On 20/09/2012 05:05, Brock Henry wrote:
> I still can't quite get my head around it. I am fairly new to Postfix.
> 
> If a user connects via SASL, they get permitted too early, and miss out on
> the check_policy_service.
> 
> smtpd_recipient_restrictions =
> ...
>         permit_sasl_authenticated,
>         reject_unauth_destination,
>         check_policy_service unix:private/checkfull,
> ...
> 
> I can't work out the combination of rules that will give me what I want.
> 
> What I want.
> 1) non sasl, incoming mail permitted, and seen by checkfull.
> 2) non sasl, outgoing mail (from inside) permitted, not seen by checkfull.
> 3) non sasl, outgoing mail (from outside) rejected (not be an open relay,
> obviously)
> 4) sasl, outgoing permitted, not seen by checkfull
> 5) sasl, incoming permitted, seen by checkfull
> 
> Restriction classes may do what I want, but I'm not sure. I will
> investigate that option.
> 

It is easier to rephrase your needs.

If I understand, you want to implement this:
1- you allow the "usual" stuff (from mynetworks, from sasl, to your
domains); and
2- for mail to your domains, you check policy except if it's from mynetworks

Then implement the first under smtpd_recipient_restrictions as usual
and the second using restriction classes. For safety, use another
smtpd_mumble_restrictions for this (an error could make you an open
relay). I am assuming smtpd_delay_reject=yes.



# main.cf (list items may be separated by commas or whitespace)
smtpd_restriction_classes =
        ...
        policy_checkfull

# evaluated at RCPT TO before smtpd_recipient_restrictions (smtpd_delay_reject=yes);
# a permit here only ends this list, it does not skip the recipient restrictions
smtpd_sender_restrictions =
        permit_mynetworks
        check_recipient_access hash:/etc/postfix/mydomains_checkfull

# relay control stays in its usual place, unchanged
smtpd_recipient_restrictions =
        permit_mynetworks
        permit_sasl_authenticated
        reject_unauth_destination
        ...

# the class named by the access map; only this list talks to the policy daemon
policy_checkfull =
        check_policy_service unix:private/checkfull


=== cat /etc/postfix/mydomains_checkfull   (source of hash:/etc/postfix/mydomains_checkfull; run postmap on it after editing)
# the full address is looked up before its domain, so this entry exempts joe
joe@mydomain1.example   DUNNO
mydomain1.example       policy_checkfull
.mydomain1.example      policy_checkfull
mydomain2.example       policy_checkfull
.mydomain2.example      policy_checkfull
mydomain3.example       policy_checkfull
.mydomain3.example      policy_checkfull

Note 1. If you don't mind the call to checkfull, then better let it
manage the "complexity". See Joel's post.

Note 2. I deliberately ignored the goal of your policy service. Quota
checking is not a simple problem (multi-recipient mail, multiple mails
coming at the same time, ...).


> Thanks, Brock
> PS: Thanks for the tip about _data_ treatment of recipients.
> 

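The evaluation the reply relies on (a permit in smtpd_sender_restrictions only ends that list, so the policy check there still runs for SASL clients, while permit_mynetworks skips it for the LAN), as an added example that is not part of the original post or of Postfix itself: a small Python model of the access(5) lookup order and of first-match restriction evaluation, run over the five cases from the question. The mynetworks ranges, mydestination, the client IPs and the policy daemon's answers are assumed values.

```python
"""Model of how Postfix evaluates the two restriction lists in the reply.

Added example, not Postfix code: it re-implements only the access(5) key
order and the first-match rule of SMTPD_ACCESS_README needed to show which
of the five cases reach check_policy_service.  mynetworks, mydestination,
client IPs and the policy answers are assumed values.
"""
import ipaddress

# Same entries as the access map shown in the reply (constructed copy).
MYDOMAINS_CHECKFULL = {
    "joe@mydomain1.example": "DUNNO",
    "mydomain1.example": "policy_checkfull",
    ".mydomain1.example": "policy_checkfull",
    "mydomain2.example": "policy_checkfull",
    ".mydomain2.example": "policy_checkfull",
    "mydomain3.example": "policy_checkfull",
    ".mydomain3.example": "policy_checkfull",
}
TABLES = {"hash:/etc/postfix/mydomains_checkfull": MYDOMAINS_CHECKFULL}
MYNETWORKS = [ipaddress.ip_network("127.0.0.0/8"),
              ipaddress.ip_network("192.0.2.0/24")]            # assumed
MYDESTINATION = {"mydomain1.example", "mydomain2.example",
                 "mydomain3.example"}                          # assumed

# The two lists from the reply; the class body is expanded where the map names it.
SENDER_RESTRICTIONS = ["permit_mynetworks",
                       "check_recipient_access hash:/etc/postfix/mydomains_checkfull"]
RECIPIENT_RESTRICTIONS = ["permit_mynetworks", "permit_sasl_authenticated",
                          "reject_unauth_destination"]
CLASSES = {"policy_checkfull": ["check_policy_service unix:private/checkfull"]}
ACTIONS = {"OK", "REJECT", "DUNNO"}


def access_lookup(address, table, legacy_subdomains=True):
    """access(5) key order: user@domain, domain, each parent domain (bare form
    when smtpd_access_maps is in parent_domain_matches_subdomains, the
    default; ".parent" otherwise), then user@.  Address extensions are not
    modelled."""
    address = address.lower()
    user, _, domain = address.rpartition("@")
    keys = [address, domain]
    labels = domain.split(".")
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        keys.append(parent if legacy_subdomains else "." + parent)
    keys.append(user + "@")
    for key in keys:
        if key in table:
            return table[key]
    return None


def evaluate(restrictions, ctx, trace):
    """Walk one restriction list: the first OK or REJECT wins, DUNNO moves on.
    Returns 'OK', 'REJECT' or 'DUNNO' (list exhausted)."""
    for item in restrictions:
        name, _, arg = item.partition(" ")
        if name == "permit_mynetworks":
            if any(ctx["ip"] in net for net in MYNETWORKS):
                return "OK"
        elif name == "permit_sasl_authenticated":
            if ctx["sasl"]:
                return "OK"
        elif name == "reject_unauth_destination":
            if ctx["recipient"].rpartition("@")[2].lower() not in MYDESTINATION:
                return "REJECT"
        elif name == "check_recipient_access":
            result = access_lookup(ctx["recipient"], TABLES[arg])
            if result in CLASSES:               # map value names a restriction class
                result = evaluate(CLASSES[result], ctx, trace)
            elif result is not None and result not in ACTIONS:
                raise ValueError("unknown access map result: " + result)
            if result in ("OK", "REJECT"):
                return result
        elif name == "check_policy_service":
            trace.append(arg)                   # record that the policy daemon was asked
            action = ctx["policy"](ctx)
            if action in ("OK", "REJECT"):
                return action
        else:
            raise ValueError("unknown restriction: " + name)
    return "DUNNO"


def rcpt_to(ip, sasl, recipient, policy=lambda ctx: "DUNNO"):
    """RCPT TO with smtpd_delay_reject=yes: lists run in order, an OK only ends
    the list it appears in, a REJECT ends the transaction, and reaching the
    end of the last list permits.  Returns (verdict, policy sockets asked)."""
    ctx = {"ip": ipaddress.ip_address(ip), "sasl": sasl,
           "recipient": recipient, "policy": policy}
    trace = []
    for restrictions in (SENDER_RESTRICTIONS, RECIPIENT_RESTRICTIONS):
        if evaluate(restrictions, ctx, trace) == "REJECT":
            return "REJECT", trace
    return "OK", trace


if __name__ == "__main__":
    # The five cases from the question plus the exempted address (assumed IPs).
    for ip, sasl, rcpt in [("203.0.113.9", False, "alice@mydomain1.example"),
                           ("192.0.2.10", False, "bob@other.example"),
                           ("203.0.113.9", False, "bob@other.example"),
                           ("203.0.113.9", True, "bob@other.example"),
                           ("203.0.113.9", True, "alice@sub.mydomain2.example"),
                           ("203.0.113.9", False, "joe@mydomain1.example")]:
        print(ip, "sasl" if sasl else "nosasl", rcpt, "->", rcpt_to(ip, sasl, rcpt))
```

Only the two inbound cases (and joe's exemption aside) show the policy socket in the trace, case 3 is the only REJECT, and passing a policy that answers REJECT for an authenticated inbound case still rejects, because the sender list runs before permit_sasl_authenticated gets its turn. The model raises on an unknown map value or restriction name instead of silently continuing, since a misspelled class name in the map is exactly the kind of slip the reply's open-relay warning is about.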