
Best practice for implementing a policy service on submission port

  • Quanah Gibson-Mount
    Message 1 of 4 , Sep 4, 2013
      Previous to Postfix 2.10 and the split between smtpd_relay_restrictions and
      smtpd_recipient_restrictions, our policy service check was in
      smtpd_recipient_restrictions, and applied to both incoming and outgoing
      mail. With 2.10, in my efforts to do things correctly, I have left the
      policy service on port 25 with smtpd_recipient_restrictions, but for the
      submission port I have:

      -o smtpd_recipient_restrictions=

      to strip it out. However, one of the things the policy service
      (cluebringer/cbpolicyd) offers is rate limiting, which some clients want to
      implement on their outgoing email.

      Now, I could modify master.cf so it has:

      -o smtpd_recipient_restrictions=<policy service bits>

      but I was wondering if, for the submission port, there was a different
      recommended method.

      Thanks,
      Quanah

      --

      Quanah Gibson-Mount
      Lead Engineer
      Zimbra, Inc
      --------------------
      Zimbra :: the leader in open source messaging and collaboration
    • Viktor Dukhovni
      Message 2 of 4 , Sep 4, 2013
        On Wed, Sep 04, 2013 at 01:06:52PM -0700, Quanah Gibson-Mount wrote:

        > Previous to Postfix 2.10 and the split between
        > smtpd_relay_restrictions and smtpd_recipient_restrictions, our
        > policy service check was in smtpd_recipient_restrictions, and
        > applied to both incoming and outgoing mail. With 2.10, in my
        > efforts to do things correctly, I have left the policy service on
        > port 25 with smtpd_recipient_restrictions, but for the submission
        > port I have:
        >
        > -o smtpd_recipient_restrictions=
        >
        > to strip it out. However, one of the things the policy service
        > (cluebringer/cbpolicyd) offers is rate limiting, which some clients
        > want to implement on their outgoing email.
        >
        > Now, I could modify master.cf so it has:
        >
        > -o smtpd_recipient_restrictions=<policy service bits>
        >
        > but I was wondering if, for the submission port, there was a
        > different recommended method.

        To avoid being in a state of sin, you should only put relay control
        in smtpd_relay_restrictions. All other controls go elsewhere. Given
        the default setting of smtpd_delay_reject, you have many choices.

        smtpd_client_restrictions
        smtpd_helo_restrictions
        smtpd_sender_restrictions
        smtpd_recipient_restrictions

        Avoid putting explicit definitions of these in master.cf, instead:

        -o smtpd_client_restrictions=$submission_client_restrictions
        -o smtpd_helo_restrictions=$submission_helo_restrictions
        -o smtpd_sender_restrictions=$submission_sender_restrictions
        -o smtpd_relay_restrictions=$submission_relay_restrictions
        -o smtpd_recipient_restrictions=$submission_recipient_restrictions

        and define these in main.cf. Place non-relay controls in any of the four
        classes that make most sense to you.

        --
        Viktor.
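An added example, not part of Viktor's message or of Postfix itself: a small lint that checks a master.cf service against the advice above, flagging restriction overrides written inline instead of as a `$name` reference, references that main.cf never defines, and a policy service placed in the relay stage. The sample main.cf and master.cf text, the policy service address and the helper names are constructed for illustration; main.cf continuation lines are not handled.

```python
import re

RESTRICTION_STAGES = {
    "smtpd_client_restrictions", "smtpd_helo_restrictions",
    "smtpd_sender_restrictions", "smtpd_relay_restrictions",
    "smtpd_recipient_restrictions",
}
# Constructed sample input (not taken from the thread).
MAIN_CF = """\
submission_client_restrictions =
submission_sender_restrictions = check_policy_service inet:127.0.0.1:10031
submission_relay_restrictions = permit_sasl_authenticated, reject
"""
MASTER_CF = """\
submission inet n - n - - smtpd
  -o smtpd_client_restrictions=$submission_client_restrictions
  -o smtpd_sender_restrictions=$submission_sender_restrictions
  -o smtpd_relay_restrictions=$submission_relay_restrictions
  -o smtpd_recipient_restrictions=$submission_recipient_restrictions
  -o smtpd_helo_restrictions=permit_mynetworks,reject_invalid_helo_hostname
"""

def main_cf_params(text):
    """Map parameter name -> value for 'name = value' lines in main.cf."""
    params = {}
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z0-9_]+)\s*=\s*(.*)$", line)
        if m:
            params[m.group(1)] = m.group(2).strip()
    return params

def lint(master_cf, main_cf):
    """Return (stage, problem) findings for restriction overrides in master.cf."""
    params, findings = main_cf_params(main_cf), []
    for stage, value in re.findall(r"-o\s+(\w+)=(\S*)", master_cf):
        if stage not in RESTRICTION_STAGES:
            continue
        ref = re.fullmatch(r"\$\{?(\w+)\}?", value)
        if not ref:  # anything other than a single $name reference
            findings.append((stage, "explicit list in master.cf"))
            continue
        name = ref.group(1)
        if name not in params:
            findings.append((stage, "$%s not defined in main.cf" % name))
        elif stage == "smtpd_relay_restrictions" and "check_policy_service" in params[name]:
            findings.append((stage, "policy service in relay restrictions"))
    return findings

if __name__ == "__main__":
    print(lint(MASTER_CF, MAIN_CF))
```

On the constructed sample it reports the undefined `$submission_recipient_restrictions` and the inline `smtpd_helo_restrictions` list.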
      • /dev/rob0
        Message 3 of 4 , Sep 4, 2013
          On Wed, Sep 04, 2013 at 01:06:52PM -0700, Quanah Gibson-Mount wrote:
          > Previous to Postfix 2.10 and the split between
          > smtpd_relay_restrictions and smtpd_recipient_restrictions, our
          > policy service check was in smtpd_recipient_restrictions, and
          > applied to both incoming and outgoing mail. With 2.10, in my
          > efforts to do things correctly, I have left the policy service on
          > port 25 with smtpd_recipient_restrictions, but for the submission
          > port I have:
          >
          > -o smtpd_recipient_restrictions=
          >
          > to strip it out. However, one of the things the policy service
          > (cluebringer/cbpolicyd) offers is rate limiting, which some clients
          > want to implement on their outgoing email.
          >
          > Now, I could modify master.cf so it has:
          >
          > -o smtpd_recipient_restrictions=<policy service bits>
          >
          > but I was wondering if, for the submission port, there was a
          > different recommended method.

          Do you have the same cbpolicyd handling both submission and MX? I
          suppose that's fine, but it makes your policies a bit harder to
          maintain and master.

          If so, I think I'd move it off to some other restriction stage that
          could be shared among both/all smtpd instances.

          smtpd_sender_restrictions=<policy service bits>

          (and no -o to unset it for submission)
          --
          http://rob0.nodns4.us/ -- system administration and consulting
          Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
        • Quanah Gibson-Mount
          Message 4 of 4 , Sep 4, 2013
            --On Wednesday, September 04, 2013 3:21 PM -0500 "/dev/rob0"
            <rob0@...> wrote:

            > On Wed, Sep 04, 2013 at 01:06:52PM -0700, Quanah Gibson-Mount wrote:
            >> Previous to Postfix 2.10 and the split between
            >> smtpd_relay_restrictions and smtpd_recipient_restrictions, our
            >> policy service check was in smtpd_recipient_restrictions, and
            >> applied to both incoming and outgoing mail. With 2.10, in my
            >> efforts to do things correctly, I have left the policy service on
            >> port 25 with smtpd_recipient_restrictions, but for the submission
            >> port I have:
            >>
            >> -o smtpd_recipient_restrictions=
            >>
            >> to strip it out. However, one of the things the policy service
            >> (cluebringer/cbpolicyd) offers is rate limiting, which some clients
            >> want to implement on their outgoing email.
            >>
            >> Now, I could modify master.cf so it has:
            >>
            >> -o smtpd_recipient_restrictions=<policy service bits>
            >>
            >> but I was wondering if, for the submission port, there was a
            >> different recommended method.
            >
            > Do you have the same cbpolicyd handling both submission and MX? I
            > suppose that's fine, but it makes your policies a bit harder to
            > maintain and master.

            Yeah, we do it this way currently, and in looking at this, it did occur to
            me that we really should have two separate instances, one for incoming and
            one for outgoing, in the long term.

            > If so, I think I'd move it off to some other restriction stage that
            > could be shared among both/all smtpd instances.
            >
            > smtpd_sender_restrictions=<policy service bits>
            >
            > (and no -o to unset it for submission)

            Ok, thanks!

            --Quanah

            --

            Quanah Gibson-Mount
            Lead Engineer
            Zimbra, Inc
            --------------------
            Zimbra :: the leader in open source messaging and collaboration