On 17/09/2012 23:26, l...@airstreamcomm.net wrote:
> On 9/17/12 4:15 PM, /dev/rob0 wrote:
>> On Mon, Sep 17, 2012 at 03:51:03PM -0500, l...@airstreamcomm.net wrote:
>>> We would like to block a couple ranges of ips before a sasl login is
>>> able to happen. Smtpd_recipient_restrictions looks like this:
>>>
>>> smtpd_recipient_restrictions =
>>> permit_mynetworks,
>>> check_client_access cidr:/etc/postfix/restricted
>> If the blocked IP address is in the cidr:/etc/postfix/restricted map
>> with a reject result, it might do what you want.
>>
>>> permit_sasl_authenticated,
>>> check_client_access mysql:/etc/postfix/authb4smtp.cf,
>> If it is returned by the mysql:/etc/postfix/authb4smtp.cf query, it
>> will not do anything useful, because you already passed
>> "permit_sasl_authenticated".
>>
>>> reject_unauth_destination
>>>
>>> Just want to confirm this configuration will reject connections
>>> before sasl is allowed.
>> I'm thinking you want to reject mail from a user which will be
>> authenticated. But what you SAY here is "reject *connections* before
>> sasl is allowed."
>>
>> If you mean what I think you mean, see above. If you mean exactly
>> what you say, see the other posts in the thread (I think I'd go for
>> the firewall blocking, personally.)
>>
>>> Also would it make more sense to put the
>>> check_client_access cidr:/etc/postfix/restricted in
>>> smtpd_client_restrictions instead?
>> Maybe. See
>> http://www.postfix.org/SMTPD_ACCESS_README.html
> Thanks for the reply. Essentially we would like to be able to reject
> mail from ip ranges and log the rejected mail so we can tell where it
> was coming from, hence the idea to set a cidr range to reject in
> /etc/postfix/restricted. We disable authentication per username based
> on the query for auth in dovecot, so that is handled in the
> permit_sasl_authenticated phase.
>
> Just to clarify, if the IP is rejected in the check_client_access
> /etc/postfix/restricted, none of the following rules in
> smtpd_recipient_restrictions should apply to that message, correct?
>
Yes. But as Wietse said, this doesn't prevent users from trying to auth. By default smtpd_{client,hello,sender,recipient}_restrictions are applied at RCPT (recipient) time. Don't change this behaviour unless you know what you are doing.
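To make the ordering point concrete, here is an added example (written for this page, not code from the thread or from Postfix) that models how the poster's smtpd_recipient_restrictions list is walked at RCPT TO time. It parses a small cidr: table in cidr_table(5) format and evaluates the restrictions in the order given above. The table contents, the mynetworks ranges, the local domain and the log-line shape are constructed assumptions. It shows that a client inside a rejected range is refused by check_client_access before permit_sasl_authenticated is ever reached, even if its AUTH command already succeeded, because nothing in this list runs before RCPT.

```python
import ipaddress

# Constructed stand-in for /etc/postfix/restricted (cidr_table(5) format).
# The ranges are documentation-only addresses chosen for this example.
RESTRICTED_CIDR = """\
# network/prefix     result
203.0.113.0/24       REJECT Client range is blocked
2001:db8:dead::/48   REJECT Client range is blocked
"""

# Assumed values for permit_mynetworks and reject_unauth_destination.
MYNETWORKS = [ipaddress.ip_network("127.0.0.0/8"),
              ipaddress.ip_network("192.0.2.0/24")]
MYDESTINATION = {"example.com"}


def parse_cidr_table(text):
    """Parse a cidr: table: one 'network/prefix result' rule per line,
    '#' comments and blank lines ignored. Order is kept because Postfix
    uses the first matching rule."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        pattern, result = line.split(None, 1)
        rules.append((ipaddress.ip_network(pattern, strict=False), result))
    return rules


def cidr_lookup(rules, client_ip):
    """Return the result string of the first matching rule, or None."""
    addr = ipaddress.ip_address(client_ip)
    for net, result in rules:
        if addr in net:  # False for a v4/v6 version mismatch, no error
            return result
    return None


def evaluate_recipient_restrictions(client_ip, sasl_authenticated, recipient, rules):
    """Walk the poster's list in order. Returns (action, text, decided_by).
    In Postfix this runs at RCPT TO (smtpd_delay_reject=yes by default),
    so any AUTH exchange has already happened by the time it is consulted."""
    addr = ipaddress.ip_address(client_ip)

    # permit_mynetworks
    if any(addr in net for net in MYNETWORKS):
        return ("OK", "", "permit_mynetworks")

    # check_client_access cidr:/etc/postfix/restricted
    result = cidr_lookup(rules, client_ip)
    if result is not None:
        action, _, text = result.partition(" ")
        if action.upper() == "REJECT":
            return ("REJECT", text or "Access denied", "check_client_access")
        if action.upper() == "OK":
            return ("OK", "", "check_client_access")
        # DUNNO or other results: fall through to the next restriction

    # permit_sasl_authenticated
    if sasl_authenticated:
        return ("OK", "", "permit_sasl_authenticated")

    # check_client_access mysql:/etc/postfix/authb4smtp.cf is only reached
    # by unauthenticated clients; it is left out of this model.

    # reject_unauth_destination: reject unless the domain is ours
    domain = recipient.rpartition("@")[2].lower()
    if domain not in MYDESTINATION:
        return ("REJECT", "Relay access denied", "reject_unauth_destination")

    # End of list: Postfix permits by default.
    return ("OK", "", "end of list")


def reject_log_line(client_ip, recipient, text):
    """Approximate the shape of the maillog entry the poster wants to see
    (constructed format, not verbatim Postfix output)."""
    return ("NOQUEUE: reject: RCPT from unknown[%s]: 554 5.7.1 <%s>: "
            "Client host rejected: %s" % (client_ip, recipient, text))


if __name__ == "__main__":
    rules = parse_cidr_table(RESTRICTED_CIDR)
    for ip, authed, rcpt in [("203.0.113.5", True, "user@elsewhere.example"),
                             ("198.51.100.7", True, "user@elsewhere.example"),
                             ("198.51.100.7", False, "user@elsewhere.example"),
                             ("198.51.100.7", False, "user@example.com")]:
        action, text, by = evaluate_recipient_restrictions(ip, authed, rcpt, rules)
        print(ip, "sasl=%s" % authed, rcpt, "->", action, by)
        if action == "REJECT" and by == "check_client_access":
            print("  ", reject_log_line(ip, rcpt, text))
```

The first case is the one the thread is about: the authenticated client in 203.0.113.0/24 is rejected by check_client_access with the table's text in the log, and permit_sasl_authenticated never gets a vote. Moving the same cidr: lookup to smtpd_client_restrictions would not change when it fires, since with the default smtpd_delay_reject the client restrictions are also evaluated at RCPT.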