Brian Mathis wrote:
> I'm running a relay server for my internal network, and trying to
> construct a smtpd_recipient_restrictions list that will accomplish the
> following:
> - if the client is in mynetworks
> - and it passes a check_policy_service test
> - then allow the message
> - otherwise, reject the message
>
> However, with the following setting:
> smtpd_recipient_restrictions = permit_mynetworks,
> check_policy_service unix:private/mypolicy, reject_unauth_destination
> it seems that the permit_mynetworks finds the allowed client, returns
> a "permit", and the check does not progress any further. It works as
> expected if I remove permit_mynetworks, but I was hoping to filter out
> IP addresses before calling the policy script, which seems more
> efficient.
>
> Is there a way to accomplish what I am looking to do?
>
A simple way to do it is to "stack" the checks:

# anything but mynetworks is rejected
smtpd_client_restrictions = permit_mynetworks reject
# anything that is not rejected goes to our policy server
smtpd_sender_restrictions = check_policy_service unix:private/mypolicy
# default setup
smtpd_recipient_restrictions = permit_mynetworks reject_unauth_destination

(you can simply remove smtpd_recipient_restrictions, since this is the default value).

> PS. I'm also a bit concerned with the warnings about:
> specify check_policy_service AFTER reject_unauth_destination or
> else your system can become an open relay.
> but if I put the policy check after reject_unauth_destination, the
> policy never gets called.

I recommend using smtpd_recipient_restrictions to block inbound spam. Put all other checks (local policy, outgoing mail control, ...) in other restrictions. The reason is that smtpd_recipient_restrictions also controls relay, and you'd better not get it wrong (otherwise, you become an open relay).

> [snip]
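For readers who want to see what sits behind the check_policy_service unix:private/mypolicy entry in the stacked configuration above, here is an added example that is not part of the thread: a minimal policy server in Python that speaks the Postfix policy delegation protocol (name=value attribute lines, terminated by an empty line; reply "action=..." followed by an empty line). The network list, the example.internal sender domain and the sender-domain rule are constructed for illustration. Because the reply's smtpd_client_restrictions already rejects everything outside mynetworks before the policy server is consulted, the client_address check here is only a defence-in-depth duplicate; the real relay control stays in smtpd_recipient_restrictions, exactly as the reply recommends.

```python
import ipaddress
import sys

# Constructed for this example: the trusted networks. A real deployment
# would take these from the same source as main.cf mynetworks.
MYNETWORKS = ["127.0.0.0/8", "10.0.0.0/8"]

# Constructed for this example: the only sender domain the relay accepts.
ALLOWED_SENDER_DOMAIN = "example.internal"


def parse_policy_request(raw: str) -> dict:
    """Parse one policy request (name=value lines, ended by an empty line).

    Lines after the first empty line belong to the next request and are
    ignored here; lines without '=' are skipped."""
    attrs = {}
    for line in raw.splitlines():
        if not line:
            break
        name, sep, value = line.partition("=")
        if sep:
            attrs[name.strip()] = value.strip()
    return attrs


def decide(attrs: dict, mynetworks=MYNETWORKS) -> str:
    """Return the Postfix action for one request.

    DUNNO means 'no opinion, continue with the remaining restrictions';
    REJECT followed by text is sent back to the client as the refusal."""
    if attrs.get("request") != "smtpd_access_policy":
        return "DUNNO"
    try:
        client = ipaddress.ip_address(attrs.get("client_address", ""))
    except ValueError:
        # Unparseable address: leave the decision to the other restrictions.
        return "DUNNO"
    if not any(client in ipaddress.ip_network(net) for net in mynetworks):
        return "REJECT client not in mynetworks"
    # Local policy rule (constructed): only relay for the internal domain.
    sender = attrs.get("sender", "").lower()
    if not sender.endswith("@" + ALLOWED_SENDER_DOMAIN):
        return "REJECT sender domain not permitted to relay"
    return "DUNNO"


def format_response(action: str) -> str:
    """Encode an action in the wire format Postfix expects."""
    return "action=%s\n\n" % action


def answer(raw_request: str) -> str:
    """Full round trip for one request: parse, decide, encode."""
    return format_response(decide(parse_policy_request(raw_request)))


def serve_stdio(inp=sys.stdin, out=sys.stdout) -> None:
    """Answer requests on stdin/stdout, the mode used when master.cf
    spawns the policy server, e.g.
      mypolicy unix - n n - 0 spawn user=nobody argv=/usr/bin/python3 /path/to/policy.py
    (one process per SMTP session, possibly several requests each)."""
    pending = []
    for line in inp:
        line = line.rstrip("\n")
        if line:
            pending.append(line)
            continue
        # Empty line: one request is complete.
        out.write(answer("\n".join(pending) + "\n"))
        out.flush()
        pending = []


if __name__ == "__main__":
    serve_stdio()
```

Run with the master.cf spawn entry shown in the docstring, then check the Postfix log for the action returned on a test delivery from inside and outside the trusted networks.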