On Thu, 26 Feb 2009, Rocco Scappatura wrote:

> I'm trying to use a policy service to limit use of my SMTP gateway
> platform 'cause of heavy load that usually means hard delays to transmit
> messages.
>
> The policy service is bound to 10031 TCP port.
>
> I have so set postfix to use the policy service at the end of recipient
> restriction and at the end of the end-of-data restriction:
>
> smtpd_recipient_restrictions =
>     check_client_access proxy:mysql:/etc/postfix/mysql-check-client-access.cf
>     permit_mynetworks
>     permit_sasl_authenticated
>     reject_unauth_destination
>     reject_non_fqdn_sender
>     reject_non_fqdn_recipient
>     reject_unlisted_sender
>     reject_unlisted_recipient
>     reject_unknown_sender_domain
>     reject_invalid_hostname
>     reject_rbl_client zen.spamhaus.org
>     reject_rbl_client list.dsbl.org
>     check_policy_service inet:127.0.0.1:54000
>     check_policy_service inet:127.0.0.1:10031
>
> smtpd_end_of_data_restrictions =
>     check_policy_service inet:127.0.0.1:10031
>
> What happens is that if the message is from external, then the
> sender is tracked. On the other hand, the sender is not tracked.
>
> In the first case, the policy service logs say the state is RCPT when the
> message is tracked. In the second case, instead, the logfile says that the
> state is 'END-OF-MESSAGES'. (Why are these messages not matched in the
> RCPT stage? Why are these messages nevertheless matched at the end-of-data
> stage?)
Messages from internal senders (presumably defined as those in mynetworks or SASL authenticated clients) are OK'd early in smtpd_recipient_restrictions. At this point, smtpd(8) stops evaluating recipient restrictions, so your policy services are not queried in the RCPT TO stage of the SMTP conversation. The smtpd_end_of_data_restrictions are evaluated later, at which point the policy service is queried.

> Indeed I would like exactly the contrary (that is, the outgoing messages
> have to be checked, while the others not), but I really can't figure out
> where I'm wronging.

IMHO, set up a submission service on port 587 and force users to relay mail through it. Then, you can call the policy service only for mail arriving via the submission service.

--
Sahil Tandon <sa...@tandon.net>
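As an added illustration of the suggestion above (this is not the poster's configuration and not part of the thread), the following main.cf and master.cf fragments put the rate-limiting policy daemon on the submission service only. It assumes the policy daemon still listens on 127.0.0.1:10031, that SASL and TLS are already configured, and that the parameter name `submission_recipient_restrictions` is one chosen here, not a built-in Postfix setting.

```conf
# --- /etc/postfix/main.cf (added example, not the original poster's file) ---
# Port 25 keeps its anti-spam checks but no longer queries the 10031 policy
# daemon, and the smtpd_end_of_data_restrictions entry for 10031 is dropped.
smtpd_recipient_restrictions =
    check_client_access proxy:mysql:/etc/postfix/mysql-check-client-access.cf
    permit_mynetworks
    permit_sasl_authenticated
    reject_unauth_destination
    reject_rbl_client zen.spamhaus.org
    check_policy_service inet:127.0.0.1:54000

# Named list for the submission service (name chosen for this example).
# A check_policy_service argument contains a space, which a master.cf "-o"
# override cannot carry, so the list lives here and master.cf references it.
# check_policy_service must come BEFORE permit_sasl_authenticated: a permit_*
# result ends evaluation, which is exactly why the policy service was never
# reached in the RCPT stage for internal mail on port 25.
submission_recipient_restrictions =
    check_policy_service inet:127.0.0.1:10031
    permit_sasl_authenticated
    reject

# --- /etc/postfix/master.cf ---
# service type  private unpriv  chroot  wakeup  maxproc command + args
submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_recipient_restrictions=$submission_recipient_restrictions
  -o smtpd_end_of_data_restrictions=
```

With this layout the policy daemon sees every authenticated submission at RCPT time and none of the inbound traffic on port 25. Whether `permit_mynetworks` stays on port 25 is a separate decision: any internal host that keeps relaying via port 25 bypasses the limit, so "forcing" users onto 587 means either removing that entry or blocking internal access to port 25 at the firewall.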