On 1/29/2014 7:12 AM, Alessio Cecchi wrote:
> On 29/01/2014 14:05, Wietse Venema wrote:
>> Alessio Cecchi:
>>> On 28/01/2014 18:01, Marc B wrote:
>>>>
>>>> Hi,
>>>>
>>>> I've got a small issue with our Postfix Relay which doesn't use the
>>>> Policyd-Weight daemon or Tumgreyspf which it should. The Policy-Weight
>>>> daemon is running and listens if I test it and the config has no errors
>>>> but still Postfix just ignores the policy service and proceeds the mail
>>>> to Amavis.
>>>
>>> [...]
>>>
>>>> smtpd_recipient_restrictions = permit_sasl_authenticated,
>>>> permit_mynetworks, reject_unauth_destination,
>>>> check_recipient_access
>>>> hash:/etc/postfix/relaydomains, check_policy_service
>>>> unix:private/tumgreyspf, check_policy_service inet:127.0.0.1:12525
>>>
>>> You must set check_policy_service as first check:
>>
>> DO NOT DO THIS. NEVER.
>
> Ok I understand!
>
> But if I need to enforce some policy (example for send rate limit)
> for authenticated the "check_policy_service" can be left as a last
> check?
>
> Thanks

For postfix 2.9 and earlier:
If you need to apply the policy check to mynetworks or authenticated
users, put it as the first check in
smtpd_{client, helo, sender, data}_restrictions, but never as the first
check in smtpd_recipient_restrictions. Ignoring this advice can make you
an open relay.

For postfix 2.10 and newer:
If you use the new smtpd_relay_restrictions to control relay access,
it's then safe to put a policy check first in
smtpd_recipient_restrictions.

  -- Noel Jones
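
The ordering rule from the reply above, as an added example that is not part of the original thread: a small audit that reads main.cf-style text and flags a check_policy_service placed ahead of reject_unauth_destination in smtpd_recipient_restrictions. It generalizes "never first" to "never before the relay check", and it assumes relay control counts as separate only when smtpd_relay_restrictions is set explicitly in the text (it does not model version defaults); the function names and sample configurations are constructed for illustration.

```python
import re

# Restrictions that refuse mail for destinations this server does not handle.
RELAY_GUARDS = {"reject_unauth_destination", "defer_unauth_destination"}

def _tokens(value):
    return [t for t in re.split(r"[,\s]+", value.strip()) if t]

def parse_main_cf(text):
    """Parse main.cf-style text into {parameter: [tokens]}."""
    params, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and current:   # continuation of previous parameter
            params[current] += _tokens(line)
        elif "=" in line:
            name, _, value = line.partition("=")
            current = name.strip()
            params[current] = _tokens(value)
    return params

def policy_before_relay_guard(text):
    """True if check_policy_service can answer before relay control runs."""
    params = parse_main_cf(text)
    # Postfix 2.10+: relay control set explicitly in its own list.
    if RELAY_GUARDS & set(params.get("smtpd_relay_restrictions", [])):
        return False
    for token in params.get("smtpd_recipient_restrictions", []):
        if token in RELAY_GUARDS:
            return False
        if token == "check_policy_service":
            return True
    return False

# Constructed sample configurations.
POLICY_FIRST = """smtpd_recipient_restrictions =
    check_policy_service inet:127.0.0.1:12525,
    permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
"""
POLICY_LAST = """smtpd_recipient_restrictions = permit_sasl_authenticated,
    permit_mynetworks, reject_unauth_destination,
    check_policy_service inet:127.0.0.1:12525
"""
RELAY_LIST = """smtpd_relay_restrictions = permit_mynetworks,
    permit_sasl_authenticated, reject_unauth_destination
smtpd_recipient_restrictions = check_policy_service inet:127.0.0.1:12525
"""
```

A True result marks an ordering to review by hand; whether mail is actually relayed depends on what the policy service replies.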