On 2/10/2011 11:58 PM, Gary Smith wrote:
> -----Original Message-----
> From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org]
> On Behalf Of Gary Smith
> Sent: Thursday, February 10, 2011 8:34 PM
> To: 'postfix-users@postfix.org'
> Subject: hold after permit question
>
> I have clients relaying email through a set of servers but I wanted to put a
> hold in there based on specific circumstances (such as they are sending too
> much data, so let's hold and inspect). I have a hash file
> (/etc/postfix/maps/hold) that is dynamically updated from a central server. So
> when the need calls, an entry "domain.tld HOLD" is added to the file and
> postmap'ed.
>
> So, where do I need to put the hash file in the overall scheme of things in
> order to get it to hold after they have authed into the system? I was thinking
> of setting up an alternate port on localhost that basically has this:
>
> smtpd_client_restrictions=hash:/etc/postfix/maps/hold,permit
> smtpd_recipient_restrictions=hash:/etc/postfix/maps/hold,permit
> relayhost=
>
> Okay, playing around, this looks like it works how I would like it. The hold
> seems to take place after the authenticated connection on the sender address,
> which is what we want. Also, for the incoming email server, everything is
> pretty much reject so I put the hold at the end, before the default implicit
> permit. What I really need is a reject_unauthenticated_sender so I can just do
> reject_unauthenticated_sender,hash:/etc/postfix/maps/hold/,permit (or something
> like that) for the smtpd_client_restrictions. Also, if you could eyeball any
> obvious problems with the incoming server smtpd_recipient_restrictions, I'll
> take any feedback.
HOLD always takes place last, and only accepted mail is put on
HOLD. Since this server is for user submission and all mail
is either authenticated or rejected, it doesn't matter too
much where you put the hold.
> Does smtpd_recipient_restrictions make sense here for authentication
> connections?
>
> Outgoing server:
> smtpd_sender_restrictions=hash:/etc/postfix/maps/hold,permit
> smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
Caution: if someone ever sets the non-standard
'smtpd_delay_reject=no' the above line will reject connections
before the user has a chance to authenticate. In this case I
suggest removing smtpd_client_restrictions.
> smtpd_recipient_restrictions =
> permit_mynetworks,permit_sasl_authenticated,reject
This line is sufficient to limit access to mynetworks and
authenticated users.
> Incoming server:
> smtpd_recipient_restrictions =
> permit_mynetworks,
> reject_unknown_sender_domain,
> reject_unauth_destination,
> hash:/etc/postfix/custom/access,<-- this has some specific internal blocks
> (reject some senders that spam our clients)
> hash:/etc/postfix/custom/postmaster,<-- postmaster@ accept, abuse@ accept,
> etc
The above two hash tables use deprecated syntax where
check_recipient_access is assumed. Far better to explicitly
state what the table is checking.
check_recipient_access hash:/etc/postfix/custom/access
check_recipient_access hash:/etc/postfix/custom/postmaster
Even better, combine the files into a single table to save
some memory.
> reject_non_fqdn_recipient,
> reject_unlisted_recipient,
> reject_unknown_sender_domain,
No need to repeat this restriction.
> reject_invalid_hostname,
> reject_rbl_client zen.spamhaus.org,
> reject_rbl_client bl.spamcop.net,
> reject_rbl_client rhsbl.ahbl.org,
> check_policy_service inet:10.0.40.4:21111,<-- sqlgrey
> reject_unauth_pipelining,
> hash:/etc/postfix/maps/hold
-- Noel Jones
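As an added illustration of the HOLD semantics Noel describes above and of the smtpd_delay_reject caution (not code from this thread or from Postfix itself), here is a small Python model of a restriction-list walk: a HOLD hit only sets a flag and evaluation continues, so the flag matters only when the final verdict is permit. The hold map contents, the client attributes and the simplified access(5) lookup order (user@domain, domain, user@) are constructed assumptions.

```python
# Model of a Postfix smtpd restriction-list walk: a HOLD access-map hit only
# sets a flag, so it matters only if the final verdict is permit. Constructed.
HOLD_MAP = "# constructed stand-in for /etc/postfix/maps/hold\nexample.tld HOLD\n"
AUTHED_CLIENT = {"in_mynetworks": False, "sasl_authenticated": True,  # constructed
                 "sender": "user@example.tld", "recipient": "x@other.tld"}
PERMITS = {"permit_mynetworks": "in_mynetworks",
           "permit_sasl_authenticated": "sasl_authenticated"}

def parse_access_map(text):
    """Parse postmap-style 'key action' lines; comments and blanks are skipped."""
    rows = [l.split() for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]
    return {key.lower(): action.upper() for key, action, *_ in rows}

def lookup_address(table, addr):
    """access(5) lookup order, simplified: user@domain, then domain, then user@."""
    local, _, domain = addr.lower().partition("@")
    for key in (addr.lower(), domain, local + "@"):
        if key in table:
            return table[key]
    return "DUNNO"

def at_connect(client):
    """smtpd_delay_reject=no evaluates client restrictions at CONNECT, before
    AUTH, so permit_sasl_authenticated cannot match yet (the caution above)."""
    return dict(client, sasl_authenticated=False)

def evaluate(restrictions, client, table):
    """Walk a restriction list left to right; return (verdict, hold_flag)."""
    hold = False
    for r in restrictions:
        if r == "permit" or client.get(PERMITS.get(r), False):
            return ("permit", hold)
        if r == "reject":
            return ("reject", False)           # rejected mail is never held
        if r in ("check_sender_access", "check_recipient_access"):
            action = lookup_address(table, client[r.split("_")[1]])
            if action in ("OK", "REJECT"):
                return ("permit", hold) if action == "OK" else ("reject", False)
            hold = hold or action == "HOLD"    # HOLD is not a verdict: keep walking
    return ("permit", hold)                    # implicit permit at end of list

def demo():
    # Hold table ahead of the permits, as on the outgoing server above.
    table = parse_access_map(HOLD_MAP)
    submission = ["check_sender_access", "permit_mynetworks",
                  "permit_sasl_authenticated", "reject"]
    anon = dict(AUTHED_CLIENT, sasl_authenticated=False)
    return (evaluate(submission, AUTHED_CLIENT, table),
            evaluate(submission, anon, table))
```

demo() returns the authenticated sender accepted with the hold flag set and the unauthenticated one rejected with no hold, which is the "only accepted mail is put on HOLD" behaviour.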