>> How do I have to modify it so that I could block an email address either
>> if it is the sender or one of the recipients, AND either if the message is
>> incoming or outgoing?
>>
>> Maybe so (assuming that the action will never be "OK")...
>>
>> smtpd_client_restrictions =
>>     check_client_access proxy:mysql:/etc/postfix/mysql-check-client-filter-access.cf
>>
>> smtpd_helo_restrictions =
>> smtpd_sender_restrictions =
>>     check_sender_access proxy:mysql:/etc/postfix/mysql-check-sender-access.cf
>>     check_recipient_access proxy:mysql:/etc/postfix/mysql-check-sender-access.cf
>>
>> smtpd_recipient_restrictions =
>>     check_recipient_access proxy:mysql:/etc/postfix/mysql-check-recipient-access.cf
>
> this one is already in smtpd_sender_restrictions, so just remove it
>

I can't remove it because this lookup returns "reject_unverified_address"
for the domains that I maintain but for which I have no list of valid
recipients:

query = select restriction from domain where domain='%s'

Maybe I could put both lookups in smtpd_sender_restrictions?

    check_recipient_access proxy:mysql:/etc/postfix/mysql-check-sender-access.cf,
        proxy:mysql:/etc/postfix/mysql-check-sender-access.cf

Is it OK?

>>     check_client_access proxy:mysql:/etc/postfix/mysql-check-client-access.cf
>
> what's this for? it's already in smtpd_client_restrictions, so you may
> or may not need it here.

It integrates mynetworks (i.e. it returns "OK" if an IP is enabled to relay
through my SMTP gateway). I need it.

>
>>     permit_mynetworks
>>     permit_sasl_authenticated
>>     check_policy_service inet:127.0.0.1:54000
>
> what's this for? you probably want to put this after
> reject_unauth_destination.

postgrey

>
> remember: reject_unauth_destination is what prevents open relay. so
> avoid putting a lot of stuff before it, because you increase the risks.
>
> and reject_unauth_destination is a very safe and very cheap check, so it's
> good to have it as soon as possible.
>
>>     reject_unauth_destination
>> .
>> .
>> .
>>
>> Or do you have another configuration to propose that is safer?
>>
>
> see above.
>
> as a general "rule of thumb", put anti-spam checks (I'm talking about
> inbound spam. outbound spam is a different subject) after
> reject_unauth_destination, and put "general restrictions" (that also
> apply to your users) in one of smtpd_(client|helo|sender)_restrictions.

thanks,

rocsca
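
As an added example (not part of the original thread or of Postfix itself), the ordering advice above can be checked mechanically: the sketch below lists every restriction that is evaluated before reject_unauth_destination, other than the trusted-client permits, so each one can be reviewed for lookups that might return "OK". The function names are hypothetical, the sample is constructed from the list quoted in this thread, and it assumes the relay check lives in smtpd_recipient_restrictions as it does here.

```python
# Constructed sample: the restriction list quoted in this thread, with the
# mail-wrapped table arguments rejoined onto their restriction's line.
SAMPLE_MAIN_CF = """\
smtpd_recipient_restrictions =
    check_recipient_access proxy:mysql:/etc/postfix/mysql-check-recipient-access.cf
    check_client_access proxy:mysql:/etc/postfix/mysql-check-client-access.cf
    permit_mynetworks
    permit_sasl_authenticated
    check_policy_service inet:127.0.0.1:54000
    reject_unauth_destination
"""

# Permits that only match already-trusted clients, so they belong before the relay check.
TRUSTED_PERMITS = {"permit_mynetworks", "permit_sasl_authenticated"}
RELAY_GUARD = "reject_unauth_destination"

def parse_restrictions(main_cf, param):
    """Return the ordered restrictions of `param`, e.g. 'check_x_access type:table'."""
    logical = []
    for line in main_cf.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue                            # blank lines and comments are ignored
        if line[0].isspace() and logical:
            logical[-1] += " " + line.strip()   # leading whitespace continues a line
        else:
            logical.append(line.strip())
    value = ""
    for entry in logical:
        name, _, rest = entry.partition("=")
        if name.strip() == param:
            value = rest                        # a later definition overrides an earlier one
    items = []
    for tok in value.replace(",", " ").split():
        if items and items[-1].startswith("check_") and " " not in items[-1]:
            items[-1] += " " + tok              # table/service argument of a check_* entry
        else:
            items.append(tok)
    return items

def before_relay_guard(items):
    """Restrictions evaluated before reject_unauth_destination, trusted permits
    excluded. Returns None when the guard is absent from the list."""
    if RELAY_GUARD not in items:
        return None
    return [i for i in items[:items.index(RELAY_GUARD)] if i not in TRUSTED_PERMITS]
```

On the sample, the two access-table lookups and the postgrey policy service are reported as running before the relay check; a result of None means the list has no reject_unauth_destination at all.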
