On 10/19/2011 3:30 PM, Daniel L. Miller wrote:
> On 10/19/2011 1:21 PM, Noel Jones wrote:
>> On 10/19/2011 3:06 PM, Daniel L. Miller wrote:
>>> How can I execute a policy service AFTER successful authentication
>>> or local sender verification?
>>>
>>
>> Have your policy service check for existence of sasl_sender or
>> sasl_username.
>>
> If I use that in smtpd_sender_restrictions - where would I place
> it? If I place it AFTER "permit_sasl_authenticated" - that would
> mean my policy service is never called? If I place it BEFORE that
> check, by the time smtpd_sender_restrictions is evaluated, are the
> sasl_sender/sasl_username fields filled?

The check_policy_service would need to be the first check in some
smtpd_*_restrictions section. Depending on what you're doing it
may or may not matter which section.

>
> Is simply having a non-empty sasl_sender/sasl_username confirmation
> of successful sasl authentication - so the policy service doesn't
> have to perform any validation of the value beyond non-empty? Would
> sasl_method also be a valid test?

None of the policy service sasl_* fields will be populated without
successful authentication.

> What about non-authenticated but valid local sender (via IP range).
> Would I do the check in smtpd_client_restrictions - and have the
> policy service test client_address? Is there a test I can use to
> have Postfix validate the IP - instead of duplicating the IP check?

While it might be possible to use a check_client_access table,
you're probably better off implementing your "authorized IP" tests
in your policy service.

-- 
Noel Jones
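
An added example, not part of the original thread or of Postfix: a minimal policy-delegation handler that treats a non-empty sasl_username or a client_address inside an authorized range as "trusted" and only then runs the post-authentication policy. The function names, the AUTHORIZED_NETS ranges (documentation addresses) and the post_auth_policy hook are assumptions made for illustration.

```python
import ipaddress
import sys

# Assumption: networks whose clients count as valid local senders.
AUTHORIZED_NETS = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "2001:db8::/32")]

def parse_request(lines):
    """Turn the name=value lines of one policy request into a dict."""
    attrs = {}
    for line in lines:
        name, sep, value = line.rstrip("\n").partition("=")
        if sep:
            attrs[name] = value
    return attrs

def classify(attrs):
    """Return 'sasl', 'authorized-ip', or None for an untrusted client."""
    # The sasl_* attributes are only populated after successful authentication,
    # so a non-empty value is sufficient evidence of it.
    if attrs.get("sasl_username"):
        return "sasl"
    try:
        addr = ipaddress.ip_address(attrs.get("client_address", ""))
    except ValueError:
        return None  # missing or unparsable address is never trusted
    if any(addr in net for net in AUTHORIZED_NETS):
        return "authorized-ip"
    return None

def post_auth_policy(attrs, trust):
    """Hypothetical hook: the policy that should run only for trusted senders."""
    return "DUNNO"

def decide(attrs, policy=post_auth_policy):
    trust = classify(attrs)
    if trust is None:
        return "DUNNO"  # not our case: leave it to the later restrictions
    return policy(attrs, trust)

def serve(stream_in=sys.stdin, stream_out=sys.stdout):
    """Answer requests on stdin/stdout; an empty line ends each request."""
    request = []
    for line in stream_in:
        if line.strip():
            request.append(line)
            continue
        stream_out.write("action=%s\n\n" % decide(parse_request(request)))
        stream_out.flush()
        request = []

if __name__ == "__main__":
    serve()
```
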