On 9/17/12 4:15 PM, /dev/rob0 wrote:
> On Mon, Sep 17, 2012 at 03:51:03PM -0500, l...@airstreamcomm.net wrote:
>> We would like to block a couple ranges of ips before a sasl login is
>> able to happen.  Smtpd_recipient_restrictions looks like this:
>>
>> smtpd_recipient_restrictions =
>>          permit_mynetworks,
>>          check_client_access cidr:/etc/postfix/restricted
>
> If the blocked IP address is in the cidr:/etc/postfix/restricted map
> with a reject result, it might do what you want.
>
>>          permit_sasl_authenticated,
>>          check_client_access mysql:/etc/postfix/authb4smtp.cf,
>
> If it is returned by the mysql:/etc/postfix/authb4smtp.cf query, it
> will not do anything useful, because you already passed
> "permit_sasl_authenticated".
>
>>          reject_unauth_destination
>>
>> Just want to confirm this configuration will reject connections
>> before sasl is allowed.
>
> I'm thinking you want to reject mail from a user which will be
> authenticated. But what you SAY here is "reject *connections* before
> sasl is allowed."
>
> If you mean what I think you mean, see above. If you mean exactly
> what you say, see the other posts in the thread (I think I'd go for
> the firewall blocking, personally.)
>
>>   Also would it make more sense to put the
>> check_client_access cidr:/etc/postfix/restricted in
>> smtpd_client_restrictions instead?
>
> Maybe. See
>      http://www.postfix.org/SMTPD_ACCESS_README.html

Thanks for the reply. Essentially we would like to be able to reject mail from IP ranges and log the rejected mail so we can tell where it was coming from, hence the idea to set a CIDR range to reject in /etc/postfix/restricted. We disable authentication per username based on the query for auth in Dovecot, so that is handled in the permit_sasl_authenticated phase. Just to clarify, if the IP is rejected in the check_client_access /etc/postfix/restricted, none of the following rules in smtpd_recipient_restrictions should apply to that message, correct?
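
Added example, not part of the thread and not Postfix code: a small Python model of the in-order, first-match evaluation of the smtpd_recipient_restrictions list quoted above. The table contents, the `db` stand-in for the mysql: lookup, and all function names are assumptions; only OK and REJECT results are modelled.

```python
import ipaddress

# Constructed stand-in for /etc/postfix/restricted (documentation ranges).
CIDR_TABLE = """\
# pattern          action
192.0.2.0/24       REJECT blocked range
198.51.100.0/24    REJECT blocked range
"""

def parse_cidr_table(text):
    """Parse 'network action' lines; blank lines and # comments are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            pattern, action = line.split(None, 1)
            rules.append((ipaddress.ip_network(pattern), action))
    return rules

def cidr_lookup(rules, addr):
    """Return the action of the first matching network, else None."""
    return next((action for net, action in rules if addr in net), None)

def evaluate(client_ip, sasl_authenticated, rcpt_is_ours,
             mynetworks=("127.0.0.0/8",), db=None):
    """Walk the list in order; return (verdict, deciding restriction)."""
    addr = ipaddress.ip_address(client_ip)
    if any(addr in ipaddress.ip_network(n) for n in mynetworks):
        return "OK", "permit_mynetworks"
    action = cidr_lookup(parse_cidr_table(CIDR_TABLE), addr)
    if action:  # a REJECT here ends evaluation, authenticated or not
        return action.split()[0], "check_client_access cidr"
    if sasl_authenticated:  # nothing after this line is consulted
        return "OK", "permit_sasl_authenticated"
    # Hypothetical result set standing in for the mysql: lookup.
    action = (db or {}).get(client_ip)
    if action:
        return action.split()[0], "check_client_access mysql"
    if not rcpt_is_ours:
        return "REJECT", "reject_unauth_destination"
    return "OK", "end of list"

if __name__ == "__main__":
    db = {"203.0.113.5": "REJECT"}  # constructed sample entry
    for ip, auth in [("192.0.2.10", True), ("203.0.113.5", True),
                     ("203.0.113.5", False)]:
        print(ip, auth, evaluate(ip, auth, rcpt_is_ours=False, db=db))
```
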
