Re: Blocking with smtpd_client_restrictions

From: Noel Jones (njonesmegan.vbhcs.org)
Date: Tue Jun 23 2009 - 20:02:07 CDT


Jon wrote:
> I have postfix on a debian Linux (lenny, ESXi virtual) machine handling
> inbound traffic for a couple domains on Microsoft Exchange 2003. I am
> using transport_maps and getadsmtp.pl for my recipient list which seem
> to work fine. The questions I have are related to
> smtpd_client_restrictions.
>
>
> smtp1:/etc/postfix# postconf -n | grep smtpd_client_restrictions
> smtpd_client_restrictions =
> check_client_access hash:/etc/postfix/access_hash,
> check_client_access regexp:/etc/postfix/access_regexp,
> reject_unknown_reverse_client_hostname,
> reject_unknown_client_hostname
>
> smtp1:/etc/postfix# cat access_hash
> .it REJECT 554 Access denied

Most installations include "smtpd_access_maps" in
parent_domain_matches_subdomains, so the correct entry would be
it REJECT comment
see the "HOST NAME/ADDRESS PATTERNS" section of
http://www.postfix.org/access.5.html and also
http://www.postfix.org/postconf.5.html#parent_domain_matches_subdomains

Note the "554" is redundant, so leave it out. It's OK to use
an "enhanced" status code such as 5.7.1. See RFC1893 for a
list of what the codes mean; don't just make up your own.

Your comment, "Access denied" is somewhat generic, and looks a
lot like the default response. Better to use something so YOU
can tell what rule rejected a particular message (priceless
when tracking a problem!!), or a comment explaining to the
client what they can do to fix the problem.
it REJECT 5.7.1 unwanted client TLD. send a postcard.

>
> smtp1:/etc/postfix# cat access_regexp
> /gaoland\.net/

No action/result in this table?

Anyway, a far better expression would be
/\.gaoland\.net$/ REJECT comment

You can also easily add your TLD block to the same table:
/\.it$/ REJECT 5.7.1 unwanted client TLD

>
>
> My questions:
> 1) Are two check_client_access statements as I have in
> smtp_client_restrictions legal?

Yes, use as many as you need. But table lookups aren't free;
I expect your OS will run out of ${some critical resource}
after a ridiculous number of tables - probably hundreds or
thousands.

If you have postfix 2.6 or newer, for a blacklist I suggest
using check_reverse_client_hostname_access rather than
check_client_access, since it is more likely to find a client
name rather than "unknown".
http://www.postfix.org/postconf.5.html#check_reverse_client_hostname_access

And by the way, I think TLD client blocks are mostly a waste
of time. There are usually better ways to block unwanted mail.

   -- Noel Jones
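Added example, not from the thread and not Postfix code: a small Python model of how the two tables quoted above are consulted, following the lookup order documented in access(5) (HOST NAME/ADDRESS PATTERNS) and regexp_table(5). It shows why the posted ".it" entry never fires under the default parent_domain_matches_subdomains setting while the bare "it" entry does, and why the unanchored /gaoland\.net/ also catches a name such as gaoland.net.example.com. Assumptions: the client names and addresses are constructed samples (documentation ranges 192.0.2.0/24 and 198.51.100.0/24), the posted regexp entry had no action so REJECT is assumed for it here, and the functions are a simulation, not calls into Postfix.

```python
import re

# Constructed access tables, modelled on the entries quoted in the thread.
# Indexed (hash:) table as originally posted. The dotted key is only ever
# looked up when smtpd_access_maps is NOT listed in
# parent_domain_matches_subdomains.
ACCESS_HASH_ORIGINAL = {".it": "REJECT 554 Access denied"}
# Corrected entry for the default setting: bare parent domain, enhanced
# status code, and a comment that identifies which rule fired.
ACCESS_HASH_CORRECTED = {"it": "REJECT 5.7.1 unwanted client TLD"}

# regexp: tables are ordered (pattern, action) pairs. The posted entry had no
# action at all; REJECT is assumed here so its matching behaviour can be shown.
ACCESS_REGEXP_ORIGINAL = [(r"gaoland\.net", "REJECT")]
ACCESS_REGEXP_CORRECTED = [
    (r"\.gaoland\.net$", "REJECT 5.7.1 unwanted client domain"),
    (r"\.it$", "REJECT 5.7.1 unwanted client TLD"),
]


def hostname_lookup_keys(hostname, parent_matches_subdomains=True):
    """Keys Postfix tries, in order, for a client name in an indexed table
    (access(5), HOST NAME/ADDRESS PATTERNS): the full name, then each parent
    domain, bare when smtpd_access_maps is in parent_domain_matches_subdomains
    (the default) and with a leading dot when it is not."""
    labels = hostname.lower().split(".")
    keys = [hostname.lower()]
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        keys.append(parent if parent_matches_subdomains else "." + parent)
    return keys


def address_lookup_keys(address):
    """Keys tried for an IPv4 client address: the full address, then
    progressively shorter network prefixes (net.work.addr, net.work, net)."""
    octets = address.split(".")
    return [".".join(octets[:n]) for n in range(len(octets), 0, -1)]


def indexed_lookup(table, keys):
    """First key present wins, as for hash:, btree: and similar tables."""
    for key in keys:
        if key in table:
            return table[key]
    return None


def regexp_lookup(table, value):
    """regexp_table(5): patterns are tried top to bottom as unanchored,
    case-insensitive searches; the first match wins. No parent-domain
    splitting happens for regexp tables; the whole string is matched."""
    for pattern, action in table:
        if re.search(pattern, value, re.IGNORECASE):
            return action
    return None


def check_client_access(hostname, address, hash_table, regexp_table,
                        parent_matches_subdomains=True):
    """Evaluate the thread's two check_client_access entries in order:
    hash: table on the client name and its parents, then on the client
    address and its networks; then the regexp: table on name, then address.
    Returns the action of the first hit, or None (no restriction triggered)."""
    keys = (hostname_lookup_keys(hostname, parent_matches_subdomains)
            + address_lookup_keys(address))
    action = indexed_lookup(hash_table, keys)
    if action is not None:
        return action
    return regexp_lookup(regexp_table, hostname) or regexp_lookup(regexp_table, address)


if __name__ == "__main__":
    # Constructed sample clients (documentation address ranges).
    clients = [("mail.example.it", "192.0.2.10"),
               ("MX1.gaoland.net", "198.51.100.7"),
               ("gaoland.net.example.com", "198.51.100.8")]
    for host, addr in clients:
        print(host, addr)
        print("  original tables, default parent_domain_matches_subdomains:",
              check_client_access(host, addr, ACCESS_HASH_ORIGINAL, ACCESS_REGEXP_ORIGINAL))
        print("  original tables, smtpd_access_maps removed from it:",
              check_client_access(host, addr, ACCESS_HASH_ORIGINAL, ACCESS_REGEXP_ORIGINAL, False))
        print("  corrected tables:",
              check_client_access(host, addr, ACCESS_HASH_CORRECTED, ACCESS_REGEXP_CORRECTED))
```

Two things worth checking against a real installation rather than this model: `postconf parent_domain_matches_subdomains` tells you which setting you actually have, and `postmap -q mail.example.it hash:/etc/postfix/access_hash` (or `regexp:/etc/postfix/access_regexp`) shows the single-key lookup result, though it does not walk parent domains for you. Note also that the anchored `/\.gaoland\.net$/` deliberately requires a leading dot, so it does not match the bare name `gaoland.net`; use `/(^|\.)gaoland\.net$/` if the bare domain should be caught as well.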