From: mouss (mouss ml.netoyen.net)
Date: Sun Feb 01 2009 - 09:24:20 CST
Rocco Scappatura wrote:
>
>
> Mouss,
>
>>>> and your explanation was about a "receiver". That's 3 different
>>>> things...
> >>> So... What do I have to do to block a message based on the receiver?
>>>
>> check_recipient_access.
>>
>>>> PS. it would be safer to put your check_sender_access in
>>>> smtpd_sender_restrictions so that an error in your sql query doesn't
>>>> make you an open relay.
> >>> Why is it safer? Could it have any side effect in my configuration? Thanks.
>>>
>> it's ok if you don't return "OK" in your map (Annie, are you OK?). but
>> one day, you'll be tired and you'll add an entry to your map...
>>
>> this is why it is generally safer to put check_*_access after
>> reject_unauth_destination in smtpd_recipient_restrictions, or to put
>> them in other restrictions (latter if you want them to apply to both
>> inbound and outbound mail).
>
> These are the restrictions in my main.cf file:
>
> smtpd_client_restrictions =
>     check_client_access proxy:mysql:/etc/postfix/mysql-check-client-filter-access.cf
>
> smtpd_helo_restrictions =
> smtpd_sender_restrictions =
>
> smtpd_recipient_restrictions =
>     check_sender_access proxy:mysql:/etc/postfix/mysql-check-sender-access.cf
>     check_recipient_access proxy:mysql:/etc/postfix/mysql-check-recipient-access.cf
>     check_client_access proxy:mysql:/etc/postfix/mysql-check-client-access.cf
>     permit_mynetworks
>     permit_sasl_authenticated
>     check_policy_service inet:127.0.0.1:54000
>     reject_unauth_destination
> .
> .
> .
>
> How do I have to modify it so that I could block an email address either
> if it is the sender or one of the recipients, AND either if the message is
> incoming or outgoing?
>
> Maybe so (assuming that the action will never be "OK")...
>
> smtpd_client_restrictions =
>     check_client_access proxy:mysql:/etc/postfix/mysql-check-client-filter-access.cf
>
> smtpd_helo_restrictions =
> smtpd_sender_restrictions =
>     check_sender_access proxy:mysql:/etc/postfix/mysql-check-sender-access.cf
>     check_recipient_access proxy:mysql:/etc/postfix/mysql-check-sender-access.cf
>
> smtpd_recipient_restrictions =
>     check_recipient_access proxy:mysql:/etc/postfix/mysql-check-recipient-access.cf

this one is already in smtpd_sender_restrictions, so just remove it

>     check_client_access proxy:mysql:/etc/postfix/mysql-check-client-access.cf

what's this for? it's already in smtpd_client_restrictions, so you may
or may not need it here.

>     permit_mynetworks
>     permit_sasl_authenticated
>     check_policy_service inet:127.0.0.1:54000

what's this for? you probably want to put this after
reject_unauth_destination.

remember: reject_unauth_destination is what prevents open relay. so
avoid putting a lot of stuff before it, because you increase the risks.
and reject_unauth_destination is a very safe and very cheap check, so it's
good to have it as soon as possible.

>     reject_unauth_destination
> .
> .
> .
>
> Or do you have another configuration to propose that is safer?
>
see above.

as a general "rule of thumb", put anti-spam checks (I'm talking about
inbound spam. outbound spam is a different subject) after
reject_unauth_destination, and put "general restrictions" (that also
apply to your users) in one of smtpd_(client|helo|sender)_restrictions.
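
The ordering advice in this reply can be checked mechanically. The following is an added example, not code from the thread or from Postfix: it parses main.cf text and lists every lookup in smtpd_recipient_restrictions that is evaluated before reject_unauth_destination and could therefore answer OK first. It assumes relay control lives in smtpd_recipient_restrictions as in the posted configuration; the function names are hypothetical and both sample configurations are constructed from the list posted above.

```python
import re

# Restrictions whose lookup can answer OK/permit (the risk named in the reply).
CAN_PERMIT = re.compile(r"^(check_\w+_access|check_policy_service)$")

def parse_list(main_cf, param):
    """Return [(restriction, argument or None)] for param; last definition wins."""
    logical = []
    for raw in main_cf.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # blank and comment lines are ignored
        if raw[0].isspace() and logical:
            logical[-1] += " " + raw.strip()  # leading whitespace continues a line
        else:
            logical.append(raw.strip())
    params = {ln.partition("=")[0].strip(): ln.partition("=")[2] for ln in logical}
    tokens = [t for t in re.split(r"[,\s]+", params.get(param, "")) if t]
    items = []
    while tokens:
        name = tokens.pop(0)
        arg = tokens.pop(0) if CAN_PERMIT.match(name) and tokens else None
        items.append((name, arg))
    return items

def permits_before_relay_check(main_cf):
    """Lookups in smtpd_recipient_restrictions placed before reject_unauth_destination."""
    items = parse_list(main_cf, "smtpd_recipient_restrictions")
    stop = ("reject_unauth_destination", None)
    cut = items.index(stop) if stop in items else len(items)
    return [item for item in items[:cut] if CAN_PERMIT.match(item[0])]

# Constructed inputs: the list as first posted, and a reordering that follows the reply.
POSTED = """
smtpd_recipient_restrictions =
  check_sender_access proxy:mysql:/etc/postfix/mysql-check-sender-access.cf
  check_recipient_access proxy:mysql:/etc/postfix/mysql-check-recipient-access.cf
  check_client_access proxy:mysql:/etc/postfix/mysql-check-client-access.cf
  permit_mynetworks permit_sasl_authenticated
  check_policy_service inet:127.0.0.1:54000
  reject_unauth_destination
"""
REORDERED = """
smtpd_recipient_restrictions =
  permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
  check_policy_service inet:127.0.0.1:54000
"""
for name, arg in permits_before_relay_check(POSTED):
    print(f"before reject_unauth_destination: {name} {arg}")
```

permit_mynetworks and permit_sasl_authenticated are deliberately not flagged, since letting your own clients relay is their purpose.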