Re: [policyd-users] Quotas & AccessControl

[Vojtech Splichal]

Belloni, Davide <belloni.d@...> writes:

> 
> Hi,I'm trying to limit email in postfix with policyd using AccessControl
and Quotas modules.
> 
> The logic that I want to implement is the following:
>  - postfix smtpd_recipient_restrictions checks first with policyd
(check_policy_service) and after reject
> 
> 
> 
> 
> 
> 
> 
>  - postfix smtpd_end_of_data_restrictions checks only with policyd
(check_policy_service)
> 
>  - policyd has access control for permitted sender/recipient and relative
policies with verdict "OK" (used in smtpd_recipient_restrictions)
>  - policyd has quotas limits on sender or ip and relative policies with
verdict "reject" (used in smtpd_end_of_data_restrictions)
> 
> This doesn't work for the following reasons:
>  - AccessControl has module priority of 90 
>  - Quotas has module priority of 50
>  - AccessControl in RCPT protocol_state returns PROTO_OK with response
'OK' and CBP_STOP (so Quotas never inserts the tracking information)
> 
> 
> I've seen some bugs about Quotas module related with perl 5.10 (that i
have installed on CentOS6), but simply applying the following patch I obtain
what I want:
> 
> 
> --- /usr/local/lib/cbpolicyd-2.1/cbp/modules/Quotas.pm        2015-08-07
14:20:00.000000000 +0200
> +++ /usr/local/lib/cbpolicyd-2.1/cbp/modules/Quotas.pm        2015-08-07
14:19:53.000000000 +0200
>  <at>  <at>  -32,7 +32,7  <at>  <at> 
>  # User plugin info
>  our $pluginInfo = {
>       name                    => "Quotas Plugin",
> -     priority                => 50,
> +     priority                => 95,
>       init                    => \&init,
>       request_process => \&check,
>       cleanup                 => \&cleanup,
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> Can I've introduced some bugs or malfunctions with the patch above?
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> Are there better methods to achieve what I want?
> 
> Thanks,
> 
> Best regards
> -- 
> Davide BelloniR&D Dept.MaxMaraFashionGroupVia G. Maramotti, 4 - 42124
Reggio Emilia (RE) Rispetta l'ambiente, stampa questa mail solo se
necessario.Il contenuto della presente comunicazione è riservato e destinato
esclusivamente ai destinatari indicati. Nel caso in cui sia ricevuto da
persona diversa dal destinatario sono proibite la diffusione, la
distribuzione e la copia. Nel caso riceveste la presente per errore, Vi
preghiamo di informarci e di distruggerlo e/o cancellarlo dal Vostro
computer, senza utilizzare i dati contenuti. La presente comunicazione
(comprensiva dei documenti allegati) non avrà valore di proposta
contrattuale e/o accettazione di proposte provenienti dal destinatario, nè
rinuncia o riconoscimento di diritti, debiti e/o crediti, nè sarà
impegnativa, qualora non sia sottoscritto successivo accordo da chi può
validamente obbligarci. Non deriverà alcuna responsabilità precontrattuale a
ns. carico, se la presente non sia seguita da contratto sottoscritto dalle
parti.The content of the above communication is strictly confidential and
reserved solely for the referred addressees. In the event of receipt by
persons different from the addressee, copying, alteration and distribution
are forbidden. If received by mistake we ask you to inform us and to destroy
and/or delete from your computer without using the data herein contained.
The present message (eventual annexes inclusive) shall not be considered a
contractual proposal and/or acceptance of offer from the addressee, nor
waiver recognizance of rights, debts  and/or credits, nor shall it be
binding when not executed as a subsequent agreement by persons who could
lawfully represent us. No pre-contractual liability shall apply to us when
the present communication is not followed by any binding agreement between
the parties.
> 
> 
> 
> 
> _______________________________________________
> Users mailing list
> Users@...
> http://lists.policyd.org/mailman/listinfo/users_lists.policyd.org
> 

Hi,

try to change AccessControl module following way:

                        } elsif ($row->{'Verdict'} =~ /^ok$/i) {
                                $server->maillog("module=AccessControl,
action=ok, host=%s, helo=%s, from=%s, to=%s, reason=verdict",
                                                $sessionData->{'ClientAddress'},
                                                $sessionData->{'Helo'},
                                                $sessionData->{'Sender'},
                                                $sessionData->{'Recipient'});
                                #comment out line where is PROTO_OK
#return $server->protocol_response(PROTO_OK,$row->{'Data'});
#let's go to next module - CheckHello - thru SPF - to Quotas.
                                return CBP_CONTINUE;

I have an idea - create new verdict in access control module, somethink like
PASS. This solution is let's say hardcoded :D

Regards Vojtech Splichal
_______________________________________________
Users mailing list
Users@lists.policyd.org
http://lists.policyd.org/mailman/listinfo/users_lists.policyd.org