Viktor Dukhovni wrote:
On Mon, Mar 09, 2015 at 04:40:41AM +0000, Mick wrote:
I would not deploy this policy script. It requires a new Perl
process for each request. That's a rather bad idea. It does not
treat the sender address in a case-insensitive manner.
I hadn't thought of that. If the mail server is busy, a lot of processes could
end up running. You could limit the number of processes in master.cf though,
couldn't you?
I am not talking about concurrency, rather this still costs a Perl
invocation per lookup and Perl start-up time is considerable.
Ah, I see. Thanks for clarifying the difference. I run a Perl script
using spawn to block and group SMTP authenticated senders. Perhaps I
should look into making that script run as a daemon to save Perl start-up
time. Haven't a clue how. I guess that's my free time for the next 3
months booked!
The server might easily have problems under load, especially if you
limit concurrency too much.
True.
I agree running a service would be better. That's way beyond my limited
knowledge though.
That's why I am suggesting a TCP table driver (or even better, SQL).
I find the postfix instruction manual a nightmare, and the write-up on
smtpd_sender_login_maps is no exception. It contains no examples. The
manual is very good at telling you what can be achieved, but is written
for those already in the know I fear. I mean no offence to whoever
wrote the manual. Out of interest to me, and perhaps P.V. who asked the
question in the first place, how would you even start?
smtpd_sender_login_maps = exactly what?
Can you create a text file containing:
....
a...@domain.tld, f...@domain.tld, g...@domain.tld
b...@domain.tld, f...@domain.tld, h...@domain.tld, j...@domain.tld
....
Where the left column is the sender address and the addresses on the right are
SASL users allowed to send on behalf of that sender.
I note a comma can also be white space.
Save text file as "/etc/postfix/failure.1"
convert to DB file
postmap /etc/postfix/failure.1
add to main.cf
check_client_access hash:/etc/postfix/failure.1,
/etc/init.d/postfix reload
Will that work? I may have got that completely wrong. The write-up
mentions two further lookups: user@ and @domain. It was at that point
my eyes shattered from being glazed over ;-) .
With 2.10 use socketmap, and with 2.9 or less the tcp table to
implement smtpd_sender_login_maps. Whichever you use, make it
a persistent service not one process per lookup.
Out of interest, have you any links showing working examples? I doubt it'd be
as simple as creating a file, postmapping it to a db file and adding
check_sasl_access hash:/etc/postfix/sasl_checks
It's a damn simple protocol, you just need a persistent TCP listener.
I'll have to take your word there, but I like the sound of it being
simple. I will have to have a go at creating one if I find out enough
info to start.
However upgrading to Postfix 2.11 which supports check_sasl_access
is surely easier.
There's even less of a write-up on that so I can't comment. I would
sooner add a list of valid senders to the sasl_username list. Seems more
logical than the other way around. As far as Postfix 2.11 goes, I'm far
too green to wander outside the realms of the regular Debian Wheezy
distro where postfix is currently 2.9.6, although 2.11 is available via
backports. I think? I will wait.
Thanks for your reply Viktor.
Mick.
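A minimal persistent tcp_table(5) server of the kind Viktor describes, as an added example written for this thread (it is not Mick's spawn script nor anything shipped with Postfix); the sender table, the login names and port 2527 are constructed for illustration, and sender keys are matched case-insensitively, which is the other point Viktor raised.

```python
"""Persistent tcp_table(5) lookup server for smtpd_sender_login_maps (added example)."""
import re
import socketserver

# Constructed sample table: MAIL FROM address -> SASL logins allowed to use it.
# Keys are stored lower-cased so a lookup for Alice@Example.COM still matches.
SENDER_LOGINS = {
    "alice@example.com": ["alice", "shared@example.com"],
    "@example.org": ["postmaster"],  # @domain entry, one of the fallback keys Postfix asks for
}

def decode(s):
    # tcp_table encodes whitespace, '%' and non-printable bytes as %XX.
    return re.sub(r"%([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), s)

def encode(s):
    # The reply text is encoded the same way as the request key.
    return "".join(f"%{ord(c):02X}" if c == "%" or c.isspace() or not c.isprintable() else c
                   for c in s)

def lookup(key):
    logins = SENDER_LOGINS.get(key.lower())
    return f"200 {encode(','.join(logins))}" if logins else "500 NO%20RESULT"

def handle_line(line):
    """Map one request line ("get <key>") to one reply line, without trailing newlines."""
    parts = line.split(" ", 1)
    if len(parts) != 2 or parts[0] != "get":
        return "400 unsupported%20request"   # 4xx = temporary error, Postfix will defer
    return lookup(decode(parts[1]))

class Handler(socketserver.StreamRequestHandler):
    def handle(self):
        # Postfix keeps one connection open and sends many requests on it,
        # so the loop (not a new process) is what makes this a persistent service.
        for raw in self.rfile:
            reply = handle_line(raw.decode("utf-8", "replace").rstrip("\r\n"))
            self.wfile.write((reply + "\n").encode())
            self.wfile.flush()

class Server(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True

if __name__ == "__main__":
    # Listen on loopback only; this table has no authentication of its own.
    with Server(("127.0.0.1", 2527), Handler) as srv:
        srv.serve_forever()
```

Point smtpd_sender_login_maps = tcp:127.0.0.1:2527 at it in main.cf and enforce the mapping with reject_sender_login_mismatch; the user@ and @domain fallback lookups are issued by Postfix itself, so the server only answers each key it is handed.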