On Feb 27, 2009, at 3:58 AM, "Rocco Scappatura" <rocco.scappat...@infracom.it> wrote:

Thanks Sahil for your precious answer,

I'm trying to use a policy service to limit use of my SMTP gateway platform because of heavy load that usually means hard delays to transmit messages. The policy service is bound to TCP port 10031. I have so set Postfix to use the policy service at the end of the recipient restrictions and at the end of the end-of-data restrictions:
    smtpd_recipient_restrictions =
        check_client_access proxy:mysql:/etc/postfix/mysql-check-client-access.cf
        permit_mynetworks
        permit_sasl_authenticated
        reject_unauth_destination
        reject_non_fqdn_sender
        reject_non_fqdn_recipient
        reject_unlisted_sender
        reject_unlisted_recipient
        reject_unknown_sender_domain
        reject_invalid_hostname
        reject_rbl_client zen.spamhaus.org
        reject_rbl_client list.dsbl.org
        check_policy_service inet:127.0.0.1:54000
        check_policy_service inet:127.0.0.1:10031

    smtpd_end_of_data_restrictions =
        check_policy_service inet:127.0.0.1:10031
What happens is that if the message is from an external sender then the sender is tracked. On the other hand, the sender is not tracked. In the first case, the policy service log says the state is RCPT when the message is tracked. In the second case, instead, the logfile says that the state is 'END-OF-MESSAGES'. (Why are these messages not matched in the RCPT stage? Why are these messages nevertheless matched at the end-of-data stage?)
Messages from internal senders (presumably defined as those in mynetworks or SASL authenticated clients) are OK'd early in smtpd_recipient_restrictions. At this point, smtpd(8) stops evaluating recipient restrictions, so your policy services are not queried in the RCPT TO stage of the SMTP conversation. The smtpd_end_of_data_restrictions are evaluated later, at which point the policy service is queried.
So, first of all the policy service (port 54000) and the second (port 10031) have to be switched. And then I have to move the policy services before check_client_access (which returns OK if the client IP is enabled to relay messages through my platform). But I fear that this is a little bit dangerous. Maybe I have to move the policy check to an earlier stage?

Indeed I would like exactly the contrary (that is, the outgoing messages have to be checked, while the others not), but I really can't figure out where I'm going wrong.
IMHO, set up a submission service on port 587 and force users to relay mail through it. Then you can call the policy service only for mail arriving via the submission service.
No, your idea is not feasible. Anyway, why are the messages from "my network" (i.e. from the IPs which are enabled to relay messages through my platform) not passed to the policy service when they are checked against "smtpd_end_of_data_restrictions"?
They should be passed to the policy server, unless mail is not being submitted via SMTP but instead via pickup, another instance of Postfix, etc. In your previous email you seem to suggest (I can't be certain due to language issues) that email from internal senders *is* logged in the policy server logs in the END OF DATA stage.
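As an added example (not from this thread, not Postfix's own code, and not the policy daemon Rocco is running) illustrating the RCPT versus END-OF-MESSAGE behaviour explained above: a minimal Python policy daemon that speaks the check_policy_service protocol (lines of name=value terminated by an empty line, answered with action=...), logs the protocol_state of every query, and keeps a per-client recipient budget. Because smtpd(8) tags all queries for one delivery with the same instance attribute, the daemon can notice at END-OF-MESSAGE that a message was never seen at RCPT (the case where permit_mynetworks returned OK before the check_policy_service entry) and charge recipient_count at that point instead. The port, the budget values and the sample requests are constructed for the example.

```python
"""Minimal Postfix policy-delegation server (constructed example)."""
import logging
import socketserver
import threading

log = logging.getLogger("policyd")

# Hypothetical recipient budget per client key; "default" applies to everyone.
LIMITS = {"default": 3}


def parse_policy_request(raw: str) -> dict:
    """Parse one request: name=value lines up to the first empty line."""
    attrs = {}
    for line in raw.splitlines():
        if line == "":
            break
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value
    return attrs


class RecipientBudget:
    """Per-client recipient counter that survives an RCPT stage being skipped.

    At RCPT each query is one recipient, so we charge 1 and remember the
    instance. At END-OF-MESSAGE an instance we never saw at RCPT means smtpd(8)
    permitted the client earlier in smtpd_recipient_restrictions; the request
    still carries recipient_count, so the whole list is charged there.
    """

    def __init__(self, limits):
        self.limits = limits
        self.counts = {}          # client key -> recipients charged so far
        self.seen_at_rcpt = set()  # instances already counted at RCPT
        self.lock = threading.Lock()

    @staticmethod
    def key_for(attrs):
        return attrs.get("sasl_username") or attrs.get("client_address") or "unknown"

    def charge(self, key, n):
        limit = self.limits.get(key, self.limits.get("default"))
        with self.lock:
            self.counts[key] = self.counts.get(key, 0) + n
            total = self.counts[key]
        if limit is not None and total > limit:
            return "DEFER Recipient budget exhausted for %s" % key
        return "DUNNO"

    def decide(self, attrs):
        state = attrs.get("protocol_state", "")
        key = self.key_for(attrs)
        instance = attrs.get("instance", "")
        log.info("state=%s key=%s instance=%s", state, key, instance)
        if state == "RCPT":
            with self.lock:
                self.seen_at_rcpt.add(instance)
            return self.charge(key, 1)
        if state == "END-OF-MESSAGE":
            with self.lock:
                counted = instance in self.seen_at_rcpt
                self.seen_at_rcpt.discard(instance)
            if counted:
                return "DUNNO"  # recipients were already charged one by one
            return self.charge(key, int(attrs.get("recipient_count", "0")))
        return "DUNNO"


class PolicyHandler(socketserver.StreamRequestHandler):
    def handle(self):
        while True:  # Postfix may send several requests per connection
            lines = []
            while True:
                line = self.rfile.readline()
                if not line:
                    return  # client closed the connection
                line = line.decode("utf-8", "replace").rstrip("\r\n")
                if line == "":
                    break
                lines.append(line)
            action = self.server.budget.decide(parse_policy_request("\n".join(lines)))
            self.wfile.write(("action=%s\n\n" % action).encode())
            self.wfile.flush()


def serve(host="127.0.0.1", port=10031):
    srv = socketserver.ThreadingTCPServer((host, port), PolicyHandler)
    srv.budget = RecipientBudget(LIMITS)
    srv.serve_forever()


# Constructed requests: an external client queried at RCPT, then a client
# that permit_mynetworks approved and that is therefore only seen at END-OF-MESSAGE.
SAMPLE_REQUESTS = [
    "request=smtpd_access_policy\nprotocol_state=RCPT\nclient_address=203.0.113.10\n"
    "sender=alice@example.org\nrecipient=bob@example.net\ninstance=ext1\n\n",
    "request=smtpd_access_policy\nprotocol_state=RCPT\nclient_address=203.0.113.10\n"
    "sender=alice@example.org\nrecipient=carol@example.net\ninstance=ext1\n\n",
    "request=smtpd_access_policy\nprotocol_state=END-OF-MESSAGE\nclient_address=203.0.113.10\n"
    "sender=alice@example.org\nrecipient_count=2\ninstance=ext1\n\n",
    "request=smtpd_access_policy\nprotocol_state=END-OF-MESSAGE\nclient_address=192.0.2.5\n"
    "sender=dave@example.org\nrecipient_count=2\ninstance=int1\n\n",
    "request=smtpd_access_policy\nprotocol_state=END-OF-MESSAGE\nclient_address=192.0.2.5\n"
    "sender=dave@example.org\nrecipient_count=2\ninstance=int2\n\n",
]


def run_samples(budget=None):
    """Feed the constructed requests through one budget; returns the actions."""
    budget = budget or RecipientBudget(LIMITS)
    return [budget.decide(parse_policy_request(r)) for r in SAMPLE_REQUESTS]


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    print(run_samples())
```

Run it without arguments to see the five decisions for the constructed requests; call serve() to listen on 127.0.0.1:10031 so a check_policy_service inet:127.0.0.1:10031 entry can reach it. The point of keying on instance is that a client which never triggers a RCPT query (because permit_mynetworks or permit_sasl_authenticated returned OK first) is still accounted for, which is exactly the gap the thread is about.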