Re: overriding transport_maps in master.cf

From: Noel Jones (njonesmegan.vbhcs.org)
Date: Tue Jul 01 2003 - 18:05:11 CDT


At 05:28 PM 7/1/03 -0500, Nick Russo wrote:
>Ok, I see now that transport_maps are no good if I only have one
>Postfix instance. I've nothing against using access maps instead,
>so let's see if I have the right idea now.
>
>
>main.cf:
># This is for pop-before-smtp:
>
>smtpd_recipient_restrictions = permit_mynetworks,
> warn_if_reject reject_non_fqdn_recipient,
> warn_if_reject check_client_access dbm:/etc/postfix/pop-before-smtp,
> warn_if_reject check_relay_domains,
> reject

Hmmm,

warn_if_reject check_client_access dbm:/etc/postfix/pop-before-smtp
Pop-before-smtp normally returns either OK or nothing, and does not return
a REJECT. I'm not sure if using warn_if_reject will be useful here, or if
it will do what you intend.
The check_relay_domains command is deprecated. You should use
reject_unauth_destination instead.
Using warn_if_reject before check_relay_domains (or before
reject_unauth_destination) makes no sense, and may not do what you intend.

This is better:
smtpd_recipient_restrictions =
# check_recipient_access hash:/etc/postfix/access
   permit_mynetworks
   check_client_access dbm:/etc/postfix/pop-before-smtp
   warn_if_reject reject_non_fqdn_recipient,
   reject_unauth_destination

># I should add this to the beginning of the list:
># check_recipient_access hash:/etc/postfix/access
>
>
>access:
>narussocs.uchicago.edu FILTER smtp-amavis:[128.135.11.66]:10024

OK, 128.135.11.66 is your separate content-filtering box, listening on port 10024.

>master.cf:
>10025 inet n - n - - smtpd
> -o local_recipient_maps=
> -o smtpd_helo_restrictions=
> -o smtpd_client_restrictions=
> -o smtpd_sender_restrictions=
> -o smtpd_recipient_restrictions=permit_mynetworks,reject
> -o mynetworks=127.0.0.0/8,128.135.11.66
> -o myhostname=private.cs.uchicago.edu
>smtp-amavis unix - - n - 2 smtp
> -o smtp_data_done_timeout=1200
> -o disable_dns_lookups=yes
> -o fallback_relay=localhost:10025
>
>
>When the message comes back to port 10025, a different set of recipient
>restrictions will be imposed (this is what I couldn't achieve with
>transport_maps). Is 'permit_mynetworks,reject' a reasonable choice there?
>Is anything else wrong in my configuration as listed above?

This part looks OK.

An important note here is that the FILTER action in access tables applies
per-message, not per-recipient. If any recipient of a multi-recipient
message matches, the FILTER action will be applied to all recipients of
that message.

--
Noel Jones
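As an added illustration (not part of the original post or of Postfix itself), the following Python model walks a smtpd_recipient_restrictions list the way smtpd evaluates it: first PERMIT or REJECT wins, warn_if_reject downgrades a REJECT to a logged warning and continues, and running off the end permits. The sample lists are the two quoted above plus a constructed third one that puts warn_if_reject in front of reject_unauth_destination with nothing after it; the three session profiles (inbound mail to a local domain, a relay attempt from an outside host, a client the pop-before-smtp table returns OK for) are constructed. The model of check_relay_domains (permit a local recipient, reject anything else) is an assumption about the deprecated restriction, noted in the code.

```python
import re

# Constructed sample values, modelled on the restriction lists quoted in the post.
ORIGINAL = """permit_mynetworks,
 warn_if_reject reject_non_fqdn_recipient,
 warn_if_reject check_client_access dbm:/etc/postfix/pop-before-smtp,
 warn_if_reject check_relay_domains,
 reject"""

SUGGESTED = """permit_mynetworks
   check_client_access dbm:/etc/postfix/pop-before-smtp
   warn_if_reject reject_non_fqdn_recipient,
   reject_unauth_destination"""

# Constructed: the relay control itself wrapped in warn_if_reject, with nothing after it.
WARNED_RELAY_CHECK = "permit_mynetworks, warn_if_reject reject_unauth_destination"

# Restrictions that consume the next word as an argument (a lookup table or service).
WITH_ARG = {"check_client_access", "check_recipient_access", "check_sender_access",
            "check_helo_access", "check_policy_service"}
# Modifiers that apply to the restriction that follows them.
MODIFIERS = {"warn_if_reject", "defer_if_reject", "defer_if_permit"}


def split_restrictions(value):
    """Tokenise a Postfix restriction list (commas and/or whitespace separate
    entries) into (modifier, name, argument) triples."""
    words = [w for w in re.split(r"[,\s]+", value) if w]
    out, i = [], 0
    while i < len(words):
        modifier = None
        if words[i] in MODIFIERS:
            modifier, i = words[i], i + 1
            if i >= len(words):
                break  # dangling modifier with nothing to modify
        name, i = words[i], i + 1
        arg = None
        if name in WITH_ARG and i < len(words):
            arg, i = words[i], i + 1
        out.append((modifier, name, arg))
    return out


def apply_one(name, arg, session):
    """Verdict (PERMIT, REJECT or DUNNO) of a single restriction for a session
    described by: in_mynetworks, table (what the client access lookup returns),
    recipient_local, recipient_fqdn."""
    if name == "permit_mynetworks":
        return "PERMIT" if session["in_mynetworks"] else "DUNNO"
    if name == "check_client_access":
        return {"OK": "PERMIT", "REJECT": "REJECT"}.get(session["table"], "DUNNO")
    if name == "reject_non_fqdn_recipient":
        return "DUNNO" if session["recipient_fqdn"] else "REJECT"
    if name == "reject_unauth_destination":
        return "DUNNO" if session["recipient_local"] else "REJECT"
    if name == "check_relay_domains":
        # Assumption: the deprecated check permits a recipient in our own
        # domains outright and rejects everything else.
        return "PERMIT" if session["recipient_local"] else "REJECT"
    if name == "reject":
        return "REJECT"
    raise ValueError("restriction not modelled: " + name)


def evaluate(restrictions, session):
    """Walk the list as smtpd does; returns (final verdict, restrictions whose
    REJECT was downgraded to a warning by warn_if_reject)."""
    warnings = []
    for modifier, name, arg in restrictions:
        verdict = apply_one(name, arg, session)
        if verdict == "REJECT" and modifier == "warn_if_reject":
            warnings.append(name)  # logged as a warning, evaluation continues
            continue
        if verdict != "DUNNO":
            return verdict, warnings
    return "PERMIT", warnings  # end of list: recipient restrictions default to permit


# Constructed sessions: outside host delivering to a local domain, the same host
# attempting to relay, and a client the pop-before-smtp table has marked OK.
SESSIONS = {
    "inbound": {"in_mynetworks": False, "table": None, "recipient_local": True, "recipient_fqdn": True},
    "relay_attempt": {"in_mynetworks": False, "table": None, "recipient_local": False, "recipient_fqdn": True},
    "pop_client": {"in_mynetworks": False, "table": "OK", "recipient_local": False, "recipient_fqdn": True},
}


def verdicts(value):
    """Evaluate one restriction list against every constructed session."""
    restrictions = split_restrictions(value)
    return {label: evaluate(restrictions, s) for label, s in SESSIONS.items()}


if __name__ == "__main__":
    for label, value in [("original", ORIGINAL), ("suggested", SUGGESTED),
                         ("warned relay check", WARNED_RELAY_CHECK)]:
        print(label, verdicts(value))
```

Run stand-alone it shows the point of the reply: the original list only rejects the relay attempt because the trailing `reject` catches it after check_relay_domains has been downgraded to a warning, the suggested list rejects it with reject_unauth_destination and still accepts inbound and pop-before-smtp mail, and the third list permits the relay attempt outright once the only relay control is behind warn_if_reject.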