Ian Armstrong wrote:
1. As I am only interested in checking outgoing mail at the moment,
shouldn't I also call the policy server under
"smtpd_sender_restrictions" in Postfix main.cf?
I think you are getting confused over how the whole mail system works.
smtpd_sender_restrictions do not relate to "sending" mail - they
relate to characteristics of the sender when receiving mail.
See http://www.postfix.org/postconf.5.html#smtpd_sender_restrictions
What PolicyD needs is to be called at appropriate points so that it
can consider the message being processed and return a suggestion as
to whether Postfix should reject it.
This process is identical whether sending or receiving mail - both
are more or less the same to Postfix. A client connects to the SMTP
Daemon and sends a message, this is queued by Postfix if it passes
all the rules configured, and then Postfix dequeues it and delivers
it as appropriate.
The appropriate hook for calling PolicyD is in smtpd_recipient_restrictions
http://www.postfix.org/postconf.5.html#smtpd_recipient_restrictions
This section is consulted every time the client sends a "rcpt to:
<address>" instruction - so at this point we know both the claimed
(it is insecure and can be faked) sender address, and the current
recipient address (this section can be repeated multiple times, once
per recipient).
Just this one hook will deal with many checks, but for accurate
accounting/quotas you need to also use the
smtpd_end_of_data_restrictions hook so that PolicyD can do stuff that
needs to know the message size.
The difference between "sending" and "receiving" mail is merely in
the source and destination of the message.
When "sending" :
The client is typically an end user's mail user agent (MUA) and would
normally be required to use SASL authentication before being able to
send. The recipient would normally be remote, i.e. Postfix will forward
the message to another mail server (mail transfer agent, MTA) for
delivery.
When "receiving" :
The client is normally a remote MTA. The recipient may be a local
mailbox, or the mail may be forwarded (have its envelope header
address re-written and sent elsewhere by SMTP).
It's not hard to see that a 'local' user may send a message to
another local user - is this "sending" or "receiving" ? Or a remote
user may send a message that is simply forwarded elsewhere - so is
this both receiving and sending ?
How you differentiate between "send" and "receive" is how you setup
the rules/policies in PolicyD.
The easiest check is to see if the sender used SASL authentication -
and that's what you should apply accounting to. In my setup, I have a
policy for inbound mail which has the members "!$*,!%internal_ips".
Thus, if the SMTP client is not from an internal IP (i.e. my own
network) and didn't authenticate, then we class it as inbound mail.
For outbound mail I have "$*,!%hi-vol-sasl,!%My_Network" - that says,
if the user authenticated then it's outbound mail (ignore
"!%hi-vol-sasl,!%My_Network" for now; that allows me to bypass quotas
for internal machines and have a separate policy for specific SASL
users who need to send a higher volume of mail).
Finally, a quick note that PolicyD will only work on "outbound" mail
that comes in via SMTP. If the mail originates on the local machine,
then it may be injected into the mail queue by other means and this
is transparent to PolicyD.
--
Simon Hobson
Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed
author Gladys Hobson. Novels - poetry - short stories - ideal as
Christmas stocking fillers. Some available as e-books.
_______________________________________________
Users mailing list
[email protected]
http://lists.policyd.org/mailman/listinfo/users_lists.policyd.org
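To make the two hooks and the inbound/outbound distinction in the reply above concrete, here is an added example of a minimal Postfix policy server written for this page; it is not PolicyD's code and not from the post. It speaks the Postfix policy delegation protocol (`name=value` lines ending in a blank line, answered with `action=...`), classifies a request the way the post's policies do (SASL user present means outbound, unauthenticated client on an internal network means internal, everything else inbound), and charges per-user byte accounting only at END-OF-MESSAGE, where the size is real. The listening port 10031, the 192.0.2.0/24 "internal" network, the quota and the user name in the docstring test are all assumptions; the main.cf fragment in the docstring shows where the service is hooked in.

```python
"""Minimal Postfix policy-delegation server (added example, not PolicyD's code).

Assumed main.cf hooks (port 10031 is an assumption, as is putting the
policy check before permit_sasl_authenticated so authenticated clients
actually reach it):

    smtpd_recipient_restrictions =
        check_policy_service inet:127.0.0.1:10031,
        permit_mynetworks,
        permit_sasl_authenticated,
        reject_unauth_destination
    smtpd_end_of_data_restrictions =
        check_policy_service inet:127.0.0.1:10031
"""
import ipaddress
import socketserver
from collections import defaultdict

# Assumed values: substitute your own networks and quota.
INTERNAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]
OUTBOUND_QUOTA_BYTES = 1_000_000


def parse_policy_request(raw: str) -> dict:
    """Parse the 'name=value' lines Postfix sends; a blank line ends the request."""
    attrs = {}
    for line in raw.splitlines():
        if line == "":
            break
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value
    return attrs


def classify(attrs: dict, internal_nets=INTERNAL_NETS) -> str:
    """Direction as the post defines it: SASL auth => 'outbound' ("$*"),
    unauthenticated client inside our network => 'internal' ("%internal_ips"),
    anything else => 'inbound' ("!$*,!%internal_ips").  The sender address is
    deliberately not consulted, because the client can forge it."""
    if attrs.get("sasl_username"):
        return "outbound"
    try:
        client = ipaddress.ip_address(attrs.get("client_address", ""))
    except ValueError:
        return "inbound"
    if any(client in net for net in internal_nets):
        return "internal"
    return "inbound"


class Accounting:
    """Per-SASL-user byte accounting for outbound mail."""

    def __init__(self, quota=OUTBOUND_QUOTA_BYTES):
        self.quota = quota
        self.used = defaultdict(int)

    def handle(self, raw: str) -> str:
        attrs = parse_policy_request(raw)
        if classify(attrs) != "outbound":
            return "action=DUNNO\n\n"
        user = attrs["sasl_username"]
        state = attrs.get("protocol_state")
        if state == "RCPT":
            # At RCPT, 'size' is only what the client claimed in MAIL FROM
            # SIZE=, so it is not charged here; just refuse more recipients
            # once the quota is already spent.
            if self.used[user] >= self.quota:
                return "action=REJECT Outbound quota exceeded\n\n"
            return "action=DUNNO\n\n"
        if state == "END-OF-MESSAGE":
            # Only here is 'size' the real message size; charge it once per
            # message, however many recipients it had.
            size = int(attrs.get("size") or 0)
            if self.used[user] + size > self.quota:
                return "action=REJECT Outbound quota exceeded\n\n"
            self.used[user] += size
            return "action=DUNNO\n\n"
        return "action=DUNNO\n\n"


class PolicyHandler(socketserver.StreamRequestHandler):
    """One connection; Postfix may send several requests over it."""

    accounting = Accounting()  # shared state; single-threaded server below

    def handle(self):
        while True:
            lines = []
            while True:
                line = self.rfile.readline()
                if not line:
                    return  # Postfix closed the connection
                text = line.decode("utf-8", "replace").rstrip("\r\n")
                if text == "":
                    break
                lines.append(text)
            response = self.accounting.handle("\n".join(lines) + "\n\n")
            self.wfile.write(response.encode())
            self.wfile.flush()


if __name__ == "__main__":
    with socketserver.TCPServer(("127.0.0.1", 10031), PolicyHandler) as srv:
        srv.serve_forever()
```

Note that the accounting is in memory and single-threaded; a real deployment (which is what PolicyD provides) keeps it in a database and survives restarts. The point the post makes survives unchanged: classification happens at RCPT from `sasl_username` and `client_address`, while the byte count must wait for `smtpd_end_of_data_restrictions`, because `size` at RCPT is client-controlled.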