From: Rocco Scappatura (Rocco.Scappatura infracom.it)
Date: Sun Feb 01 2009 - 10:25:47 CST
>> How do I have to modify it so that I could block an email address either
>> if it is the sender or one of the recipients, AND either if the message is
>> incoming or outgoing?
>>
>> Maybe so (assuming that the action will never be "OK")...
>>
>> smtpd_client_restrictions =
>> check_client_access
>> proxy:mysql:/etc/postfix/mysql-check-client-filter-access.cf
>>
>> smtpd_helo_restrictions =
>> smtpd_sender_restrictions =
>> check_sender_access
>> proxy:mysql:/etc/postfix/mysql-check-sender-access.cf
>> check_recipient_access
>> proxy:mysql:/etc/postfix/mysql-check-sender-access.cf
>>
>> smtpd_recipient_restrictions =
>> check_recipient_access
>> proxy:mysql:/etc/postfix/mysql-check-recipient-access.cf
>
> this one is already in smtpd_sender_restrictions, so just remove it
>
I can't remove it because this lookup returns "reject_unverified_address"
for the domains that I maintain but for which I have no list of valid
recipients:

    query = select restriction from domain where domain='%s'

Maybe I could put both lookups in smtpd_sender_restrictions?

    check_recipient_access
        proxy:mysql:/etc/postfix/mysql-check-sender-access.cf,
        proxy:mysql:/etc/postfix/mysql-check-sender-access.cf

Is it OK?

>> check_client_access
>> proxy:mysql:/etc/postfix/mysql-check-client-access.cf
>
> what's this for? it's already in smtpd_client_restrictions, so you may
> or may not need it here.
It integrates mynetworks (i.e., it returns "OK" if an IP is enabled to relay
through my SMTP gateway). I need it.
>
>> permit_mynetworks
>> permit_sasl_authenticated
>> check_policy_service inet:127.0.0.1:54000
>
> what's this for? you probably want to put this after
> reject_unauth_destination.
postgrey
>
> remember: reject_unauth_destination is what prevents open relay. so
> avoid putting a lot of stuff before it, because you increase the risks.
>
> and reject_unauth_destination is a very safe and very cheap check, so it's
> good to have it as soon as possible.
>
>> reject_unauth_destination
>> .
>> .
>> .
>>
>> Or do you have another configuration to propose that is safer?
>>
>
> see above.
>
> as a general "rule of thumb", put anti-spam checks (I'm talking about
> inbound spam. outbound spam is a different subject) after
> reject_unauth_destination, and put "general restrictions" (that also
> apply to your users) in one of smtpd_(client|helo|sender)_restrictions.
thanks,
rocsca
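
The ordering advice quoted above (keep reject_unauth_destination early, put
policy and anti-spam checks after it) can be checked mechanically. The
following is an added example, not part of the original message or of Postfix:
it parses a main.cf fragment and lists every restriction evaluated before
reject_unauth_destination so each one can be reviewed. The function names, the
EXPECTED_BEFORE set and the rule that every check_* name takes one argument
are assumptions of this example.

```python
import re

RELAY_CHECK = "reject_unauth_destination"
EXPECTED_BEFORE = {"permit_mynetworks", "permit_sasl_authenticated"}  # assumption

def parse_main_cf(text):
    """Return {parameter: value}; lines starting with whitespace continue the previous one."""
    params, name = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and name:
            params[name] += " " + line.strip()
        elif "=" in line:
            name, value = (part.strip() for part in line.split("=", 1))
            params[name] = value
    return params

def restrictions(value):
    """Split a restriction list; simplification: every check_* name takes one argument."""
    tokens = [t for t in re.split(r"[,\s]+", value) if t]
    out, i = [], 0
    while i < len(tokens):
        has_arg = tokens[i].startswith("check_") and i + 1 < len(tokens)
        out.append((tokens[i], tokens[i + 1] if has_arg else None))
        i += 2 if has_arg else 1
    return out

def audit(text, param="smtpd_recipient_restrictions"):
    """Report whether the relay check exists and what is evaluated before it."""
    items = restrictions(parse_main_cf(text).get(param, ""))
    names = [name for name, _ in items]
    cut = names.index(RELAY_CHECK) if RELAY_CHECK in names else len(items)
    flagged = [item for item in items[:cut] if item[0] not in EXPECTED_BEFORE]
    return {"relay_check": RELAY_CHECK in names, "flagged": flagged}

# Constructed main.cf fragment reproducing the ordering quoted in the thread.
SAMPLE = """\
smtpd_recipient_restrictions =
    check_recipient_access proxy:mysql:/etc/postfix/mysql-check-recipient-access.cf
    check_client_access proxy:mysql:/etc/postfix/mysql-check-client-access.cf
    permit_mynetworks
    permit_sasl_authenticated
    check_policy_service inet:127.0.0.1:54000
    reject_unauth_destination
"""

if __name__ == "__main__":
    for name, arg in audit(SAMPLE)["flagged"]:
        print("evaluated before", RELAY_CHECK + ":", name, arg or "")
```

A flagged entry is not necessarily wrong; it is a lookup whose possible
results (in particular "OK") need to be known, because it runs before the
relay check.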