On Sat, 30 Apr 2022 01:11:05 -0400
Viktor Dukhovni wrote:
> On Sat, Apr 30, 2022 at 10:28:06AM +1000, raf wrote:
>
> > > .domain.tld
> > >
> > > Matches subdomains of domain.tld, but only when the
> > > string smtpd_access_maps is not listed in the Postfix
> > > parent_domain_matches_subdomai
On Sat, Apr 30, 2022 at 08:55:54PM +1000, raf wrote:
> Ah yes, and access(5) says .domain.tld only matches
> subdomains when smtpd_access_maps is not in
> parent_domain_matches_subdomains, but it is there by
> default, so ".domain.tld" wouldn't work at all. It
> needs to be "domain.tld".
I genera
On Sat, Apr 30, 2022 at 01:11:05AM -0400, Viktor Dukhovni
wrote:
> On Sat, Apr 30, 2022 at 10:28:06AM +1000, raf wrote:
>
> > > .domain.tld
> > >
> > > Matches subdomains of domain.tld, but only when the
> > > string smtpd_access_maps is not listed in the Postfix
> > > parent_domain_matches_sub
On Sat, Apr 30, 2022 at 10:28:06AM +1000, raf wrote:
> > .domain.tld
> >
> > Matches subdomains of domain.tld, but only when the
> > string smtpd_access_maps is not listed in the Postfix
> > parent_domain_matches_subdomains configuration setting.
>
> The .domain.tld notation only covers a single
On Fri, Apr 29, 2022 at 04:47:51PM -0700, "li...@lazygranch.com"
wrote:
> I'm trying to allow-list (formerly whitelist) a TLD. I have these lines
> in my postfix main.cf:
>
> check_client_access hash:/etc/postfix/client_checks,
> check_sender_access hash:/etc/postfix/sender_checks,
> chec
On 10 Jul 2018, at 22:24 (-0400), Philip wrote:
I'm curious to know what I've done wrong with my client checks file.
I can reject a specific IP but it won't reject when I use net
blocks... format is listed below in client_checks.cf
Suggestions comments welcome.
Pick a table format and use
Philip wrote on 2018-07-11 04:24:
check_client_access hash:/etc/postfix/client_checks.cf,
change hash here to cidr
5.0.0.0/8 REJECT We have not seen your IP Address before. Please
visit https://example.com?newip=5.0.0.0/8 to unblock your IP
and remember cidr does not need to be postmappe
> On Sep 12, 2016, at 12:54 AM, Jeremy wrote:
>
> Sep 12 15:36:58 mailsrv postfix/smtpd[30413]: connect from
> unknown[210.246.XX.XX]
> ***
> Sep 12 15:37:32 mailsrv postfix/smtpd[30413]: NOQUEUE: reject: RCPT from
> unknown[210.246.XX.XX]: 554 5.7.1 Service unavailable;
> **
list...@tutanota.com:
> 23. May 2016 18:48 by njo...@megan.vbhcs.org:
>
> > Yes, exactly right idea, but your expressions could use some improvement
>
> Thanks it helped!
>
> >IF /^(To|From|Cc|Reply-To): /
Why not:
/^(To|From|Cc|Reply-To): *(addr1|addr2|addr3)/
> Is the space between ": /
23. May 2016 18:48 by njo...@megan.vbhcs.org:
> Yes, exactly right idea, but your expressions could use some improvement
Thanks it helped!
>IF /^(To|From|Cc|Reply-To): /
Is the space between ": /" always needed? I think yes.
On 5/23/2016 5:55 PM, list...@tutanota.com wrote:
> I noticed this email today about IF ... ENDIF.
>
> I didn't know about it yet so I have been reading and looking at
> examples.
>
> I can understand some but not all yet. The examples with matching
> on just an IP or CIDR are easy to see.
>
> B
I noticed this email today about IF ... ENDIF.
I didn't know about it yet so I have been reading and looking at examples.
I can understand some but not all yet. The examples with matching on just an
IP or CIDR are easy to see.
But can IF ... ENDIF in Postfix be used to make this .pcre simplifie
Viktor Dukhovni:
> On Fri, May 20, 2016 at 03:24:26PM -0400, Wietse Venema wrote:
>
> > I can do a little better than that, and also give a number for the
> > per-query overhead. With this i5-650 CPU @3.2GHZ, it takes 0.92
> > seconds to parse 1 million IPv4 patterns, and less than about 0.01
> >
On Fri, May 20, 2016 at 03:24:26PM -0400, Wietse Venema wrote:
> I can do a little better than that, and also give a number for the
> per-query overhead. With this i5-650 CPU @3.2GHZ, it takes 0.92
> seconds to parse 1 million IPv4 patterns, and less than about 0.01
> second to search through tho
Wietse Venema:
> To measure [cidr map] initialization overhead, look at the difference between
>
> $ time postmap -q /dev/null static:foo
> $ time postmap -q /dev/null pcre:yourfile
>
> You will probably have to run this several times to get a meaningful
> result.
The /dev/null can be an
> On May 20, 2016, at 1:42 PM, Noel Jones wrote:
>
> The cidr: map is quite efficient.
>
> IIRC the last time someone performance tested the cidr: map type,
> performance stayed high even with 10's of thousands of entries. (or
> was it 100's of thousands?? whatever... it was a lot)
>
> You're
Brandon Applegate:
> In any case - I've been wondering about the potential performance
> impact related to the size of the cidr_client_checks file. I
> currently have ~ 600 networks listed there. I haven't noticed
> anything yet - but would like to know if there's a size where I
> should worry.
On 5/20/2016 11:20 AM, Brandon Applegate wrote:
> Hello all,
>
> In my cascade of smtpd restrictions, along with RBL, rDNS etc - I have:
>
> check_client_access cidr:/etc/postfix/cidr_client_checks
>
> I mainly (manually) throw egregious offenders in there that haven’t been
> added to one of th
User Nexus:
> I've found the answer on my questions in the official Postfix
> documentation. Feel free to skip answering on this email.
> Thanks again.
There still is hope for humanity.
Wietse
User Nexus:
> My question now, is it correct to use 'check_sender_access' in
> 'smtpd_client_restrictions'
> section?
smtpd_client_restrictions (default: empty)
...
Other restrictions that are valid in this context:
o SMTP command specific restrictions that are describ
2015-07-26 10:19 GMT+03:00 User Nexus :
> 2015-07-25 17:51 GMT+03:00 Wietse Venema :
>
>> > Hello Guys,
>> >
>> > I'm trying to set up some restrictions in 'smtpd_client_restrictions'
>> > Postfix config block. You can see my 'smtpd_client_restrictions' block
>> > below:
>> >
>> > smtpd_client_re
2015-07-25 17:51 GMT+03:00 Wietse Venema :
> ?:
> > Hello Guys,
> >
> > I'm trying to set up some restrictions in 'smtpd_client_restrictions'
> > Postfix config block. You can see my 'smtpd_client_restrictions' block
> > below:
> >
> > smtpd_client_restrictions =
> >
?:
> Hello Guys,
>
> I'm trying to set up some restrictions in 'smtpd_client_restrictions'
> Postfix config block. You can see my 'smtpd_client_restrictions' block
> below:
>
> smtpd_client_restrictions =
> permit_mynetworks,
> che
On 04.05.2014 23:16, Wietse Venema wrote:
@Victor/Wietse:
> Thus, if you want impersonation use XCLIENT. If you want to have
> more useful logging from a post-filter MTA. use XFORWARD.
Thanks to you both for your explanations. I never realized th
Peer Heinlein:
> as shown in the log we have a Postfix 2.9.4 with a localhost-connect
> from Amavis on Port 10025 that uses the xforward-command to give us
> the source IP address from the real client:
>
> But in the smtpd_recipient_restrictions Postfix makes lookups just for
> the localhost sourc
On Sun, May 04, 2014 at 10:20:23PM +0200, Peer Heinlein wrote:
> as shown in the log we have a Postfix 2.9.4 with a localhost-connect
> from Amavis on Port 10025 that uses the xforward-command to give us
> the source IP address from the real client:
XFORWARD is for logging only. Only XCLIENT cha
On 4/15/14, 3:33 PM, Noel Jones wrote:
On 4/15/2014 3:25 PM, List wrote:
On 4/15/14, 3:12 PM, Noel Jones wrote:
On 4/15/2014 3:02 PM, List wrote:
On 4/15/14, 2:50 PM, Noel Jones wrote:
On 4/15/2014 2:27 PM, List wrote:
I am running postfix 2.6.6 and trying to setup check_client_access
using
On 4/15/2014 3:25 PM, List wrote:
> On 4/15/14, 3:12 PM, Noel Jones wrote:
>> On 4/15/2014 3:02 PM, List wrote:
>>> On 4/15/14, 2:50 PM, Noel Jones wrote:
On 4/15/2014 2:27 PM, List wrote:
> I am running postfix 2.6.6 and trying to setup check_client_access
> using a mysql lookup under
On 4/15/14, 3:12 PM, Noel Jones wrote:
On 4/15/2014 3:02 PM, List wrote:
On 4/15/14, 2:50 PM, Noel Jones wrote:
On 4/15/2014 2:27 PM, List wrote:
I am running postfix 2.6.6 and trying to setup check_client_access
using a mysql lookup under the smtpd_client_restrictions, which does
not appear t
On 4/15/2014 3:02 PM, List wrote:
> On 4/15/14, 2:50 PM, Noel Jones wrote:
>> On 4/15/2014 2:27 PM, List wrote:
>>> I am running postfix 2.6.6 and trying to setup check_client_access
>>> using a mysql lookup under the smtpd_client_restrictions, which does
>>> not appear to be rejecting clients when
On 4/15/14, 2:50 PM, Noel Jones wrote:
On 4/15/2014 2:27 PM, List wrote:
I am running postfix 2.6.6 and trying to setup check_client_access
using a mysql lookup under the smtpd_client_restrictions, which does
not appear to be rejecting clients when the query returns "REJECT"
(which has been conf
On 4/15/2014 2:27 PM, List wrote:
> I am running postfix 2.6.6 and trying to setup check_client_access
> using a mysql lookup under the smtpd_client_restrictions, which does
> not appear to be rejecting clients when the query returns "REJECT"
> (which has been confirmed to return "REJECT" using pos
On 3/12/2013 5:21 PM, Alex wrote:
> Hi,
>
> This is normal operation for a general-purpose mail server. Mail to
> local users can be received from anywhere (subject to spam
> controls). Only authorized users can relay to a third-party
> destinations.
>
> This is a typical
Hi,
This is normal operation for a general-purpose mail server. Mail to
local users can be received from anywhere (subject to spam
controls). Only authorized users can relay to a third-party
destinations.
This is a typical setup for an internet-facing mail server.
>
Hi,
>>> This is normal operation for a general-purpose mail server. Mail to
>>> local users can be received from anywhere (subject to spam
>>> controls). Only authorized users can relay to a third-party
>>> destinations.
>>>
>>> This is a typical setup for an internet-facing mail server.
>>
>> I
On 3/12/2013 1:57 PM, Noel Jones wrote:
> On 3/12/2013 1:35 PM, Alex wrote:
>> Hi,
>>
I have a really old system with an early version of postfix on it, but
I'm not sure the version really matters for my problem. I'm attempting
to use a pop-before-smtp hash as a way of providing auth
On 3/12/2013 1:35 PM, Alex wrote:
> Hi,
>
>>> I have a really old system with an early version of postfix on it, but
>>> I'm not sure the version really matters for my problem. I'm attempting
>>> to use a pop-before-smtp hash as a way of providing authentication
>>> prior to being able to use the
Hi,
>> I have a really old system with an early version of postfix on it, but
>> I'm not sure the version really matters for my problem. I'm attempting
>> to use a pop-before-smtp hash as a way of providing authentication
>> prior to being able to use the server to send mail. However, it
>> doesn'
On 3/11/2013 11:17 PM, Alex wrote:
> Hi,
>
> I have a really old system with an early version of postfix on it, but
> I'm not sure the version really matters for my problem. I'm attempting
> to use a pop-before-smtp hash as a way of providing authentication
> prior to being able to use the server
On 07/22/2012 03:12 PM, Wietse Venema wrote:
Tolga:
Hi,
I have put line in my main.cf
check_client_access = cidr:/etc/postfix/sinokorea.cidr
In Postfix 2.9, this will result in a warning:
postconf: warning: /etc/postfix/main.cf: unused parameter:
check_client_access=cidr:/etc/postfix/sino
Tolga:
> Hi,
>
> I have put line in my main.cf
>
> check_client_access = cidr:/etc/postfix/sinokorea.cidr
In Postfix 2.9, this will result in a warning:
postconf: warning: /etc/postfix/main.cf: unused parameter:
check_client_access=cidr:/etc/postfix/sinokorea.cidr
And indeed check_client_acce
Sorry, Noel,
Now that I re-read your last post, I can see there is no discrepancy at
all between my findings and your description in the two cases I mentioned.
In fact, what happens is exactly what you describe. The email message is
rejected because the client specifies a MAIL FROM listed in
(I'm sending again, because by mistake the message I sent before was in
html form.)
Thanks Noel, for the detailed info.
In the meantime, I had already tested, and here are the test results,
for reference (tested by removing ownership of f...@example.com by foo
and logging in (in scenario II)
Thanks Noel,
for the detailed info.
In the meantime, I had already tested, and here are the test
results, for reference (tested by removing ownership of f...@example.com
by foo and logging in (in scenario II) as user foo):
I. 1 --->a (mes
On 2/11/2011 6:08 AM, Nikolaos Milas wrote:
Thank you Harald,
Please, let me ask for some clarifications, cause I'm confused:
If we have (SASL) UNauthenticated clients (who are allowed to
send emails from mynetworks) AND (SASL) authenticated clients
(in mynetworks or anywhere), what will happen
Thank you Harald,
Please, let me ask for some clarifications, cause I'm confused:
If we have (SASL) UNauthenticated clients (who are allowed to send
emails from mynetworks) AND (SASL) authenticated clients (in mynetworks
or anywhere), what will happen to our UNauthenticated clients (in
mynetw
On 11.02.2011 10:08, Nikolaos Milas wrote:
> Thank you Noel,
>
> After searching for a while, I found your info/solutions were complete and
> accurate.
>
> Locking sender addresses with authenticated users appears to be a good
> practice, anyway.
>
> Here, I have two questions about reject
Thank you Noel,
After searching for a while, I found your info/solutions were complete
and accurate.
Locking sender addresses with authenticated users appears to be a good
practice, anyway.
Here, I have two questions about reject_sender_login_mismatch:
1. If sender is in the form "f...@e
* Nikolaos Milas :
> Thanks Ralf,
>
> That means that the following format should be OK?
>
>ma...@example.com user1,user2,user3
>ma...@example.com user1,user2
>ma...@example.com user1,user3
>
> This is still a M-to-M mapping (many mail addresses are mapped to
> many SA
Thanks Ralf,
That means that the following format should be OK?
ma...@example.com user1,user2,user3
ma...@example.com user1,user2
ma...@example.com user1,user3
This is still a M-to-M mapping (many mail addresses are mapped to many
SASL login usernames), it's just format
* Nikolaos Milas :
> Thanks Jeroen,
>
> I checked the documentation and I think smtpd_sender_login_maps might
> do the trick.
>
> Does anyone know if a many-to-many (M-to-M) mapping is allowed in
> these maps? That is, the following example is valid (a hash file)?
No
>ma...@example.com
Thanks Jeroen,
I checked the documentation and I think smtpd_sender_login_maps might do
the trick.
Does anyone know if a many-to-many (M-to-M) mapping is allowed in these
maps? That is, the following example is valid (a hash file)?
ma...@example.com user1
ma...@example.com u
On 2/7/2011 4:57 PM, Nikolaos Milas wrote:
I have parenthetically asked in another - solved - thread if
postfix offers the ability to control access to specific mail
addresses using as a key the authenticated usernames (and got
no reply).
So, I am posting this as a new thread, hoping that someon
On 02/07/2011 11:57 PM, Nikolaos Milas wrote:
I have parenthetically asked in another - solved - thread if postfix
offers the ability to control access to specific mail addresses using
as a key the authenticated usernames (and got no reply).
So, I am posting this as a new thread, hoping that s
Mouss,
> How do I have to modify it so that I could block an email address
> either
> if is the sender or one of the recipients, AND either if the message
> is
> incoming or outgoing?
>
> Maybe so (assuming that the action will never be "OK")...
>
> smtpd_client
Rocco Scappatura wrote:
>
> Sorry,
>
How do I have to modify it so that I could block an email address
either
if is the sender or one of the recipients, AND either if the message is
incoming or outgoing?
Maybe so (assuming that the action will never be "OK")...
>>
Sorry,
>>> How do I have to modify it so that I could block an email address
>>> either
>>> if is the sender or one of the recipients, AND either if the message is
>>> incoming or outgoing?
>>>
>>> Maybe so (assuming that the action will never be "OK")...
>>>
>>> smtpd_client_restrictions =
>>>
>> How do I have to modify it so that I could block an email address either
>> if is the sender or one of the recipients, AND either if the message is
>> incoming or outgoing?
>>
>> Maybe so (assuming that the action will never be "OK")...
>>
>> smtpd_client_restrictions =
>> check_client_acces
Rocco Scappatura wrote:
>
>
> Mouss,
>
and your explanation was about a "receiver". That's 3 different
things...
>>> So.. What I have to do to block a message based on the receiver?
>>>
>> check_recipient_access.
>>
PS. it would be safer to put your check_sender_access in
Mouss,
>>> and your explanation was about a "receiver". That's 3 different
>>> things...
>>
>> So.. What I have to do to block a message based on the receiver?
>>
>
> check_recipient_access.
>
>>> PS. it would be safer to put your check_sender_access in
>>> smtpd_sender_restrictions so that an
Rocco Scappatura wrote:
> Mouss,
>
>>> [snip]
>>>
>>> :-D
>>>
>>> [snip]
>> dogs ate logs?
>>
>
> Very cool from you.. as usual!
>
> You have won a prize.. :-) <-- Is it ok so? ;-)
>
depends on what the prize is :)
>> - show logs that prove what you claimed
>
> Feb 1 06:02:50 av5 postf
Mouss,
>> [snip]
>>
>> :-D
>>
>> [snip]
>
> dogs ate logs?
>
Very cool from you.. as usual!
You have won a prize.. :-) <-- Is it ok so? ;-)
> - show logs that prove what you claimed
Feb 1 06:02:50 av5 postfix/smtpd[32172]: NOQUEUE: reject: RCPT from
unknown[83.103.67.197]: 550 5.1.1 to= p
Rocco Scappatura wrote:
> [snip]
>
> :-D
>
> [snip]
dogs ate logs?
- show logs that prove what you claimed
- show 'postmap -q' results (for all the keys that postfix uses. see the
man page of access for the lookup order).
you also need to make your mind: the subject contains
"check_client
Thanks,
>> In smtpd_recipient_restrictions I put as first line:
>>
>> check_sender_access
>> proxy:mysql:/etc/postfix/mysql-check-sender-access.cf
>>
>> The check looks up the database for an address or a domain and returns an
>> action (OK, REJECT, and so on).
>
> This sounds bad; you should
On Sat, 31 Jan 2009, Rocco Scappatura wrote:
> In smtpd_recipient_restrictions I put as first line:
>
> check_sender_access proxy:mysql:/etc/postfix/mysql-check-sender-access.cf
>
> The check looks up the database for an address or a domain and returns an
> action (OK, REJECT, and so on).
Th
Policyd seems to have interesting features and it uses MySQL. I'll try
it here. Thank you.
I'm a Sys admin working here with FreeBSD, but I'm a Java developer
too, so after I was noticed that postfix checks use a single variable
(client, helo, sender, recipient), that I would not be able to do wha
Wietse Venema wrote:
If you want to control access with MySQL, try http://www.policy.org/
I think Wietse meant http://www.policyd.org/
Joe
On Wed, July 30, 2008 16:33, Wietse Venema wrote:
> If you want to control access with MySQL, try http://www.policy.org/
>
> Wietse
I believe Wietse meant http://www.policyd.org/
--
Regards,
Jon
If you want to control access with MySQL, try http://www.policy.org/
Wietse
On Wed, Jul 30, 2008 at 4:23 PM, mouss <[EMAIL PROTECTED]> wrote:
>
> write a policy server (or use one that implements this). postfix checks use
> a single variable (client, helo, sender, recipient). you can't mix things.
I'll try this way.
>
> anyway, if you find yourself whitelisting many c
Thiago Esteves wrote:
Hello List,
I'm using here the main.cf parameter "reject_unknown_client", that you know,
it just blocks any client machine
that doesn't have the proper records in the DNS. Sometimes I have to add
an exception, so I have a whitelist
where I add the client IP address and th
71 matches