Rocco Scappatura wrote:
>
> Sorry,
>
>>>> How do I have to modify it so that I could block an email address
>>>> either
>>>> if it is the sender or one of the recipients, AND either if the message is
>>>> incoming or outgoing?
>>>>
>>>> Maybe so (assuming that the action will never be "OK")...
>>>>
>>>> smtpd_client_restrictions =
>>>> check_client_access
>>>> proxy:mysql:/etc/postfix/mysql-check-client-filter-access.cf
>>>>
>>>> smtpd_helo_restrictions =
>>>> smtpd_sender_restrictions =
>>>> check_sender_access
>>>> proxy:mysql:/etc/postfix/mysql-check-sender-access.cf
>>>> check_recipient_access
>>>> proxy:mysql:/etc/postfix/mysql-check-sender-access.cf
>>>>
>>>> smtpd_recipient_restrictions =
>>>> check_recipient_access
>>>> proxy:mysql:/etc/postfix/mysql-check-recipient-access.cf
>>> this one is already in smtpd_sender_restrictions, so just remove it
>>>
>> I can't remove it

sorry, I didn't notice that it was a different map.

> because this lookup returns "reject_unverified_address"
>> for the domains that I maintain but for which I have no list of valid
>> recipients:
>>
>> query = select restriction from domain where domain='%s'
>>
>> maybe could I put both lookups in smtpd_sender_restrictions?
>>

yes.

>> check_recipient_access
>> proxy:mysql:/etc/postfix/mysql-check-sender-access.cf,
>> proxy:mysql:/etc/postfix/mysql-check-sender-access.cf
>
> I'm saying:
>
> check_recipient_access
> proxy:mysql:/etc/postfix/mysql-check-sender-access.cf,
> proxy:mysql:/etc/postfix/mysql-check-recipient-access.cf
>

check_foo_access checks only one map. so you need to do it like this:

    check_recipient_access proxy:mysql:/etc/postfix/mysql-check-sender-access.cf
    check_recipient_access proxy:mysql:/etc/postfix/mysql-check-recipient-access.cf

>> is it ok?
>>
>>>> check_client_access
>>>> proxy:mysql:/etc/postfix/mysql-check-client-access.cf
>>> what's this for? it's already in smtpd_client_restrictions, so you may
>>> or may not need it here.
>> It integrates mynetworks (i.e.: returns "OK" if an IP is enabled to relay
>> through my SMTP gateway). I need it.
>>

that's ok.

>>>> permit_mynetworks
>>>> permit_sasl_authenticated
>>>> check_policy_service inet:127.0.0.1:54000
>>> what's this for? you probably want to put this after
>>> reject_unauth_destination.
>> postgrey
>>

then put it at the end. no point to greylist a relay attempt.

>>> remember: reject_unauth_destination is what prevents open relay. so
>>> avoid putting a lot of stuff before it, because you increase the risks.
>>>
>>> and reject_unauth_destination is a very safe and very cheap check, so it's
>>> good to have it as soon as possible.
>>>
>>>> reject_unauth_destination
>>>> .
>>>> .
>>>> .
>>>>
>>>> Or you have another configuration to propose that is safer?
>>>>
>>> see above.
>>>
>>> as a general "rule of thumb", put anti-spam checks (I'm talking about
>>> inbound spam. outbound spam is a different subject) after
>>> reject_unauth_destination, and put "general restrictions" (that also
>>> apply to your users) in one of smtpd_(client|helo|sender)_restrictions.
>> thanks,
>>
>> rocsca
>>
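
Added example, not part of the original message and not Postfix code: a small Python check that applies two rules stated in the reply to an smtpd_recipient_restrictions value (one map per check_*_access, and the postgrey policy service placed after reject_unauth_destination). The function names `parse` and `lint` are hypothetical, and the two sample lists are constructed from lines quoted in the thread.

```python
import re

# Restrictions from this thread that take exactly one argument.
ONE_ARG = re.compile(r"check_\w+_access$|check_policy_service$")

def parse(value):
    """Split a restriction list into [name, arg, ...] groups."""
    groups = []
    for tok in re.split(r"[,\s]+", value.strip()):
        if not tok:
            continue
        if ":" in tok and groups:      # type:table or inet:host:port argument
            groups[-1].append(tok)
        else:
            groups.append([tok])
    return groups

def lint(value):
    """Return findings for one smtpd_recipient_restrictions value."""
    groups = parse(value)
    names = [g[0] for g in groups]
    findings = [f"{g[0]}: expected 1 argument, got {len(g) - 1}"
                for g in groups if ONE_ARG.match(g[0]) and len(g) != 2]
    if "reject_unauth_destination" not in names:
        findings.append("reject_unauth_destination missing")
    elif "check_policy_service" in names[:names.index("reject_unauth_destination")]:
        findings.append("check_policy_service before reject_unauth_destination")
    return findings

D = "proxy:mysql:/etc/postfix/mysql-check-"
# Constructed samples assembled from lines quoted in the thread.
BEFORE = f"""
  check_recipient_access {D}sender-access.cf, {D}recipient-access.cf
  check_client_access {D}client-access.cf
  permit_mynetworks
  permit_sasl_authenticated
  check_policy_service inet:127.0.0.1:54000
  reject_unauth_destination
"""
AFTER = f"""
  check_recipient_access {D}sender-access.cf
  check_recipient_access {D}recipient-access.cf
  check_client_access {D}client-access.cf
  permit_mynetworks
  permit_sasl_authenticated
  reject_unauth_destination
  check_policy_service inet:127.0.0.1:54000
"""

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(label, lint(cfg) or "ok")
```

The check does not inspect what the maps return, so the thread's condition that lookups placed before reject_unauth_destination never return "OK" for untrusted clients still has to be verified against the database.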