On Thu, Mar 19, 2015 at 08:16:26PM +0000, Nick Howitt wrote:

> I am trying to set up authentication on 587 and I'm struggling with the
> postfix implementation in ClearOS. I have a restriction:
> 
>    smtpd_recipient_restrictions =
>       permit_mynetworks,
>       permit_sasl_authenticated,
>       reject_unknown_recipient_domain,
>       reject_unauth_pipelining,
>       reject_invalid_hostname,
>       reject_non_fqdn_hostname,
>       reject_non_fqdn_sender,
>       reject_non_fqdn_recipient,
>       reject_unauth_destination,
>       reject_rbl_client zen.spamhaus.org,
>       reject_rbl_client bl.spamcop.net,
>       reject_rbl_client 2.0.0.127.b.barracudacentral.org,
>       permit
> 
> But when I make certain changes it adds
> 
>      , check_policy_service unix:/var/spool/postfix/postgrey/socket
> 
> to the end of it. Postfix then throws an error saying there is no point
> adding anything after a "permit" instruction. I filed a bug with ClearOS
> but their response is that they use a standard "postconf" tool rather than
> their own script. 

This response is nonsense. If they simply append to whatever happens
to be in your recipient restrictions, expecting that to do something
useful, that's an all too naive approach.  Just because there
happens to be a "postconf -e" command that makes it possible to do
the wrong thing, does not mean that they are off the hook for
misusing it.

With recipient restrictions one needs to either build the whole
thing or leave it alone.

This sort of thing would be easier if one could add new top-level
restriction classes (evaluated independently of client, helo,
sender, relay, recipient, data and end_of_data restrictions) however
there's not been much demand for that feature to date.

        # New top-level restrictions to evaluate at RCPT TO:
        smtpd_rcpt_restriction_classes =
                ...,
                smtpd_foo_restrictions

        # Nested classes
        smtpd_restriction_classes =
                ...,
                foo_whitelist

        # User customizable, default empty
        foo_whitelist =

        # Maintainer definition "foo" instance.
        smtpd_foo_restrictions =
                foo_whitelist,
                <whatever foo does by default>

Packages that want to add restrictions would then use their own
"foo" class.

-- 
        Viktor.
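
As an added illustration (not part of the original message, and not ClearOS or Postfix code): a Python check that a configuration tool could run on a smtpd_recipient_restrictions value before handing it to "postconf -e". It flags entries placed after an unconditional permit, and a check_policy_service entry placed before reject_unauth_destination. The function names, the abbreviated sample list and the choice to rebuild with the new entry just before the trailing permit are assumptions.

```python
import re

# Restrictions that take the next token as an argument (subset, matched by prefix).
TAKES_ARG = ("check_", "reject_rbl_client", "reject_rhsbl_")
# Unconditional actions: nothing listed after one of these is ever evaluated.
TERMINAL = {"permit", "reject", "defer"}

def parse(value):
    """Split a restriction list into [name, argument-or-None] entries."""
    items = []
    for tok in (t for t in re.split(r"[,\s]+", value) if t):
        if items and items[-1][1] is None and items[-1][0].startswith(TAKES_ARG):
            items[-1][1] = tok              # argument of the previous restriction
        else:
            items.append([tok, None])
    return items

def lint(value):
    """Return findings: ignored entries, and a policy check that runs too early."""
    names = [name for name, _ in parse(value)]
    findings = []
    for pos, name in enumerate(names[:-1]):
        if name in TERMINAL:
            findings.append(f"ignored after '{name}': " + ", ".join(names[pos + 1:]))
            break
    if "check_policy_service" in names:
        policy = names.index("check_policy_service")
        # A policy service belongs after reject_unauth_destination, so that an
        # accepting answer from it cannot open the server up for relaying.
        if "reject_unauth_destination" not in names[:policy]:
            findings.append("check_policy_service precedes reject_unauth_destination")
    return findings

def add_before_final_action(value, name, arg):
    """Rebuild the whole value with one entry placed before a trailing permit/reject."""
    items = parse(value)
    cut = len(items) - 1 if items and items[-1][0] in TERMINAL else len(items)
    items.insert(cut, [name, arg])
    return ",\n    ".join(n if a is None else f"{n} {a}" for n, a in items)

# Constructed sample: the quoted list, abbreviated, without and with the append.
SOCKET = "unix:/var/spool/postfix/postgrey/socket"
ORIGINAL = """permit_mynetworks, permit_sasl_authenticated,
    reject_unauth_destination, reject_rbl_client zen.spamhaus.org, permit"""
BROKEN = ORIGINAL + ", check_policy_service " + SOCKET

if __name__ == "__main__":
    print(lint(BROKEN))
    print(add_before_final_action(ORIGINAL, "check_policy_service", SOCKET))
```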
