Thanks Sahil for your precious answer,

> > I'm trying to use a policy service to limit use of my SMTP gateway
> > platform because of heavy load that usually means hard delays to transmit
> > messages.
> >
> > The policy service is bound to TCP port 10031.
> >
> > I have so set Postfix to use the policy service at the end of the recipient
> > restrictions and at the end of the end-of-data restrictions:
> >
> > smtpd_recipient_restrictions =
> >     check_client_access proxy:mysql:/etc/postfix/mysql-check-client-access.cf
> >     permit_mynetworks
> >     permit_sasl_authenticated
> >     reject_unauth_destination
> >     reject_non_fqdn_sender
> >     reject_non_fqdn_recipient
> >     reject_unlisted_sender
> >     reject_unlisted_recipient
> >     reject_unknown_sender_domain
> >     reject_invalid_hostname
> >     reject_rbl_client zen.spamhaus.org
> >     reject_rbl_client list.dsbl.org
> >     check_policy_service inet:127.0.0.1:54000
> >     check_policy_service inet:127.0.0.1:10031
> >
> > smtpd_end_of_data_restrictions =
> >     check_policy_service inet:127.0.0.1:10031
> >
> > What happens is that if the message is from an external sender, then the
> > sender is tracked. On the other hand, the sender is not tracked.
> >
> > In the first case, the policy service log says the state is RCPT when the
> > message is tracked. In the second case, instead, the logfile says that the
> > state is 'END-OF-MESSAGES'. (Why are these messages not matched in the
> > RCPT stage? Why are these messages nevertheless matched at the end-of-data
> > stage?)
>
> Messages from internal senders (presumably defined as those in mynetworks or
> SASL authenticated clients) are OK'd early in smtpd_recipient_restrictions.
> At this point, smtpd(8) stops evaluating recipient restrictions, so your
> policy services are not queried in the RCPT TO stage of the SMTP
> conversation. The smtpd_end_of_data_restrictions are evaluated later, at
> which point the policy service is queried.
So, first of all, the first policy service (port 54000) and the second (port 10031) have to be switched. And then I have to move the policy services before check_client_access (which returns OK if the client IP is enabled to relay messages through my platform). But I fear that this is a little bit dangerous. Maybe I have to move the check policy to an earlier stage?

> > Indeed I would like exactly the contrary (that is, the outgoing messages
> > have to be checked, while the others not), but I really can't figure out
> > where I'm wrong.
>
> IMHO, set up a submission service on port 587 and force users to relay mail
> through it. Then, you can call the policy service only for mail arriving via
> the submission service.

No, your idea is not feasible. Anyway, why are the messages from "my network" (i.e., from the IPs which are enabled to relay messages through my platform) not passed to the policy service when they are checked against "smtpd_end_of_data_restrictions"?

rocsca
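As an added illustration (not code from this thread or from Postfix), here is a minimal Python policy server that speaks the Postfix policy protocol and applies the stage logic Sahil describes: clients covered by permit_mynetworks never reach a check_policy_service entry placed later in smtpd_recipient_restrictions, so the only stage at which such a server sees them is protocol_state END-OF-MESSAGE, and that is where this example applies a per-client message budget (a sliding-window rate limit, my choice of how to "limit use"). The address blocks, window and budget are constructed placeholders.

```python
import ipaddress
import itertools
import socketserver
import time
from collections import defaultdict, deque

# Constructed (hypothetical) values: "mynetworks" address blocks and the per-client budget of end-of-data events per window.
MYNETWORKS = [ipaddress.ip_network("192.0.2.0/24"), ipaddress.ip_network("127.0.0.0/8")]
WINDOW_SECONDS, MAX_PER_WINDOW = 60, 5
_seen = defaultdict(deque)  # client_address -> timestamps of accepted messages

def parse_policy_request(raw):
    # "name=value" lines up to an empty line; values may contain "=", so split on the first one only.
    fields = itertools.takewhile(bool, raw.splitlines())
    return {name: value for name, _, value in (line.partition("=") for line in fields)}

def decide(attrs, now):
    # Internal clients are permitted early in smtpd_recipient_restrictions, so this
    # server only sees them at END-OF-MESSAGE; everything else is passed with DUNNO.
    try:
        client = ipaddress.ip_address(attrs.get("client_address", ""))
    except ValueError:
        return "action=DUNNO"
    if attrs.get("protocol_state") != "END-OF-MESSAGE" or not any(client in n for n in MYNETWORKS):
        return "action=DUNNO"
    history = _seen[str(client)]
    while history and now - history[0] > WINDOW_SECONDS:
        history.popleft()  # drop events that fell outside the window
    if len(history) >= MAX_PER_WINDOW:
        return "action=DEFER_IF_PERMIT Rate limit exceeded, try again later"
    history.append(now)
    return "action=DUNNO"

class PolicyHandler(socketserver.StreamRequestHandler):
    def handle(self):  # Postfix may send several requests over one connection
        while True:
            lines = []
            for raw in self.rfile:  # read up to the empty line ending a request
                line = raw.decode("utf-8", "replace").rstrip("\r\n")
                if not line:
                    break
                lines.append(line)
            if not lines:
                return  # peer closed the connection
            reply = decide(parse_policy_request("\n".join(lines)), time.time())
            self.wfile.write((reply + "\n\n").encode())  # action line plus empty line

if __name__ == "__main__":
    socketserver.TCPServer(("127.0.0.1", 10031), PolicyHandler).serve_forever()
```

Run it and point a check_policy_service inet:127.0.0.1:10031 entry in smtpd_end_of_data_restrictions at it; external clients and RCPT-stage queries fall through with DUNNO, so the rest of the restriction list still decides for them.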