On Thu, Feb 18, 2021 at 10:56:24AM -0500, Viktor Dukhovni wrote:
> > Let me modify the pseudocode to describe my goal in more detail:
> >
> >     x = ldap_lookup_recipient_record(envelope_to_address)
> >     if x.has_attribute(alpha)
> >         reject_with_code_4xx(message=value_of_attribute(alpha))
> >     else
> >         relay_message(nexthop=value_of_attribute(beta))
>
> You should not be using the transport(5) table for SMTP access control,
> that's what access(5) is for. LDAP used in access(5) tables works just
> fine. And scales better because while there's only one queue-manager,
> there are many smtpd(8) processes, whose LDAP queries are concurrent,
> (typically via multiple instances of proxymap, which scales up on
> demand).
In fact you have two potential mechanisms for this:
main.cf:

    # Filter out unauthorised access before recipient checks
    #
    smtpd_client_restrictions =
        permit_mynetworks,
        reject_unauth_destination
        # ... RBL lookups ...

    ldap = proxy:ldap:${config_directory}/

    smtpd_recipient_restrictions =
        check_recipient_access ${ldap}ldap-rcpt.cf

    smtpd_relay_restrictions =
        permit_mynetworks,
        # permit_sasl_authenticated,
        reject_unauth_destination

ldap-rcpt.cf:

    server = ...
    ...
    query_filter = mail=%s
    result_attribute = reject_action

This assumes that the "reject_action" value is a fully formed access(5)
action starting with "REJECT" or "450" or "550". You can also start with
a keyword and use a regexp "pipemap" to map the keyword to an access action.
Bottom line, use the transport(5) table for routing, and access(5) for
access control.
--
Viktor.
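The two-table layout Viktor describes, filled out as an added example (not
configuration from the thread or from the Postfix distribution): one LDAP
access(5) table for the 4xx/5xx decision and one LDAP transport(5) table for
the nexthop, plus the keyword/pipemap variant. The LDAP server, base DN and
the attribute names rejectAction, rejectKeyword and mailRoutingHost are
placeholders and must be replaced with whatever the directory actually uses.

```conf
# main.cf (added example; ${config_directory} is normally /etc/postfix)
ldap = proxy:ldap:${config_directory}/

# Access control: recipient -> complete access(5) action, or "not found"
smtpd_recipient_restrictions =
    check_recipient_access ${ldap}ldap-rcpt.cf

smtpd_relay_restrictions =
    permit_mynetworks,
    reject_unauth_destination

# Routing: recipient -> nexthop, looked up by the queue manager, never by smtpd(8)
transport_maps = ${ldap}ldap-transport.cf

# ---- ldap-rcpt.cf: access(5) table ----
# server_host, search_base and the attribute name are placeholders.
server_host = ldap://ldap.example.com
search_base = ou=people,dc=example,dc=com
bind = no
query_filter = (mail=%s)
# The attribute holds a complete action, e.g. "450 4.2.1 Mailbox suspended";
# an absent attribute means "not found" and the restriction is skipped.
result_attribute = rejectAction

# ---- ldap-transport.cf: transport(5) table ----
server_host = ldap://ldap.example.com
search_base = ou=people,dc=example,dc=com
bind = no
query_filter = (mail=%s)
# mailRoutingHost (placeholder) holds the relay host; result_format wraps it
# into a transport(5) value such as "smtp:[relay1.example.net]".
result_attribute = mailRoutingHost
result_format = smtp:[%s]

# ---- Keyword variant (alternative to the rejectAction attribute) ----
# The LDAP attribute holds only a keyword; pipemap(5) feeds the LDAP result
# into a regexp(5) table that turns the keyword into the actual action.
# ldap-rcpt-keyword.cf is ldap-rcpt.cf with "result_attribute = rejectKeyword".
smtpd_recipient_restrictions =
    check_recipient_access pipemap:{${ldap}ldap-rcpt-keyword.cf, regexp:${config_directory}/rcpt-keyword-actions}

# ---- rcpt-keyword-actions: regexp(5) table, keyword -> access(5) action ----
/^suspended$/    450 4.2.1 Mailbox temporarily unavailable
/^disabled$/     550 5.1.1 Mailbox disabled
/^moved$/        551 5.1.6 Mailbox has moved
```

The keyword variant is the safer one when the directory attribute is not
under the mail administrator's exclusive control: with the first variant the
raw attribute value is the access(5) action, so a value of "OK" or "permit"
would end restriction processing and accept the recipient, whereas with the
pipemap only keywords listed in rcpt-keyword-actions produce an action and
anything else is "not found". Either way, `postmap -q user@example.com
proxy:ldap:/etc/postfix/ldap-rcpt.cf` (run as the postfix user, since the
proxymap service is involved) shows exactly the string smtpd(8) will act on.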