Brian Mathis wrote:
> I'm running a relay server for my internal network, and trying to
> construct a smtpd_recipient_restrictions list that will accomplish the
> following:
> - if the client is in mynetworks
> - and it passes a check_policy_service test
> - then allow the message
> - otherwise, reject the message
> 
> However, with the following setting:
>     smtpd_recipient_restrictions = permit_mynetworks,
> check_policy_service unix:private/mypolicy, reject_unauth_destination
> it seems that the permit_mynetworks finds the allowed client, returns
> a "permit", and the check does not progress any further.  It works as
> expected if I remove permit_mynetworks, but I was hoping to filter out
> IP addresses before calling the policy script, which seems more
> efficient.
> 
> Is there a way to accomplish what I am looking to do?
> 

a simple way to do it is to "stack" the checks:

#anything but mynetworks is rejected
smtpd_client_restrictions =
        permit_mynetworks
        reject

# anything that is not rejected goes to our policy server
smtpd_sender_restrictions =
        check_policy_service unix:private/mypolicy

# default setup
smtpd_recipient_restrictions =
        permit_mynetworks
        reject_unauth_destination

(you can simply remove smtpd_recipient_restrictions, since this is the
default value).


> 
> PS. I'm also a bit concerned with the warnings about:
>     specify check_policy_service AFTER reject_unauth_destination or
> else your system can become an open relay.
> but if I put the policy check after reject_unauth_destination, the
> policy never gets called.

I recommend to use smtpd_recipient_restrictions to block inbound spam.
Put all other checks (local policy, outgoing mail control, ...) in other
restrictions. the reason is that smtpd_recipient_restrictions also
controls relay, and you'd better not get it wrong (otherwise, you become
an open relay).

> [snip]
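To make the short-circuit behaviour concrete, here is an added example (my own toy model, not code from the original thread or from Postfix itself) that simulates how Postfix walks its smtpd_*_restrictions lists: each restriction answers PERMIT, REJECT or DUNNO, the first PERMIT or REJECT ends that stage's list, a list that runs off the end permits, and a PERMIT in one stage does not skip the stages evaluated after it. The mynetworks ranges, the local domain, and the policy-server stub (a callable instead of a unix socket) are constructed assumptions. It contrasts the original single-list setup, the stacked setup from the reply, and the two orderings of check_policy_service relative to reject_unauth_destination that the warning about open relays refers to.

```python
# Added example, not from the original post: a toy simulator of Postfix
# restriction evaluation. Assumes the default smtpd_delay_reject=yes, so the
# client, helo, sender and recipient lists are all evaluated at RCPT TO, in
# that order, and a list that reaches its end without a verdict permits.
from ipaddress import ip_address, ip_network

PERMIT, REJECT, DUNNO = "PERMIT", "REJECT", "DUNNO"

# Constructed site data (assumptions, not from the original post).
MYNETWORKS = [ip_network("127.0.0.0/8"), ip_network("192.168.1.0/24")]
LOCAL_DOMAINS = {"example.com"}


class Session:
    """One SMTP client session as seen at RCPT TO."""

    def __init__(self, client_ip, recipient, policy):
        self.client_ip = ip_address(client_ip)
        self.recipient = recipient
        self.policy = policy          # stub for check_policy_service: Session -> "OK"/"DUNNO"/"REJECT"
        self.policy_calls = 0         # how often the policy server was consulted


# Models of the individual Postfix restrictions used in the thread.
def permit_mynetworks(s):
    return PERMIT if any(s.client_ip in net for net in MYNETWORKS) else DUNNO


def reject(s):
    return REJECT


def reject_unauth_destination(s):
    domain = s.recipient.rsplit("@", 1)[-1]
    return DUNNO if domain in LOCAL_DOMAINS else REJECT


def check_policy_service(s):
    s.policy_calls += 1
    return {"OK": PERMIT, "REJECT": REJECT}.get(s.policy(s), DUNNO)


def run_stage(session, restrictions):
    """Walk one restriction list; the first PERMIT or REJECT ends it."""
    for restriction in restrictions:
        verdict = restriction(session)
        if verdict != DUNNO:
            return verdict
    return DUNNO                      # end of list: no verdict, stage permits


def evaluate(session, stages):
    """A REJECT in any stage rejects; a PERMIT only ends its own stage."""
    for restrictions in stages:
        if run_stage(session, restrictions) == REJECT:
            return REJECT
    return PERMIT


# The original single-list setup from the question (recipient stage only).
ORIGINAL = [
    [permit_mynetworks, check_policy_service, reject_unauth_destination],
]

# The stacked setup from the reply: client, sender, recipient stages.
STACKED = [
    [permit_mynetworks, reject],                       # smtpd_client_restrictions
    [check_policy_service],                            # smtpd_sender_restrictions
    [permit_mynetworks, reject_unauth_destination],    # smtpd_recipient_restrictions
]

# The two orderings behind the "open relay" warning, as a single recipient list.
POLICY_BEFORE_RUD = [[check_policy_service, reject_unauth_destination]]
POLICY_AFTER_RUD = [[reject_unauth_destination, check_policy_service]]


def scenario(stages, client_ip, recipient, policy_answer="DUNNO"):
    """Return (final verdict, number of policy-server calls) for one session."""
    s = Session(client_ip, recipient, lambda _s: policy_answer)
    return evaluate(s, stages), s.policy_calls


def is_open_relay(stages, policy_answer="OK"):
    """True if an outside client (constructed 203.0.113.5) may relay to a
    foreign domain under this configuration and policy behaviour."""
    verdict, _ = scenario(stages, "203.0.113.5", "someone@elsewhere.invalid", policy_answer)
    return verdict == PERMIT


if __name__ == "__main__":
    print("original, internal client:", scenario(ORIGINAL, "192.168.1.10", "user@example.com"))
    print("stacked, internal client:  ", scenario(STACKED, "192.168.1.10", "user@example.com"))
    print("stacked, external client:  ", scenario(STACKED, "203.0.113.5", "user@example.com"))
    for name, cfg in [("policy before", POLICY_BEFORE_RUD), ("policy after", POLICY_AFTER_RUD), ("stacked", STACKED)]:
        print(f"open relay with {name} and a policy that answers OK:", is_open_relay(cfg))
```

Running it shows the question's symptom (the original list never calls the policy server for an internal client), the reply's fix (the stacked setup rejects outsiders in the client stage and still consults the policy server for internal clients), and why the ordering warning matters: a policy server that answers OK placed before reject_unauth_destination turns the box into an open relay, while the stacked setup stays closed even if the policy server is permissive.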
