or is there another place I should be
          > doing the check_policy_service Quota check?
          >
          > The goal is to reject over-quota mailboxes before the message is accepted,
          > but currently it's rejecting valid Virtual Alias addresses.
          >
          > Any solutions or pointers?
          >
          > Thanks,
          >
          > -c

        • Wietse Venema
          ... You may be able to reject over-quota aliased recipients by using reject_unverified_recipient . This requires that the message store rejects mail for
          Message 4 of 4 , Jul 13, 2013
          • 0 Attachment
            Cassidy Larson:
            > Figured it out. Returning a "DUNNO" from the policy service for valid
            > under-quota and unknown users causes postfix to proceed to the checking of
            > aliases/users. This allows the mailbox over-quota rejection to work
            > successfully for valid users, and allows virtual aliases to be accepted
            > while denying messages to over-quota users. Although aliases that deliver
            > to an over-quota user are also accepted, but that's another investigative
            > trip to the manual. Thanks.

            You may be able to reject over-quota aliased recipients by using
            "reject_unverified_recipient". This requires that the message store
            rejects mail for over-quota recipients without accepting the message.

            reject_unverified_recipient uses a cache, so it is not significantly
            more expensive than asking a policy daemon.

            See also: http://www.postfix.org/ADDRESS_VERIFICATION_README.html#recipient

            Wietse
          Your message has been successfully submitted and would be delivered to recipients shortly.