Hi,

Since, try as we might, folks still respond to phishing attacks with their email name and password, at least I can mitigate the damage to our network reputation when the bad boys use what they’ve caught as a vehicle for sending out 1000’s of SPAM messages. The policyd daemon is a perfect tool for setting quotas (i.e., number of messages per hour, day, etc.). The problem is that we depend heavily on Postfix’s extraordinary ability to do LDAP-based aliasing of groups, and when it does, each resulting message gets counted against the sender. Is there some nice trick I can do so that the check_policy_service runs only once, before the lists are exploded?
Immediately below is the configuration that invokes policyd, below that is the configuration for a one-to-one alias (i.e., the uid returns a single address), and below that is a configuration that reads an LDAP group record with multiple DNs as a uniquemember (a multiply occurring attribute), where each DN results in a single mail address (i.e., a one-to-many alias).

smtpd_helo_restrictions =
smtpd_client_restrictions =
smtpd_sender_restrictions =
smtpd_recipient_restrictions =
    hash:/etc/postfix/protected_destinations,proxy:ldap:limittag
    check_client_access hash:/etc/postfix/client_checks
    check_policy_service inet:127.0.0.1:10031
    permit_mynetworks
    reject_unauth_destination
    reject_invalid_hostname
    reject_non_fqdn_recipient
    reject_unknown_sender_domain
    reject_unknown_recipient_domain
    reject
smtpd_end_of_data_restrictions = check_policy_service inet:127.0.0.1:10031

ldaptag_server_host = $default_ldap_host
ldaptag_bind_dn = <the DN>
ldaptag_bind_pw = <the password>
ldaptag_search_base = o=linfield.edu
ldaptag_query_filter = (uid=%s)
ldaptag_result_attribute = mailRoutingAddress

grouptag_server_host = $default_ldap_host
grouptag_bind_dn = <the DN>
grouptag_bind_pw = <the password>
grouptag_search_base = ou=groups,o=linfield.edu
grouptag_query_filter = (&(|(mailLocalAddress=%s)(uid=%s)))
grouptag_special_result_attribute = uniquemember
grouptag_result_attribute = mailRoutingAddress

Any help would be greatly appreciated.

Thanks.

Rob Tanner
UNIX Services Manager
Linfield College, McMinnville Oregon

ITS will never ask you for your password. Please don’t share yours with anyone!
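
Added example, not part of the original post and not policyd's code: a per-sender quota decision over Postfix policy delegation requests, as sent by check_policy_service, that charges the quota once per message at the END-OF-MESSAGE stage instead of once per RCPT TO. The class name, the quota values and the sample requests are assumptions constructed for illustration; the attribute names (protocol_state, sender, sasl_username, recipient_count) and the action= reply format are those of the Postfix policy delegation protocol.

```python
import time
from collections import defaultdict, deque

DUNNO = "action=DUNNO\n\n"  # "no opinion": let the remaining restrictions decide

def parse_request(text):
    """Parse one policy request: name=value lines ended by an empty line."""
    attrs = {}
    for line in text.splitlines():
        if not line:
            break
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value
    return attrs

class SenderQuota:
    """Sliding-window message quota per sender (hypothetical helper)."""

    def __init__(self, limit, window_seconds):
        self.limit = limit
        self.window = window_seconds
        self.sent = defaultdict(deque)  # sender key -> timestamps of counted messages

    def decide(self, attrs, now=None):
        now = time.time() if now is None else now
        # Charge the quota once per message, at end of data, not once per RCPT TO.
        if attrs.get("protocol_state") != "END-OF-MESSAGE":
            return DUNNO
        # Prefer the authenticated login; the envelope sender is client-supplied.
        key = (attrs.get("sasl_username") or attrs.get("sender") or "").lower()
        if not key:  # null sender (bounces) with no login: nothing to attribute
            return DUNNO
        stamps = self.sent[key]
        while stamps and now - stamps[0] >= self.window:
            stamps.popleft()  # drop messages that fell out of the window
        if len(stamps) >= self.limit:
            return "action=REJECT Sending quota exceeded\n\n"
        stamps.append(now)
        return DUNNO

# Constructed sample requests for one message with two recipients.
RCPT = ("request=smtpd_access_policy\nprotocol_state=RCPT\n"
        "sender=user@example.edu\nrecipient=list@example.edu\n"
        "sasl_username=user\n\n")
EOM = ("request=smtpd_access_policy\nprotocol_state=END-OF-MESSAGE\n"
       "sender=user@example.edu\nrecipient_count=2\nsasl_username=user\n\n")
```

With a limit of 2 per hour, any number of RCPT-stage requests leaves the counter untouched, and the third END-OF-MESSAGE request inside the window gets the REJECT reply.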