Quick question… I finally decided to build a web UI for our support guys to be able to manually kill relaying for compromised accounts using the new check_sasl_access (http://www.postfix.org/postconf.5.html#check_sasl_access) feature introduced in 2.11.
A thread regarding this is here: http://thread.gmane.org/gmane.mail.postfix.user/245474

So this does work - in my main mail account db table I added a column. If it’s empty, then the user is OK. If it contains something like “REJECT 5.7.1 Account Compromised”, then that error is returned to the sender, and all is well.

My main.cf checks look like this, with this check coming first:

    smtpd_recipient_restrictions =
        check_sasl_access proxy:mysql:$config_directory/sasl-access.cf
        check_policy_service inet:127.0.0.1:10031, # policyd
        permit_sasl_authenticated,
        permit_mynetworks,
        reject_unauth_destination

sasl-access.cf looks like this:

    hosts = 10.88.77.xx 10.88.77.xx
    user = xxxx
    password = xxxx
    dbname = vpopmail
    query = SELECT postfix_deny FROM vpopmail WHERE pw_name='%u' AND pw_domain='%d';

As noted, this functions well, but Postfix does not like the empty answer when there’s no match:

    Sep 17 12:27:16 smtp1 postfix/proxymap[46006]: warning: table "mysql:/usr/local/etc/postfix/sasl-access.cf": empty lookup result for: "x...@example.com" -- ignored

I briefly considered putting some kind of positive response as the default then realized that would short circuit my other checks (I think?). Is there a value I can return that will quell this warning but not allow any sasl-auth’d user to relay if the other checks would have blocked them?

Thanks,

Charles
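
An added example, not part of the original post and not Postfix code: a small Python model of the situation described above, using an in-memory SQLite table with constructed rows in place of MySQL. The `FILTERED` query and the `DUNNO` default are assumed ways to avoid the empty result; `lookup` and `evaluate` are hypothetical helpers that simplify Postfix's first-match restriction handling.

```python
import sqlite3

# Constructed sample rows; table and column names follow the post's sasl-access.cf.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE vpopmail (pw_name TEXT, pw_domain TEXT, postfix_deny TEXT)")
    db.executemany("INSERT INTO vpopmail VALUES (?, ?, ?)", [
        ("alice", "example.com", ""),  # healthy account, empty column
        ("mallory", "example.com", "REJECT 5.7.1 Account Compromised"),
    ])
    return db

# '?' stands in for the %u / %d substitution Postfix performs on the query.
ORIGINAL = "SELECT postfix_deny FROM vpopmail WHERE pw_name=? AND pw_domain=?"
# Assumed amendment: return no row at all when the column is empty.
FILTERED = ORIGINAL + " AND postfix_deny <> ''"

def lookup(db, query, user, domain):
    """Model one table lookup. Returns (action, warned)."""
    row = db.execute(query, (user, domain)).fetchone()
    if row is None:
        return None, False   # no row: key not found, nothing logged
    if not row[0]:
        return None, True    # row with empty value: "empty lookup result" warning
    return row[0], False

def evaluate(sasl_action, later_verdicts):
    """Simplified first-match walk over the restriction list.

    sasl_action is the check_sasl_access result; later_verdicts are the
    outcomes of the restrictions that follow it (policyd and the rest).
    """
    for verdict in [sasl_action, *later_verdicts]:
        if verdict is None or verdict == "DUNNO":
            continue         # no decision: fall through to the next restriction
        return verdict       # first permit or reject ends the evaluation
    return None

if __name__ == "__main__":
    db = make_db()
    policyd = "REJECT rate limit exceeded"  # constructed later verdict
    for name, query in (("original", ORIGINAL), ("filtered", FILTERED)):
        for user in ("alice", "mallory"):
            print(name, user, lookup(db, query, user, "example.com"))
    for default in ("OK", "DUNNO", None):
        print(repr(default), "->", evaluate(default, [policyd]))
```

In the model, an `OK` default wins before the policy service is consulted, while `DUNNO` or a filtered-out row lets the later restrictions decide.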