Re: $mynetworks question
From: mouss (usebsd free.fr)
Date: Fri Jan 06 2006 - 13:21:06 CST
Amin Astaneh wrote:
> Hello-
>
> I have read the postfix-mysql documentation and I am very aware of how table lookups for $mynetworks work, using a key-arbitrary value combination. However, I was wondering if anyone on the list has ever seen an approach to something I wish to implement.
>
> I use DNS blacklisting for my SMTP servers and I am wondering if it is possible to write a whitelist of IP addresses or domain names for each mail domain or user that I serve which will be placed in a lookup table for mynetworks.
> For example- one of our customers receives a lot of essential customer mail from the bellsouth ISP. Is it possible for postfix to allow these certain machines to connect when a specific 'rcpt to:' is declared, rather than to always allow them?
>
> Clearly postfix connects to the mysql database with the where_field corresponding to the domain name or the IP of the machine that is connecting. Is there any information that postfix can use in the lookups as well? Perhaps the 'rcpt to:'?
>
First of all, don't use mynetworks. This is used in other places by
postfix, not just for access control. Instead, use another table (see
below).
Postfix access doesn't check two fields at a time. You can either change
your requirements or use a policy service:
[postfix only]
Note: requirement change:
The following will allow (client, rcpt) if client is in my_customer_ips
and recipient is in some_recipients. This is not client dependent
(customer A can still send to recipient B).

smtpd_restriction_classes =
    ...
    allow_some_clients
smtpd_recipient_restrictions =
    ...
    check_recipient_access $type:$dir/some_recipients
    ...
allow_some_clients =
    check_client_access $type:$dir/my_customer_ips

and then in some_recipients (or the equivalent in mysql) do:

foo@example.com allow_some_clients
bar@example.org allow_some_clients
...

and in my_customer_ips (or the equivalent in mysql):

192.0.2.67 OK

[policy]
For more "control" (to enforce the (client, recipient) relationship),
you need a policy service. I don't know of any available one that
already does what you want, but you can patch one of the available ones
or write your own.
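
Added example (not part of the original message, and not code from Postfix or any existing policy server): a minimal policy service in Python that speaks the Postfix policy delegation protocol and returns OK only when the (client, recipient) pair is whitelisted. The WHITELIST contents are constructed sample data and the function names are hypothetical.

```python
"""Postfix policy delegate: whitelist (client IP, recipient) pairs ahead of DNSBL checks."""
import ipaddress
import sys

# Constructed sample data: recipient address or domain -> client networks allowed for it.
WHITELIST = {
    "foo@example.com": ["192.0.2.67"],
    "example.org": ["198.51.100.0/24"],
}


def parse_request(lines):
    """Parse one policy request (name=value lines) into a dict."""
    pairs = (line.partition("=") for line in lines)
    return {name: value for name, sep, value in pairs if sep}


def decide(attrs, whitelist=WHITELIST):
    """Return OK only when this client is whitelisted for this recipient, else DUNNO."""
    if attrs.get("request") != "smtpd_access_policy":
        return "DUNNO"
    rcpt = attrs.get("recipient", "").lower()
    try:
        client = ipaddress.ip_address(attrs.get("client_address", ""))
    except ValueError:
        return "DUNNO"  # missing or malformed address: leave it to later restrictions
    domain = rcpt.rpartition("@")[2]
    for key in (rcpt, domain):  # full address first, then the whole domain
        for net in whitelist.get(key, []):
            if client in ipaddress.ip_network(net, strict=False):
                return "OK"
    return "DUNNO"


def serve(stream_in=sys.stdin, stream_out=sys.stdout):
    """Answer requests until EOF; an empty line terminates each request."""
    request = []
    for raw in stream_in:
        line = raw.rstrip("\n")
        if line:
            request.append(line)
            continue
        stream_out.write("action=%s\n\n" % decide(parse_request(request)))
        stream_out.flush()
        request = []


if __name__ == "__main__":
    serve()
```

Run it from master.cf through spawn(8) and reference it with check_policy_service in smtpd_recipient_restrictions, placed after reject_unauth_destination and before the reject_rbl_client entries, so that an OK skips only the DNSBL checks and never opens a relay.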