Ronald F. Guilmette:
> > In the case of a Postfix-only solution, whitelist updates could be
> > generated by mis-using smtp_generic_maps, relocated_maps, etc. (add
> > an address if it isn't already "known")
>
> Could you be induced to elaborate on the above comment, hopefully at
> length?
With a socketmap daemon:

/etc/postfix/main.cf:
    relocated_maps = socketmap:inet:host:port:name
    relocated_maps = socketmap:unix:pathname:name

This queries relocated_maps for every envelope recipient before email
delivery. You provide a server that runs on the specified TCP host and
port (or UNIX-domain socket) that speaks the socketmap protocol, and
that answers all queries with "not found". The socketmap protocol is
described in the socketmap_table(5) manpage. There is a Python
socketmap implementation.

This server maintains a persistent database, adding an (address,
suitable Postfix access map reply, see below) entry if the database
entry does not already exist. The database could be MySQL, LMDB, but
not any version of Berkeley DB > 1.85 because that does not work with
Postfix locks.

The database is queried with check_sender_access, and returns the
suitable reply value that was stored by the socketmap server.

If you use a MySQL database then your server can also maintain a
"last update" time-stamp field with each address and reply so that
an inactive address can be recognized as "too old". When an active
address entry is mid-way towards expiration, the socketmap server
updates the time stamp to prevent the address from becoming "too old".

If you use an LMDB database then your server has to implement the
Postfix external locking protocol as described in lmdb_table(5). LMDB
built-in locks are not suitable (they require a world-writable
lockfile, and that would violate the Postfix security model).

	Wietse
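The daemon Wietse sketches above, written out as an added example (this is not code from the post, nor the Python socketmap implementation it mentions). It frames requests and replies as netstrings per socketmap_table(5), answers every relocated_maps query with NOTFOUND, and records each full sender address it sees together with an access-map reply and a "last seen" time stamp, refreshing the stamp once an entry is half way to expiry. The map name "seen", port 7777, the 30-day MAX_AGE, the stored "OK" reply and the use of SQLite in place of the MySQL or LMDB back end are all assumptions for the example; a separate check_sender_access table would read the same data.

```python
import socketserver
import sqlite3
import threading
import time

# All names and limits below are assumptions for this example, not from the post.
MAP_NAME = "seen"            # the ":name" field of socketmap:inet:host:port:name
MAX_AGE = 30 * 24 * 3600     # seconds of inactivity after which an address is "too old"
DEFAULT_REPLY = "OK"         # access-map reply stored for a newly seen address


def encode_netstring(payload: bytes) -> bytes:
    """Wrap payload in the netstring framing the socketmap protocol uses."""
    return b"%d:%s," % (len(payload), payload)


def decode_netstring(buf: bytes):
    """Return (payload, remaining bytes), or (None, buf) if the buffer is
    incomplete; raise ValueError on malformed framing."""
    colon = buf.find(b":")
    if colon < 0:
        if len(buf) > 10:            # a length prefix is never this long
            raise ValueError("missing length prefix")
        return None, buf
    if not buf[:colon].isdigit():
        raise ValueError("non-numeric netstring length")
    end = colon + 1 + int(buf[:colon])
    if len(buf) < end + 1:
        return None, buf
    if buf[end:end + 1] != b",":
        raise ValueError("missing netstring terminator")
    return buf[colon + 1:end], buf[end + 1:]


class AddressStore:
    """Persistent (address, reply, last_seen) table; SQLite stands in for MySQL/LMDB."""

    def __init__(self, path=":memory:"):
        self.lock = threading.Lock()
        self.db = sqlite3.connect(path, check_same_thread=False)
        self.db.execute("CREATE TABLE IF NOT EXISTS seen (address TEXT PRIMARY KEY, "
                        "reply TEXT NOT NULL, last_seen INTEGER NOT NULL)")

    def record(self, address, now=None):
        """Add an unknown address; refresh the stamp of a known one that is at
        least half way to expiry. Returns 'inserted', 'refreshed' or 'unchanged'."""
        now = int(time.time() if now is None else now)
        address = address.lower()
        with self.lock:
            row = self.db.execute("SELECT last_seen FROM seen WHERE address = ?", (address,)).fetchone()
            if row is None:
                self.db.execute("INSERT INTO seen VALUES (?, ?, ?)", (address, DEFAULT_REPLY, now))
                self.db.commit()
                return "inserted"
            if now - row[0] >= MAX_AGE // 2:
                self.db.execute("UPDATE seen SET last_seen = ? WHERE address = ?", (now, address))
                self.db.commit()
                return "refreshed"
            return "unchanged"

    def lookup(self, address, now=None):
        """What a check_sender_access lookup should yield: the stored reply, or
        None when the address is unknown or too old."""
        now = int(time.time() if now is None else now)
        with self.lock:
            row = self.db.execute("SELECT reply, last_seen FROM seen WHERE address = ?",
                                  (address.lower(),)).fetchone()
        if row is None or now - row[1] > MAX_AGE:
            return None
        return row[0]


def handle_request(store, payload: bytes) -> bytes:
    """Handle one request payload ('<name> <key>') and return the reply payload.
    Postfix only ever sees NOTFOUND; recording the address is the side effect."""
    try:
        name, key = payload.decode("utf-8").split(" ", 1)
    except ValueError:                   # no space, or undecodable bytes
        return b"PERM malformed request"
    if name != MAP_NAME:
        return b"PERM unknown map name"
    if "@" in key[1:]:                   # skip partial forms such as "user" or "@domain"
        store.record(key)
    return b"NOTFOUND "                  # status word followed by (empty) data


class SocketmapHandler(socketserver.BaseRequestHandler):
    """One Postfix client connection; it may carry many requests in sequence."""

    def handle(self):
        buf = b""
        while True:
            chunk = self.request.recv(4096)
            if not chunk:
                return
            buf += chunk
            while True:
                try:
                    payload, buf = decode_netstring(buf)
                except ValueError:
                    return               # malformed framing: drop the connection
                if payload is None:
                    break
                self.request.sendall(encode_netstring(handle_request(self.server.store, payload)))


def serve(host="127.0.0.1", port=7777, db_path="seen.sqlite"):
    """Run the daemon; pairs with 'relocated_maps = socketmap:inet:127.0.0.1:7777:seen'."""
    srv = socketserver.ThreadingTCPServer((host, port), SocketmapHandler)
    srv.store = AddressStore(db_path)
    srv.serve_forever()


if __name__ == "__main__":
    serve()
```

The server never returns OK, so Postfix's relocated handling is unaffected; the value that matters is what `lookup()` reports, which is the reply a check_sender_access table over the same store would give. The lock around the SQLite calls is what keeps the threaded server consistent here; with LMDB this is where the Postfix external locking protocol from lmdb_table(5) would have to be implemented instead.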