Rocco Scappatura wrote:
>
> Mouss,
>
>>>> and your explanation was about a "receiver". That's 3 different
>>>> things...
>>> So.. What I have to do to block a message based on the receiver?
>>>
>> check_recipient_access.
>>
>>>> PS. it would be safer to put your check_sender_access in
>>>> smtpd_sender_restrictions so that an error in your sql query doesn't
>>>> make you an open relay.
>>> Why is safer? Could have any side effect in my configuration? Thanks.
>>>
>> it's ok if you don't return "OK" in your map (Annie, are you OK?). but
>> one day, you'll be tired and you'll add an entry to your map...
>>
>> this is why it is generally safer to put check_*_access after
>> reject_unauth_destination in smtpd_recipient_restrictions, or to put
>> them in other restrictions (latter if you want them to apply to both
>> inbound and outbound mail).
>
> These are the restrictions in my main.cf file:
>
> smtpd_client_restrictions =
>   check_client_access
>     proxy:mysql:/etc/postfix/mysql-check-client-filter-access.cf
>
> smtpd_helo_restrictions =
> smtpd_sender_restrictions =
>
> smtpd_recipient_restrictions =
>   check_sender_access proxy:mysql:/etc/postfix/mysql-check-sender-access.cf
>   check_recipient_access
>     proxy:mysql:/etc/postfix/mysql-check-recipient-access.cf
>   check_client_access proxy:mysql:/etc/postfix/mysql-check-client-access.cf
>   permit_mynetworks
>   permit_sasl_authenticated
>   check_policy_service inet:127.0.0.1:54000
>   reject_unauth_destination
> .
> .
> .
>
> How do I have to modify it so that I could block an email address either
> if is the sender or one of the recipients, AND either if the message is
> incoming or outgoing?
>
> Maybe so (assuming that the action will never be "OK")...
>
> smtpd_client_restrictions =
>   check_client_access
>     proxy:mysql:/etc/postfix/mysql-check-client-filter-access.cf
>
> smtpd_helo_restrictions =
> smtpd_sender_restrictions =
>   check_sender_access proxy:mysql:/etc/postfix/mysql-check-sender-access.cf
>   check_recipient_access
>     proxy:mysql:/etc/postfix/mysql-check-sender-access.cf
>
> smtpd_recipient_restrictions =
>   check_recipient_access
>     proxy:mysql:/etc/postfix/mysql-check-recipient-access.cf
this one is already in smtpd_sender_restrictions, so just remove it

>   check_client_access proxy:mysql:/etc/postfix/mysql-check-client-access.cf

what's this for? it's already in smtpd_client_restrictions, so you may or
may not need it here.

>   permit_mynetworks
>   permit_sasl_authenticated
>   check_policy_service inet:127.0.0.1:54000

what's this for? you probably want to put this after
reject_unauth_destination.

remember: reject_unauth_destination is what prevents open relay. so avoid
putting a lot of stuff before it, because you increase the risks. and
reject_unauth_destination is a very safe and very cheap check, so it's good
to have it as soon as possible.

>   reject_unauth_destination
> .
> .
> .
>
> Or you have another configuration to propose that is safer?
>

see above.

as a general "rule of thumb", put anti-spam checks (I'm talking about
inbound spam. outbound spam is a different subject) after
reject_unauth_destination, and put "general restrictions" (that also apply
to your users) in one of smtpd_(client|helo|sender)_restrictions.
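
Added example (not part of the original message, and not Postfix's own tooling): a small audit that lists every check_*_access or check_policy_service lookup evaluated before reject_unauth_destination in smtpd_recipient_restrictions, which is the ordering the reply above warns about. The sample main.cf text is constructed from the layout quoted in the thread, and the function names are hypothetical.

```python
import re

# Constructed sample following the layout quoted in the thread (not a real server's file).
SAMPLE_MAIN_CF = """\
smtpd_sender_restrictions =
smtpd_recipient_restrictions =
    check_sender_access proxy:mysql:/etc/postfix/mysql-check-sender-access.cf
    check_recipient_access
      proxy:mysql:/etc/postfix/mysql-check-recipient-access.cf
    permit_mynetworks
    permit_sasl_authenticated
    check_policy_service inet:127.0.0.1:54000
    reject_unauth_destination
"""

RELAY_GUARD = "reject_unauth_destination"
# Lookups whose result can be a permit ("OK") that ends evaluation of the list early.
RISKY = re.compile(r"^(check_\w+_access|check_policy_service)$")

def parse_main_cf(text):
    """Return {parameter: value}; lines starting with whitespace continue the previous one."""
    params, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank and comment lines do not end a multi-line value
        if line[0].isspace() and current:
            params[current] += " " + line.strip()
        elif "=" in line:
            current, value = (part.strip() for part in line.split("=", 1))
            params[current] = value
    return params

def lookups_before_relay_guard(text, param="smtpd_recipient_restrictions"):
    """List (restriction, table) pairs that are evaluated before the relay guard."""
    tokens = re.split(r"[,\s]+", parse_main_cf(text).get(param, "").strip())
    found = []
    for i, tok in enumerate(tokens):
        if tok == RELAY_GUARD:
            return found
        if RISKY.match(tok):
            found.append((tok, tokens[i + 1] if i + 1 < len(tokens) else ""))
    return found  # the relay guard never appeared in this list

if __name__ == "__main__":
    for name, table in lookups_before_relay_guard(SAMPLE_MAIN_CF):
        print(f"evaluated before {RELAY_GUARD}: {name} {table}")
```

Each reported table is one where a single "OK" row would permit the recipient before the relay check is reached; an empty result means the lookups either follow reject_unauth_destination or live in another restriction list.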