Created a restriction_classes rule which handles the policy checks now and I can keep the default restrictions.

[...]
smtpd_restriction_classes =
        check_policy_domains

check_policy_domains =
        check_policy_service unix:private/tumgreyspf,
        check_policy_service inet:127.0.0.1:12525

smtpd_recipient_restrictions =
        permit_sasl_authenticated,
        permit_mynetworks,
        reject_non_fqdn_recipient,
        reject_unauth_destination,
        reject_unknown_sender_domain,
        reject_unknown_helo_hostname,
        reject_unknown_recipient_domain,
        check_recipient_access hash:/etc/postfix/check_policy_domains.cf
[...]

So far it seems to be working, according to the log files.


Quoting Noel Jones <njo...@megan.vbhcs.org>:

On 1/29/2014 7:12 AM, Alessio Cecchi wrote:
On 29/01/2014 14:05, Wietse Venema wrote:
Alessio Cecchi:
On 28/01/2014 18:01, Marc B wrote:

Hi,

I've got a small issue with our Postfix Relay which doesn't use the
Policyd-Weight daemon or Tumgreyspf which it should. The Policy-Weight
daemon is running and listening if I test it and the config has no
errors but still Postfix just ignores the policy service and proceeds
the mail to Amavis.

[...]

smtpd_recipient_restrictions = permit_sasl_authenticated,
        permit_mynetworks, reject_unauth_destination,
        check_recipient_access hash:/etc/postfix/relaydomains,
        check_policy_service unix:private/tumgreyspf,
        check_policy_service inet:127.0.0.1:12525

You must set check_policy_service as first check:

DO NOT DO THIS. NEVER.

Ok I understand!

But if I need to enforce some policy (for example a send rate limit)
for authenticated users, can the "check_policy_service" be left as the
last check?

Thanks

For postfix 2.9 and earlier:
If you need to apply the policy check to mynetworks or authenticated
users, put it as the first check in smtpd_{client, helo, sender,
data}_restrictions, but never as the first check in
smtpd_recipient_restrictions. Ignoring this advice can make you an
open relay.

For postfix 2.10 and newer:
If you use the new smtpd_relay_restrictions to control relay access,
it's then safe to put a policy check first in
smtpd_recipient_restrictions.




  -- Noel Jones
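
As an added illustration of Noel Jones's advice above (not code from the thread or from Postfix): a small Python check that flags a main.cf in which check_policy_service comes before reject_unauth_destination in smtpd_recipient_restrictions while no smtpd_relay_restrictions guards relaying. The function names and sample configs are constructed, and it assumes that a missing smtpd_relay_restrictions means relay control is left to the recipient restrictions, as on Postfix 2.9 and earlier.

```python
import re

RELAY_GUARDS = {"reject_unauth_destination", "defer_unauth_destination"}

def parse_main_cf(text):
    """Return {parameter: value}, joining indented continuation lines."""
    params, name = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank and comment lines are ignored
        if line[0].isspace() and name:
            params[name] += " " + line.strip()  # continuation of previous value
        elif "=" in line:
            name, value = line.split("=", 1)
            name = name.strip()
            params[name] = value.strip()  # a later definition overrides an earlier one
    return params

def tokens(value):
    """Split a restriction list on commas and whitespace."""
    return [t for t in re.split(r"[,\s]+", value) if t]

def policy_before_relay_guard(text):
    """True if check_policy_service precedes the relay guard in
    smtpd_recipient_restrictions and smtpd_relay_restrictions has no guard."""
    params = parse_main_cf(text)
    if RELAY_GUARDS & set(tokens(params.get("smtpd_relay_restrictions", ""))):
        return False  # relay control is handled separately (Postfix 2.10+ layout)
    rcpt = tokens(params.get("smtpd_recipient_restrictions", ""))
    if "check_policy_service" not in rcpt:
        return False
    guard = min((rcpt.index(g) for g in RELAY_GUARDS if g in rcpt), default=len(rcpt))
    return rcpt.index("check_policy_service") < guard

# Constructed sample configs, not taken from the thread.
RISKY = """\
smtpd_recipient_restrictions =
        check_policy_service inet:127.0.0.1:12525,
        permit_mynetworks,
        reject_unauth_destination
"""
WITH_RELAY_RESTRICTIONS = """\
smtpd_relay_restrictions = permit_mynetworks, reject_unauth_destination
smtpd_recipient_restrictions =
        check_policy_service inet:127.0.0.1:12525
"""

if __name__ == "__main__":
    for label, cfg in (("risky", RISKY), ("2.10 layout", WITH_RELAY_RESTRICTIONS)):
        print(label, "->", "FLAG" if policy_before_relay_guard(cfg) else "ok")
```
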

