Viktor

On Mon, Mar 28, 2016, at 08:03 PM, Viktor Dukhovni wrote:
> Sorry, that's:
>
> http://www.postfix.org/postconf.5.html#check_client_ns_access

Ugh. I should have just searched for 'ns_access'. Thanks.

I'm not 100% sure why it's a "client" rule instead of a "sender" rule. Looking at examples, these sets of checks end up in different mumble restriction. Is it because client is earliest in order?

> And yes, the restriction class needs to be exactly the same when
> defined as when it is used. Go with "_" throughout.

Ok, I've got it sorted and seems to be working!

As a last step, I'd like to understand how to eventually grow this correctly.

If I wanted to add ns-related blocks that

(1) block all messages from any/all domains NS-hosted on "example1.com" or ".example1.com"

and

(2) block all messages from domains NS-hosted on "example2.com" and MTA RDNS matching, '^this-mta' (similar to what's already in there for synapp.io),

would this be the best approach?

main.cf
    ...
    smtpd_restriction_classes = no_ns_match
    no_ns_match =
        reject_unknown_client,
        check_client_access pcre:${config_directory}/ns_reject.pcre
    smtpd_client_restrictions =
        permit_mynetworks
        reject_unauth_pipelining
        check_client_ns_access pcre:${config_directory}/ns_access.pcre
    ...

cat ns_reject.pcre
    /^mta-wk-\d/ REJECT 554
    /^this-mta/ REJECT 554

cat ns_access.pcre
    /\.synapp\.io$/ no_ns_match
    /\.example1\.com$/ REJECT 554
    /\.example2\.com$/ no_ns_match

My specific concerns with that^ are

(1) it could incorrectly match/reject on 'this-mta.somedomain.com' hosted on example1.com, not just example2.com, as intended

(2) I'm not 100% sure I can mix "no_ns_match" & "REJECT 554" actions in the same file, 'ns_access.pcre'.

Again this example was really helpful -- not just in solving this specific problem but giving an idea of how to add & layer restrictions, and how they 'flow'.

Thanks.

Jason
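
Added example, not part of the original message: a simplified Python model of the two-stage lookup configured above (NS hostname table first, then the client-name table of the class it names), run once with the single shared class and once with one class per NS provider. The client and NS hostnames are constructed, the class names ns_synapp and ns_example2 and the split tables are hypothetical, and reject_unknown_client is left out of the model.

```python
import re

# Tables copied from the message: ordered (pattern, action), first match wins.
NS_REJECT = [(r"^mta-wk-\d", "REJECT 554"), (r"^this-mta", "REJECT 554")]
NS_ACCESS = [(r"\.synapp\.io$", "no_ns_match"),
             (r"\.example1\.com$", "REJECT 554"),
             (r"\.example2\.com$", "no_ns_match")]
SHARED = {"no_ns_match": NS_REJECT}   # one class shared by every NS provider

# Hypothetical alternative: one class and one client table per NS provider.
NS_ACCESS_SPLIT = [(r"\.synapp\.io$", "ns_synapp"),
                   (r"\.example1\.com$", "REJECT 554"),
                   (r"\.example2\.com$", "ns_example2")]
SPLIT = {"ns_synapp": [(r"^mta-wk-\d", "REJECT 554")],
         "ns_example2": [(r"^this-mta", "REJECT 554")]}


def lookup(table, key):
    """Return the action of the first pattern matching key, else None."""
    for pattern, action in table:
        if re.search(pattern, key, re.IGNORECASE):
            return action
    return None


def decide(client, ns_hosts, ns_table, classes):
    """Model check_client_ns_access, then the restriction class it names."""
    for ns in ns_hosts:
        action = lookup(ns_table, ns)
        if action in classes:          # class name: test the client hostname
            action = lookup(classes[action], client)
        if action is not None:
            return action              # direct action or class verdict
    return "DUNNO"                     # nothing matched: later rules decide


if __name__ == "__main__":
    # Constructed sample: a 'this-mta' client whose domain uses synapp.io NS.
    client, ns = "this-mta.somedomain.com", ["ns1.synapp.io"]
    print("shared class:", decide(client, ns, NS_ACCESS, SHARED))
    print("split classes:", decide(client, ns, NS_ACCESS_SPLIT, SPLIT))
```

In the model, a direct "REJECT 554" and a class name coexist in the same NS table, and a client pattern is only confined to one NS provider when that provider has its own class and table.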