On 12/6/2012 5:26 PM, Dan Lists wrote: > On Thu, Dec 6, 2012 at 5:09 PM, Noel Jones <njo...@megan.vbhcs.org> wrote: >> On 12/6/2012 4:29 PM, Dan Lists wrote: >>> We relay email for our customers. They had some accounts Phished. I >>> wanted to hold email from those users so I could see the spam that was >>> going out and requeue the valid email. >>> >>> In main.cf I have: >>> >>> smtpd_sender_restrictions = >>> check_sender_access hash:$config_directory/sender_domains, >>> reject >>> >>> sender_domains has: >>> >>> u...@domain.tld HOLD >>> domain.tld OK >>> >>> What u...@domain.tld sends email I get: >>> >>> Dec 6 16:14:26 mailserver postfix/smtpd[47661]: NOQUEUE: hold: RCPT >>> from clientserv[12.34.56.78]: <u...@domain.tld>: Sender address >>> triggers HOLD action; from=<u...@domain.tld> to=<re...@other.dom> >>> proto=ESMTP helo=<clientserv> >>> Dec 6 16:14:26 mailserver postfix/smtpd[47661]: NOQUEUE: reject: RCPT >>> from clientserv[12.34.56.78]: 554 5.7.1 <u...@domain.tld>: Sender >>> address rejected: Access denied; from=<u...@domain.tld> >>> to=<re...@other.dom> proto=ESMTP helo=<clientserv> >>> >>> What am I doing wrong? >> >> Just a misconception... HOLD does not immediately freeze the >> message, nor does it instruct postfix to accept the message. >> Processing continues and a later restriction can still reject the >> message. > > Interesting. It worked when I did something similar in > smtpd_client_restrictions. > > smtpd_client_restrictions = > check_client_access hash:$config_directory/client_access > > client_access: > 12.34.56.78 HOLD > > Is that because the smtpd_client_restrictions does not have reject listed?
If the message was accepted and placed on hold, then it didn't hit any reject rules in any of the smtpd_*_restrictions, nor in header/body checks. > >> Probably the easiest solution here it to create your own HOLD_OK >> action so it works as you expect. >> >> # main.cf >> smtpd_restriction_classes = >> HOLD_OK >> >> HOLD_OK = >> reject_unauth_destination >> check_client_access static:hold >> permit > > We are relaying for them, so I assume I would want to leave out > reject_unauth_destinaion. Yes, I was assuming it was internal mail. -- Noel Jones > >> >> Then, in your sender_domain file, >> u...@domain.tld HOLD_OK >> domain.tld OK >> >> >> -- Noel Jones
