Re: catchall alias for wildcard subdomains?

From: Joshua Baer (yahoojoshuabaer.com)
Date: Sun Jul 15 2007 - 14:50:54 CDT


That makes sense. Sounds like check_client_access isn't the right
thing for my application.

I'm trying to match on the envelope recipients... I want anything
sent TO *.mydomain.com to be accepted. I can do that by listing out
each subdomain in the mydestinations variable, but I'm trying to
avoid that because I expect to have a very large list of subdomains
that changes frequently - I'd like to just tell it to accept mail for
any subdomain in one statement if possible.

~Josh

On Jul 15, 2007, at 2:40 PM, MrC wrote:

> Joshua Baer wrote:
>> Thanks so much for your reply! I am not using postmap to test, I'm
>> just sending it real emails.
>> I tried the latter
>> .mydomain.com OK
>> and then tested it by running postmap, restarting postfix, and
>> then sending email to testsubdomain.mydomain.com
>> <mailto:testsubdomain.mydomain.com> to see if it would be
>> delivered. The mail is accepted and doesn't bounce, but it's not
>> placed into any mailbox files in /var/mail
>
> check_client_access matches against the connecting domain or IP,
> not against envelope recipients or To: headers.
>
> Remember also that your configuration probably short circuits
> additional tests because your systems are in mydestination or
> mynetworks.
>
> A debugging technique I like is to specifically restrict one host
> IP from mynetworks, and then I can use that host to act as an
> outside system.
>
> It's easier to test a check_sender_access access map because you can
> control that in the SMTP dialog. List the domain you want to match:
>
> check_sender_access hash:sender_checks
> example.com REJECT No mail allowed from example.com or subdomains
>
> and perform the following:
>
> $ telnet yourmailhost 25
> EHLO somedomain.com
> ...
> MAIL FROM:<usersub.example.com>
> 250 2.1.0 Ok
> RCPT TO:<youyourdomain.com>
> 250 2.1.0 Ok
> DATA
> 354 End data with <CR><LF>.<CR><LF>
> testing.
> .
> QUIT
>
> You should see log entries such as:
>
> Jul 15 11:53:57 mailhost postfix/smtpd[24251]: NOQUEUE: reject:
> RCPT from example.com[192.168.0.1]: 554 5.7.1
> <bogussub.example.com>: Sender address rejected: TESTING;
> from=<bogussub.example.com> to=<memydomain.com> proto=ESMTP
> helo=<example.com>
>
> MrC
>
>
>> Any other ideas?
>> ~Josh
>> On Jul 15, 2007, at 2:01 PM, MrC wrote:
>>>>> You don't need to create catchalls for each subdomain. Read
>>>>> the description under EMAIL ADDRESS PATTERNS in:
>>>>>
>>>>>
>>>>> http://www.postfix.org/access.5.html
>>>>>
>>>>>
>>>> I've looked this over but am having trouble getting it to work.
>>>> I put this line in main.cf (tried both above and below the
>>>> mydestination setting).
>>>>
>>>> smtpd_client_restrictions =
>>>>
>>>> check_client_access hash:/private/etc/postfix/access
>>>>
>>>> Then I added this one line to the top of the otherwise empty
>>>> access file:
>>>>
>>>> .mydomain.com OK
>>>>
>>>> Finally, I ran postmap /private/etc/postfix/access
>>>>
>>>
>>> I presume you are using postmap to test?
>>>
>>>
>>> Postmap does not completely duplicate the running postfix
>>> environment. It will not match subdomains in your postmap -q
>>> access queries, but postfix will match during the SMTP dialog.
>>>
>>>
>>> If you have the default parent_domain_matches_subdomains which
>>> includes smtpd_access_maps, then all you need in your access map is:
>>>
>>>
>>> mydomain.com OK
>>>
>>>
>>> To protect yourself in the future if/when
>>> parent_domain_matches_subdomains takes on more restrictive
>>> settings, adding the specific:
>>>
>>>
>>> .mydomain.com OK
>>>
>>>
>>> is probably wise.
>>>
>
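The quoted explanation of how parent_domain_matches_subdomains changes access-map matching, and why postmap -q does not reproduce what smtpd does, worked through as an added Python simulation of the access(5) lookup order (this is not Postfix code and not from the thread; the tables, addresses and actions are constructed):

```python
# Simulates the access(5) EMAIL ADDRESS PATTERNS lookup order that smtpd
# applies to envelope sender/recipient addresses, with the two styles of
# parent-domain matching controlled by parent_domain_matches_subdomains.

def domain_keys(domain, parent_matches):
    """Keys tried for the domain part, most specific first.

    When smtpd_access_maps is listed in parent_domain_matches_subdomains,
    parent domains are looked up as 'mydomain.com'; when it is not listed,
    they are looked up in the '.mydomain.com' form (subdomains only).
    """
    keys = [domain]
    labels = domain.split(".")
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        keys.append(parent if parent_matches else "." + parent)
    return keys

def address_keys(address, parent_matches, delimiter="+"):
    """user+ext@domain, user@domain, domain walk, user+ext@, user@."""
    local, _, domain = address.lower().rpartition("@")
    base = local.split(delimiter, 1)[0]
    keys = [address.lower()]
    if base != local:
        keys.append(base + "@" + domain)
    keys += domain_keys(domain, parent_matches)
    keys.append(local + "@")
    if base != local:
        keys.append(base + "@")
    return keys

def smtpd_lookup(table, address, parent_matches=True):
    """First (key, action) that smtpd would act on, or None if no match."""
    for key in address_keys(address, parent_matches):
        if key in table:
            return key, table[key]
    return None

def postmap_query(table, key):
    """postmap -q is an exact key lookup; it never walks parent domains."""
    return table.get(key)

if __name__ == "__main__":
    # Constructed access table, in the spirit of the thread's ".mydomain.com OK".
    table = {"mydomain.com": "OK", ".mydomain.com": "OK"}
    addr = "me@testsubdomain.mydomain.com"
    for style in (True, False):
        print("parent_matches =", style, "->", smtpd_lookup(table, addr, style))
    print("postmap -q:", postmap_query(table, "testsubdomain.mydomain.com"))
```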