I still can't quite get my head around it. I am fairly new to Postfix.

If a user connects via SASL, they get permitted too early, and miss out on
the check_policy_service.

smtpd_recipient_restrictions =
...
        permit_sasl_authenticated,
        reject_unauth_destination,
        check_policy_service unix:private/checkfull,
...

I can't work out the combination of rules that will give me what I want.

What I want.
1) non sasl, incoming mail permitted, and seen by checkfull.
2) non sasl, outgoing mail (from inside) permitted, not seen by checkfull.
3) non sasl, outgoing mail (from outside) rejected (not be an open relay,
obviously)
4) sasl, outgoing permitted, not seen by checkfull
5) sasl, incoming permitted, seen by checkfull

Restriction classes may do what I want, but I'm not sure. I will
investigate that option.

Thanks, Brock
PS: Thanks for the tip about _data_ treatment of recipients.

On Wednesday, 19 September 2012, Wietse Venema <wie...@porcupine.org> wrote:
> On Wed, Sep 19, 2012 at 02:24:13PM +1000, Brock Henry wrote:
>> I have created a policy service, which checks quota, returning
>> 'reject' if the mailbox is full, and 'dunno' otherwise.
>>
>> smtpd_(data|recipient)_restrictions =
>>    check_policy_service unix:private/checkfull
>>
>> And it's all working fine.
>>
>> However, I only want that policy to trigger for incoming mail -
>> mail for which I am the final destination.
>>
>> For outgoing mail (from my customers to elsewhere), I don't want to
>> trigger that policy at all.
>>
>> I can't work out how I can do that.
>
> Short reply:
>
> Use the check_policy_service command after reject_unauth_destination.
>
> Long reply:
>
> Conceptually, smtpd_mumble_restrictions implements a sequence of
> filters.
>
> In this case, reject_unauth_destination filters out all destinations
> that you aren't primary or backup MX host for.
>
> So, by the time that evaluation reaches check_policy_service after
> reject_unauth_destination, there are no outgoing mail destinations.
>
>         Wietse
>
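
An added example, not part of the thread and not Postfix code: a simplified Python model of the first-match evaluation discussed above, run over the three restrictions visible in the posted list. It shows that permit_sasl_authenticated ends evaluation before checkfull is consulted for SASL incoming mail, and that no reordering of these three restrictions alone meets cases 1, 3, 4 and 5. The function names mirror the Postfix restriction names; the model, the sample cases and the helper names are assumptions.

```python
from itertools import permutations

# Simplified model of first-match evaluation: each restriction returns
# "permit", "reject" or "dunno"; the first non-"dunno" result ends the
# list, and falling off the end permits the recipient.
def permit_sasl_authenticated(msg):
    return "permit" if msg["sasl"] else "dunno"

def reject_unauth_destination(msg):
    return "dunno" if msg["local_rcpt"] else "reject"

def check_policy_service(msg):
    msg["seen"] = True   # checkfull was consulted
    return "dunno"       # constructed: the mailbox is never full here

POSTED = (permit_sasl_authenticated, reject_unauth_destination,
          check_policy_service)

def evaluate(restrictions, sasl, local_rcpt):
    """Return (action, seen_by_checkfull) for one RCPT TO."""
    msg = {"sasl": sasl, "local_rcpt": local_rcpt, "seen": False}
    for restriction in restrictions:
        result = restriction(msg)
        if result != "dunno":
            return result, msg["seen"]
    return "permit", msg["seen"]

# Constructed cases from the list in the message: (sasl, local_rcpt) -> wanted.
# Case 2 (mail from inside) depends on the elided lines and is not modelled.
# For case 3 the message only says "rejected"; "not seen" is assumed here.
WANTED = {
    (False, True):  ("permit", True),   # 1) non-SASL incoming
    (False, False): ("reject", False),  # 3) non-SASL outgoing from outside
    (True,  False): ("permit", False),  # 4) SASL outgoing
    (True,  True):  ("permit", True),   # 5) SASL incoming
}

def failures(restrictions):
    """Cases whose outcome differs from WANTED for this ordering."""
    return [case for case, want in WANTED.items()
            if evaluate(restrictions, *case) != want]

def orderings_that_work():
    return [tuple(r.__name__ for r in order)
            for order in permutations(POSTED) if not failures(order)]

if __name__ == "__main__":
    print("posted order fails:", failures(POSTED))
    print("orderings meeting all four cases:", orderings_that_work())
```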
