On Apr 9, 2014, at 9:17 PM, Viktor Dukhovni <postfix-us...@dukhovni.org> wrote:
> On Thu, Apr 10, 2014 at 02:38:32AM +0000, Rob Tanner wrote:
>
>> The policyd daemon is a perfect tool for setting quotas (i.e., number
>> of messages per hour, day, etc). The problem is that we depend
>> heavily on Postfix's extraordinary ability to do LDAP based aliasing
>> of groups and when it each resulting message get counting against
>> the sender. Is there some nice trick I can do so that the
>> check_policy_service runs only once, before the lists are exploded?
>
> You can run the relevant policy check from smtpd_data_restrictions
> instead of smtpd_recipient_restrictions. The alias expansion clearly
> takes place upstream since policyd processing in smtpd(8) precedes
> virtual alias expansion in cleanup(8).
>

Changed the main.cf, removing the check_policy_service parameter from
smtpd_recipient_restrictions and moved it to smtpd_data_restrictions as
follows:

smtpd_data_restrictions = check_policy_service inet:127.0.0.1:10031
smtpd_end_of_data_restrictions = check_policy_service inet:127.0.0.1:10031

The result was that policyd never saw any messages. There were no
cbpolicyd log entries in the maillog. I put the check_policy_service
parameter back under smtpd_recipient_restrictions and policyd immediately
began tracking the quotas again.

Something else must be required. I’m open to any and all suggestions.

~ Rob

>> smtpd_recipient_restrictions =
>>     hash:/etc/postfix/protected_destinations,proxy:ldap:limittag
>>     check_client_access hash:/etc/postfix/client_checks
>>     check_policy_service inet:127.0.0.1:10031
>>     permit_mynetworks
>>     reject_unauth_destination
>>     reject_invalid_hostname
>>     reject_non_fqdn_recipient
>>     reject_unknown_sender_domain
>>     reject_unknown_recipient_domain
>>     reject
>>
>> smtpd_end_of_data_restrictions =
>>     check_policy_service inet:127.0.0.1:10031
>
> This is both too early and too late. Apply the relevant check in
> smtpd_data_restrictions, however you won't see each recipient in
> turn. It may also be possible to detect multiple recipients for
> the same envelope in a policy request and consolidate the counts.
>
> --
> Viktor.
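
The consolidation Viktor mentions at the end of the thread, sketched as an added example (not code from the thread or from policyd): it relies on the `instance` attribute, which Postfix's policy delegation protocol keeps identical across all requests for one message. The class name, quota limit and sample addresses are assumptions made for illustration.

```python
# Added illustration: count a sender's quota once per message, not per RCPT.
from collections import defaultdict


def parse_request(block):
    """Parse one policy delegation request (name=value lines) into a dict."""
    attrs = {}
    for line in block.strip().splitlines():
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value
    return attrs


class SenderQuota:  # hypothetical helper, not part of policyd
    def __init__(self, limit):
        self.limit = limit
        self.seen = set()              # instance ids already counted
        self.counts = defaultdict(int)  # messages per sender

    def check(self, attrs):
        sender = attrs.get("sender", "").lower()
        instance = attrs.get("instance", "")
        # A request without an instance id cannot be correlated, so count it.
        if not instance or instance not in self.seen:
            self.seen.add(instance)    # a real service would expire old ids
            self.counts[sender] += 1
        if self.counts[sender] > self.limit:
            return "action=defer_if_permit Quota exceeded\n\n"
        return "action=DUNNO\n\n"


def sample_requests():
    """Constructed input: message 1 has three recipients, message 2 has one."""
    messages = (("1a2b.5346.0", ["a@example.org", "b@example.org", "c@example.org"]),
                ("1a2b.5346.1", ["d@example.org"]))
    return ["request=smtpd_access_policy\nprotocol_state=RCPT\n"
            f"instance={inst}\nsender=rob@example.com\nrecipient={rcpt}\n"
            for inst, rcpts in messages for rcpt in rcpts]


def run(limit=1):
    quota = SenderQuota(limit)
    replies = [quota.check(parse_request(r)) for r in sample_requests()]
    return quota.counts["rob@example.com"], replies


if __name__ == "__main__":
    print(run())
```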