> -----Original Message-----
> From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org]
> On Behalf Of Gary Smith
> Sent: Thursday, February 10, 2011 8:34 PM
> To: 'postfix-users@postfix.org'
> Subject: hold after permit question
>
> I have clients relaying email through a set of servers but I wanted to put a
> hold in there based on specific circumstances (such as they are sending too
> much data, so let's hold and inspect). I have a hash file
> (/etc/postfix/maps/hold) that is dynamically updated from a central server. So
> when the need calls, an entry domain.tld HOLD is added to the file and
> postmap'ed.
>
> So, where do I need to put the hash file in the overall scheme of things in
> order to get it to hold after they have authed into the system? I was thinking
> of setting up an alternate port on localhost that basically has this:
>
> smtpd_client_restrictions=hash:/etc/postfix/maps/hold,allow
> smtpd_recipient_restrictions=hash:/etc/postfix/maps/hold,allow
> relay_host=
>
Okay, playing around, this looks like it works how I would like it. The hold seems to take place after the authenticated connection on the sender address, which is what we want. Also, for the incoming email server, everything is pretty much reject so I put the hold at the end, before the default implicit permit.

What I really need is a reject_unauthenticated_sender so I can just do reject_unauthenticated_sender,hash:/etc/postfix/maps/hold/,permit (or something like that) for the smtpd_client_restrictions.

Also, if you could eyeball any obvious problems with the incoming server smtpd_recipient_restrictions, I'll take any feedback. Does smtpd_recipient_restrictions make sense here for authentication connections?

Outgoing server:

smtpd_sender_restrictions=hash:/etc/postfix/maps/hold,permit
smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
smtpd_recipient_restrictions = permit_mynetworks,permit_sasl_authenticated,reject

Incoming server:

smtpd_recipient_restrictions =
        permit_mynetworks,
        reject_unknown_sender_domain,
        reject_unauth_destination,
        # this has some specific internal blocks (reject some senders that spam our clients)
        hash:/etc/postfix/custom/access,
        # postmaster@ accept, abuse@ accept, etc
        hash:/etc/postfix/custom/postmaster,
        reject_non_fqdn_recipient,
        reject_unlisted_recipient,
        reject_unknown_sender_domain,
        reject_invalid_hostname,
        reject_rbl_client zen.spamhaus.org,
        reject_rbl_client bl.spamcop.net,
        reject_rbl_client rhsbl.ahbl.org,
        # sqlgrey
        check_policy_service inet:10.0.40.4:21111,
        reject_unauth_pipelining,
        hash:/etc/postfix/maps/hold
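
A simplified model of the outgoing server's three restriction lists from the message above, added here as an example; it is not part of the original post and is not Postfix code. It assumes the lists are applied in the order client, sender, recipient, that a permit ends only its own list, that a reject in any list refuses the mail, and that HOLD only flags the message while evaluation continues; the session fields and the in-memory map are constructed stand-ins.

```python
# Added example: simplified model of smtpd restriction-list evaluation.
# Not Postfix code; the session dict and HOLD_MAP are constructed for illustration.

HOLD_MAP = {"domain.tld": "HOLD"}   # stand-in for hash:/etc/postfix/maps/hold

# The "Outgoing server" settings from the message, one list per stage.
OUTGOING = {
    "client": ["permit_mynetworks", "permit_sasl_authenticated", "reject"],
    "sender": ["hash:/etc/postfix/maps/hold", "permit"],
    "recipient": ["permit_mynetworks", "permit_sasl_authenticated", "reject"],
}

def check(restriction, session):
    """Return 'OK', 'REJECT', 'HOLD' or 'DUNNO' for a single restriction."""
    if restriction == "permit":
        return "OK"
    if restriction == "reject":
        return "REJECT"
    if restriction == "permit_mynetworks":
        return "OK" if session["in_mynetworks"] else "DUNNO"
    if restriction == "permit_sasl_authenticated":
        return "OK" if session["sasl_authenticated"] else "DUNNO"
    if restriction.startswith("hash:"):
        # Assumption: the map is keyed on the sender's domain, matching the
        # "domain.tld HOLD" entries described in the quoted message.
        domain = session["sender"].rpartition("@")[2].lower()
        return HOLD_MAP.get(domain, "DUNNO")
    raise ValueError(f"restriction not modelled: {restriction}")

def evaluate(config, session):
    """Return 'reject', 'hold' or 'accept' for one message."""
    held = False
    for stage in ("client", "sender", "recipient"):
        for restriction in config[stage]:
            result = check(restriction, session)
            if result == "REJECT":
                return "reject"      # a reject wins even if HOLD was flagged
            if result == "HOLD":
                held = True          # flag only; keep evaluating this list
            elif result == "OK":
                break                # permit ends this list, not the later ones
    return "hold" if held else "accept"

if __name__ == "__main__":
    for auth in (True, False):
        s = {"in_mynetworks": False, "sasl_authenticated": auth,
             "sender": "user@domain.tld"}
        print("authenticated" if auth else "unauthenticated", "->", evaluate(OUTGOING, s))
```

Under these assumptions an authenticated client sending from a listed domain is held, while an unauthenticated client is rejected by the client list before any hold can take effect.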