On Tue, Nov 25, 2008 at 02:14:10PM -0800, Quanah Gibson-Mount wrote:
> --On Friday, November 21, 2008 7:49 PM -0800 Quanah Gibson-Mount
> <[EMAIL PROTECTED]> wrote:
>
> >So, I'm guessing not breaking recipient validation means adding aliases,
> >which I can't do, or the above bit about the domain and query, which I
> >also apparently can't do. I'll look into a policy service, thanks!
>
> Ok, I've written a simple perl script policy service, that queries our LDAP
> server if they are using an alias domain, and verifies the recipient
> account exists. If it does, it returns "dunno" as the action to take.
>
> What's the correct action to take if the account doesn't exist? Currently
> I have "defer_if_permit Service temporarily unavailable".
A hard "REJECT" seems more reasonable for invalid recipient addresses.
REJECT 5.1.1 Mailbox unavailable
> Our smtpd_recipient_restrictions are: reject_non_fqdn_recipient,
> permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination,
> reject_unlisted_recipient, reject_invalid_hostname, reject_non_fqdn_sender,
> check_policy_service unix:private/policy, permit
>
>
> Finally, although I can test the script just fine from the command line,
> I'm not 100% sure postfix is actually executing it. I added to master.cf:
>
> policy unix - n n - 0 spawn
> user=nobody argv=/usr/bin/perl /opt/zimbra/libexec/zmpostfixpolicyd -v
Your script can syslog its activities. The script will only be called for
senders that don't match "mynetworks" and don't have SASL credentials.
> and I modified the smtpd_recipient_restrictions as above, plus added
> policy_time_limit = 3600 to main.cf.
>
> I verified the unix socket exists:
>
> [EMAIL PROTECTED] spool]# cd /opt/zimbra/data/postfix/spool/private/
> [EMAIL PROTECTED] private]# ls -l policy
> srw-rw-rw- 1 postfix postfix 0 Nov 25 11:59 policy
>
> We have: queue_directory = /opt/zimbra/data/postfix/spool so that should be
> the correct location.
>
> However, when I connect to the SMTP port and send an email to a user, I
> don't see that zmpostfixpolicyd is run. Shouldn't it be running on all
> emails that come in, regardless of whether or not it takes action?
You are probably sending from "mynetworks". The script is spawned on
demand (first call to the policy service).
--
Viktor.
Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.
To unsubscribe from the postfix-users list, visit
http://www.postfix.org/lists.html or click the link below:
<mailto:[EMAIL PROTECTED]>
If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the "Subject" so I can delete these quickly.
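The policy service discussed in this thread, as an added example in Python rather than the poster's Perl script (this is not the zmpostfixpolicyd code, and it assumes a hypothetical in-memory directory in place of the LDAP server). It implements the Postfix policy protocol the way the `spawn` service expects: read `name=value` lines up to a blank line, answer `action=...` followed by a blank line, and loop until stdin closes. Recipients in an alias domain are checked against the directory; as Viktor suggests, an unknown account gets a hard `REJECT 5.1.1`, everything else gets `DUNNO` so the remaining restrictions decide. Activity goes to syslog when run as a daemon, which is the check the thread recommends for confirming Postfix actually invokes the script.

```python
import io
import logging
import logging.handlers
import sys

# Constructed stand-in for the poster's LDAP server (hypothetical names):
# alias domain -> primary domain, and primary domain -> known mailboxes.
ALIAS_DOMAINS = {"example.net": "example.com", "example.org": "example.com"}
MAILBOXES = {"example.com": {"alice", "bob"}}

log = logging.getLogger("policy")


def parse_request(raw):
    """Parse one policy request: 'name=value' lines terminated by an empty line."""
    attrs = {}
    for line in raw.splitlines():
        line = line.strip()
        if not line:
            break
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value
    return attrs


def account_exists(localpart, domain):
    """Stand-in for the LDAP lookup: map the alias domain to its primary
    domain, then check that the mailbox exists there."""
    primary = ALIAS_DOMAINS.get(domain, domain)
    return localpart.lower() in MAILBOXES.get(primary, set())


def policy_action(attrs):
    """Decide the action for one request.

    DUNNO when the recipient is not in an alias domain (reject_unlisted_recipient
    and friends already cover the primary domain) or when the account exists;
    a hard REJECT when the alias-domain account is unknown."""
    recipient = attrs.get("recipient", "")
    localpart, _, domain = recipient.rpartition("@")
    domain = domain.lower()
    if not localpart or domain not in ALIAS_DOMAINS:
        return "DUNNO"
    if account_exists(localpart, domain):
        return "DUNNO"
    return "REJECT 5.1.1 Mailbox unavailable"


def handle(raw):
    """Turn one raw request block into the reply Postfix expects."""
    attrs = parse_request(raw)
    action = policy_action(attrs)
    log.info("recipient=%s client=%s action=%s",
             attrs.get("recipient"), attrs.get("client_address"), action)
    return "action=%s\n\n" % action


def serve(stdin=sys.stdin, stdout=sys.stdout):
    """Run under 'spawn': answer each blank-line-terminated request until EOF."""
    pending = []
    for line in stdin:
        if line.strip():
            pending.append(line)
            continue
        if pending:
            stdout.write(handle("".join(pending)))
            stdout.flush()
            pending = []


if __name__ == "__main__":
    # Log to syslog so the daemon's activity shows up in the mail log;
    # fall back to stderr where no syslog socket is available.
    try:
        handler = logging.handlers.SysLogHandler(address="/dev/log")
    except OSError:
        handler = logging.StreamHandler(sys.stderr)
    logging.basicConfig(level=logging.INFO, handlers=[handler],
                        format="policy[%(process)d]: %(message)s")
    serve()
```

To exercise it by hand, pipe a request block in: `printf 'request=smtpd_access_policy\nrecipient=carol@example.net\n\n' | python3 policy.py` prints `action=REJECT 5.1.1 Mailbox unavailable` followed by an empty line. Note that, as the thread points out, a mail submitted from `mynetworks` or with SASL credentials never reaches `check_policy_service` with the restriction order shown, so testing from a trusted client will not produce a log line at all.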