On 2/25/2014 7:50 PM, CSS wrote:
> On Feb 25, 2014, at 7:35 PM, Noel Jones wrote:
>
>> On 2/25/2014 6:06 PM, CSS wrote:
>>>
>>> I wonder if you could do this with a simple policy server? IIRC,
>>> the helo is one of the bits of data passed to the policy server, and
>>> logging the IP, to/from, helo and a few other things seems like it
>>> would be pretty simple. And just return an OK. Of course it would
>>> be a totally separate log file, but you'd have the data and you
>>> wouldn't have to alter the postfix source.
>>
>> Yes, that's possible. Make sure your policy service always returns
>> DUNNO, not OK, to postfix. But having a separate log seems messy.
>
> Just to make sure I understand this, DUNNO is going to let any
> further policy checks happen, OK would stop the match and any
> further checks would not happen (which would be bad), correct?
> Bear with me, I've skated along with minimal knowledge of Postfix
> for years and have just started ingesting the docs on the policy
> stuff…

"DUNNO" tells postfix to continue processing as if no match was
found. As your policy service must process each message, this is
always a safe response.
http://www.postfix.org/access.5.html

"OK" tells postfix to stop processing and permit the client. At best,
this invalidates any checks after the policy service; at worst, it
can make you an open relay. Careful placement of a global OK can be
safe, but no need to play with fire.
http://www.postfix.org/SMTPD_ACCESS_README.html#danger

> I don't think I'd personally implement such a thing, although I am
> now thinking it might be nifty to try my hand at a simple statistics
> gathering policy server as a little exercise in putting such a thing
> together. I know you can grab lots of information with various log
> analysis tools, but as an exercise it might be fun.

Yes, this would be an interesting learning exercise. If you had more
time to kill you could dump it to a database and generate some nifty
reports.

>>> Also a quick question on the patch below - if you're running
>>> postscreen, and it has decided a sending host is "bad", will the
>>> connection ever hit the real smtpd daemon and be logged?
>>
>> Postfix always includes the helo (if available) in a reject log
>> entry, whether the reject happens in postscreen or elsewhere. No
>> patch needed for that.
>
> Good to know, thanks. Wietse confirmed what I was assuming was
> true, that in the very specific case of the patch that was posted,
> it would not see any connections that postscreen blocked.

It's a very simple patch. All it does is change the existing "client"
log entry to include the helo hostname. No new log line, no new
behavior other than a few bytes added to an existing log entry.

--
Noel Jones
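A minimal version of the logging policy service discussed in the thread, added here as an illustration; it is not code from the thread and not Postfix's own. It speaks the name=value request/reply protocol from SMTPD_POLICY_README over stdin/stdout (the spawn(8) style of hooking up a policy service), writes client IP, client name, HELO name, sender and recipient to a separate log file, and always answers "dunno" so that every restriction listed after it still runs. The service name "helolog", the script and log paths, the master.cf/main.cf fragments in the docstring and the sample request are all assumptions made for the example.

```python
"""Added example (not from the thread, not Postfix code): a minimal SMTPD
policy service that logs client IP, client name, HELO name, sender and
recipient for every request and always replies "dunno", so every later
restriction still runs.

Assumed hook-up, following SMTPD_POLICY_README (service name, script
path and log path are assumptions):

  master.cf:
    helolog  unix  -       n       n       -       0       spawn
      user=nobody argv=/usr/local/bin/helolog.py /var/log/helolog.log
  main.cf:
    smtpd_recipient_restrictions =
        permit_mynetworks,
        reject_unauth_destination,
        check_policy_service unix:private/helolog

spawn(8) runs this script with the connection on stdin/stdout. Postfix
sends one "name=value" attribute per line, a blank line ends the request,
and it expects "action=<verb>" followed by a blank line in reply.
"""
import sys
import time
from typing import Dict, Iterable, Tuple

# Attributes copied into the log line; the full request carries more
# (queue_id, protocol_state, reverse_client_name, ...).
LOG_FIELDS = ("client_address", "client_name", "helo_name", "sender", "recipient")

# Constructed sample request, shaped like one Postfix sends at RCPT TO time.
SAMPLE_REQUEST = (
    "request=smtpd_access_policy\n"
    "protocol_state=RCPT\n"
    "protocol_name=ESMTP\n"
    "helo_name=mail.example.net\n"
    "queue_id=8045F2AB23\n"
    "sender=alice@example.net\n"
    "recipient=bob@example.org\n"
    "client_address=192.0.2.10\n"
    "client_name=mail.example.net\n"
    "\n"
)


def parse_policy_request(lines: Iterable[str]) -> Dict[str, str]:
    """Read name=value lines up to the blank line that ends one request.

    Returns an empty dict at EOF, which is how the serve loop notices
    that Postfix has closed the connection.
    """
    attrs: Dict[str, str] = {}
    for raw in lines:
        line = raw.rstrip("\r\n")
        if line == "":
            break
        name, sep, value = line.partition("=")
        if sep:  # ignore anything that is not name=value
            attrs[name] = value
    return attrs


def format_log_line(attrs: Dict[str, str]) -> str:
    """Fixed field order so the separate log file greps and splits cleanly."""
    fields = " ".join("%s=%s" % (k, attrs.get(k, "")) for k in LOG_FIELDS)
    return "policy_helolog: " + fields


def policy_reply() -> str:
    """Always "dunno": Postfix moves on to the next restriction as if this
    service had not matched. Never return "ok" here: placed before
    reject_unauth_destination that turns the server into an open relay,
    and anywhere else it silently skips every check listed after it."""
    return "action=dunno\n\n"


def handle_request(lines: Iterable[str]) -> Tuple[str, str]:
    """Parse one request; return (log line, reply text)."""
    attrs = parse_policy_request(lines)
    return format_log_line(attrs), policy_reply()


def serve(inp, out, log) -> int:
    """Answer requests until Postfix closes the connection; returns the count."""
    handled = 0
    while True:
        attrs = parse_policy_request(inp)
        if not attrs:
            return handled
        log.write(time.strftime("%b %d %H:%M:%S ") + format_log_line(attrs) + "\n")
        log.flush()
        out.write(policy_reply())
        out.flush()  # Postfix waits for the reply's blank line before continuing
        handled += 1


if __name__ == "__main__":
    # Log path is an assumption; master.cf above passes it as argv[1].
    log_path = sys.argv[1] if len(sys.argv) > 1 else "/var/log/helolog.log"
    with open(log_path, "a") as logfile:
        serve(sys.stdin, sys.stdout, logfile)
```

Because the reply is always "dunno", it does not matter for safety where in smtpd_recipient_restrictions the check_policy_service line sits; the open-relay case only arises when a service answers "ok" from a position before reject_unauth_destination. As noted later in the thread, a connection that postscreen rejects never reaches smtpd, so it never reaches this service either: the separate log covers only clients that got as far as the restriction stage.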