On Thu, Oct 1, 2009 at 11:02 AM, Brian Evans - Postfix List
<grkni...@scent-team.com> wrote:
> Robert Lopez wrote:
<snip>
>> check_client_access=hash:/etc/postfix/access
>> smtpd_client_restrictions =
>>   permit_mynetworks
>>   hash:/etc/postfix/whitelist
>>
> This is depreciated syntax equivalent to "check_client_access
> hash:/etc/postfix/whitelist"

Brian which line is depreciated syntax?

>>   reject_rbl_client zen.spamhaus.org
>>   reject_rbl_client bl.spamcop.net
>>   reject_rbl_client dnsbl.njabl.org
>>   reject_rbl_client blackholes.five-ten-sg.com=127.0.0.4
>>   reject_rbl_client blackholes.five-ten-sg.com=127.0.0.5
>>   reject_rbl_client blackholes.five-ten-sg.com=127.0.0.6
>>   reject_rbl_client blackholes.five-ten-sg.com=127.0.0.7
>>   reject_rbl_client blackholes.five-ten-sg.com=127.0.0.8
>>   reject_rbl_client blackholes.five-ten-sg.com=127.0.0.9
>>   reject_rbl_client blackholes.five-ten-sg.com=127.0.0.10
>>   reject_rbl_client blackholes.five-ten-sg.com=127.0.0.11
>>   reject_rbl_client blackholes.five-ten-sg.com=127.0.0.13
>>   permit
>>
>> smtpd_sender_restrictions =
>>   check_sender_access hash:/etc/postfix/greylist
>>   check_sender_access hash:/etc/postfix/sender_access
>>   permit_mynetworks
>>   reject_unknown_sender_domain
<snip>
>> Right now that ip address example shown above (64.94.244) is in the
>> sender_access file (and the sender_access.db) but the log file shows
>> events such as this:
>>
>
> You are explicitly asking postfix to check a sender for the file
> hash:/etc/postfix/sender_access.

"...check a sender for the file..."
Are you confirming postfix looks only for a sender-name found in the
Reply-To: in the /etc/postfix/sender_access file?

> This will never match an IP.

Thank you for confirming that point.

>> Based upon my understanding of the definitions of the terms I have
>> always been uncertain about putting ip blocks in the same file. I have
>> been told it has been working practice at this college for years
>> before I got here. I need to be certain we are doing the right things

> You may put check_client_access to point to the same map in order to
> check for an IP.
> This is discouraged as that map may be abused in the future. People love
> putting all their eggs in one basket.
> Abuse can occur if placed in recipient restriction before
> reject_unauth_destination with an OK result.
> The check_client_access can be placed in sender_restrictions if you like.
>

I am not clear who you suggest may do the abuse, but I understand your
point is it is best to use separate files, each for a single purpose.

So is this the implementation you would suggest...

check_client_access=hash:/etc/postfix/access_domain
check_client_access=hash:/etc/postfix/access_ip

where the access_domain file has domain names and the access_ip file
has ip addresses?

This (from http://www.postfix.org/postconf.5.html) suggests a single
file can have multiple uses:

"check_client_access type:table
Search the specified access database for the client hostname, parent
domains, client IP address, or networks obtained by stripping least
significant octets. See the access(5) manual page for details."

--
Robert Lopez
Unix Systems Administrator
Central New Mexico Community College (CNM)
525 Buena Vista SE
Albuquerque, New Mexico 87106
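
Added example, not part of the original thread or of Postfix itself: a simplified Python model of the lookup keys that access(5) describes, showing why the 64.94.244 entry is found by check_client_access but never by check_sender_access, which builds its keys from the envelope MAIL FROM address. The function names, the sample table and the sample client and sender values are constructed for illustration.

```python
# Added example: simplified model of Postfix access(5) lookup keys.
# Assumptions: IPv4 only, default parent_domain_matches_subdomains
# behaviour for access maps, address extensions not modelled.

def domain_keys(domain):
    """Domain, then each parent domain, most specific first."""
    labels = domain.lower().split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]

def client_keys(hostname, ip):
    """Keys for check_client_access: client hostname, parent domains,
    client IP address, then networks with trailing octets stripped."""
    keys = [] if hostname == "unknown" else domain_keys(hostname)
    octets = ip.split(".")
    return keys + [".".join(octets[:n]) for n in range(4, 0, -1)]

def sender_keys(mail_from):
    """Keys for check_sender_access: built only from the MAIL FROM
    address (user@domain, domain and parents, user@)."""
    local, _, domain = mail_from.lower().rpartition("@")
    return [f"{local}@{domain}"] + domain_keys(domain) + [f"{local}@"]

def first_match(table, keys):
    """Return (key, action) for the first key present in the table."""
    for key in keys:
        if key in table:
            return key, table[key]
    return None

# Constructed sample table: the network prefix from the thread plus a
# hypothetical sender domain.
SENDER_ACCESS = {"64.94.244": "REJECT", "spam.example": "REJECT"}

if __name__ == "__main__":
    # Constructed connection: client 64.94.244.10 with no reverse DNS.
    print(first_match(SENDER_ACCESS, client_keys("unknown", "64.94.244.10")))
    # Sender lookups never produce an IP or network key.
    print(first_match(SENDER_ACCESS, sender_keys("someone@example.net")))
    print(first_match(SENDER_ACCESS, sender_keys("bulk@news.spam.example")))
```

On a real system, `postmap -q 64.94.244 hash:/etc/postfix/sender_access` confirms that the key exists in the map; whether it is ever consulted depends on which check_*_access restriction references that map.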