Mouss,

>>>>> How do I have to modify it so that I could block an email address
>>>>> either if it is the sender or one of the recipients, AND either if
>>>>> the message is incoming or outgoing?
>>>>>
>>>>> Maybe so (assuming that the action will never be "OK")...
>>>>>
>>>>> smtpd_client_restrictions =
>>>>> check_client_access
>>>>> proxy:mysql:/etc/postfix/mysql-check-client-filter-access.cf
>>>>>
>>>>> smtpd_helo_restrictions =
>>>>> smtpd_sender_restrictions =
>>>>> check_sender_access
>>>>> proxy:mysql:/etc/postfix/mysql-check-sender-access.cf
>>>>> check_recipient_access
>>>>> proxy:mysql:/etc/postfix/mysql-check-sender-access.cf
>>>>>
>>>>> smtpd_recipient_restrictions =
>>>>> check_recipient_access
>>>>> proxy:mysql:/etc/postfix/mysql-check-recipient-access.cf
>>>> this one is already in smtpd_sender_restrictions, so just remove it
>>>>
>>> I can't remove it
>
> sorry, I didn't notice that it was a different map.
>
>>> because this lookup returns "reject_unverified_address"
>>> for the domains that I maintain but for which I have no list of valid
>>> recipients:
>>>
>>> query = select restriction from domain where domain='%s'
>>>
>>> maybe could I put both lookups in smtpd_sender_restrictions?
>>>
>
> yes.
>
>>> check_recipient_access
>>> proxy:mysql:/etc/postfix/mysql-check-sender-access.cf,
>>> proxy:mysql:/etc/postfix/mysql-check-sender-access.cf
>>
>> I'm saying:
>>
>> check_recipient_access
>> proxy:mysql:/etc/postfix/mysql-check-sender-access.cf,
>> proxy:mysql:/etc/postfix/mysql-check-recipient-access.cf
>>
>
> check_foo_access checks only one map. so you need to do it like this:
>
> check_recipient_access
> proxy:mysql:/etc/postfix/mysql-check-sender-access.cf
> check_recipient_access
> proxy:mysql:/etc/postfix/mysql-check-recipient-access.cf
>
>
>>> is it ok?
>>>
>>>>> check_client_access
>>>>> proxy:mysql:/etc/postfix/mysql-check-client-access.cf
>>>> what's this for? it's already in smtpd_client_restrictions, so you may
>>>> or may not need it here.
>>> It integrates mynetworks (i.e.: return "OK" if an IP is enabled to relay
>>> through my SMTP gateway). I need it.
>>>
>
> that's ok.
>
>>>>> permit_mynetworks
>>>>> permit_sasl_authenticated
>>>>> check_policy_service inet:127.0.0.1:54000
>>>> what's this for? you probably want to put this after
>>>> reject_unauth_destination.
>>> postgrey
>>>
>
> then put it at the end. no point to greylist a relay attempt.
>
>>>> remember: reject_unauth_destination is what prevents open relay. so
>>>> avoid putting a lot of stuff before it, because you increase the
>>>> risks.
>>>>
>>>> and reject_unauth_destination is a very safe and very cheap check, so
>>>> it's good to have it as soon as possible.
>>>>
>>>>> reject_unauth_destination
>>>>> .
>>>>> .
>>>>> .
>>>>>
>>>>> Or you have another configuration to propose that is safer?
>>>>>
>>>> see above.
>>>>
>>>> as a general "rule of thumb", put anti-spam checks (I'm talking about
>>>> inbound spam. outbound spam is a different subject) after
>>>> reject_unauth_destination, and put "general restrictions" (that also
>>>> apply to your users) in one of
>>>> smtpd_(client|helo|sender)_restrictions.

All works fine.. Annie is OK! ;-)

Thanks,
rocsca
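
The two points made in this thread (one map per check_foo_access, and the postgrey policy service placed after reject_unauth_destination) can be checked mechanically. The following is an added example, not code from any poster or from Postfix; it only understands the restriction names used in the thread, and the BEFORE/AFTER values are constructed from the thread's fragments.

```python
# Added example: lint a Postfix smtpd_recipient_restrictions value against the
# advice in this thread. BEFORE and AFTER are constructed sample inputs.
import re

RELAY_GUARD = "reject_unauth_destination"

def takes_argument(name):
    """Restrictions from the thread that consume exactly one argument."""
    return name == "check_policy_service" or bool(re.fullmatch(r"check_\w+_access", name))

def parse(value):
    """Split on whitespace/commas into (restriction, argument-or-None) pairs."""
    tokens = iter(t for t in re.split(r"[\s,]+", value) if t)
    items = []
    for name in tokens:
        arg = next(tokens, None) if takes_argument(name) else None
        items.append((name, arg))
    return items

def lint(value):
    """Return findings; an empty list means the ordering follows the thread."""
    items = parse(value)
    guard = next((i for i, (n, _) in enumerate(items) if n == RELAY_GUARD), None)
    findings = [] if guard is not None else [f"missing {RELAY_GUARD}"]
    for pos, (name, arg) in enumerate(items):
        if arg is None and ":" in name:  # a map with no check_*_access keyword
            findings.append(f"bare map {name}: repeat the check_*_access keyword")
        if name == "check_policy_service" and guard is not None and pos < guard:
            findings.append(f"{name} {arg} runs before {RELAY_GUARD}")
    return findings

BEFORE = """
    check_recipient_access proxy:mysql:/etc/postfix/mysql-check-sender-access.cf,
        proxy:mysql:/etc/postfix/mysql-check-recipient-access.cf
    check_client_access proxy:mysql:/etc/postfix/mysql-check-client-access.cf
    permit_mynetworks permit_sasl_authenticated
    check_policy_service inet:127.0.0.1:54000
    reject_unauth_destination
"""
AFTER = """
    check_recipient_access proxy:mysql:/etc/postfix/mysql-check-sender-access.cf
    check_recipient_access proxy:mysql:/etc/postfix/mysql-check-recipient-access.cf
    check_client_access proxy:mysql:/etc/postfix/mysql-check-client-access.cf
    permit_mynetworks permit_sasl_authenticated
    reject_unauth_destination
    check_policy_service inet:127.0.0.1:54000
"""

if __name__ == "__main__":
    print(*lint(BEFORE), sep="\n")
```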