Steve a écrit :
> On Sun, 2009-06-28 at 20:44 +0100, Steve wrote:
>> On Sun, 2009-06-28 at 14:38 -0500, Noel Jones wrote:
>>> Steve wrote:
>>>> Hi,
>>>>
>>>> I've been looking at some archive posts regarding white listing by
>>>> intended recipient domain.
>>>>
>>>> Say for example I wish to white list any incoming mail for:
>>>> b...@example.com - is this actually possible?
>>> Yes, this is one reason some people like to put all their
>>> restrictions under smtpd_recipient_restrictions.
>>>
>>>> Thinking about the stages of the SMTP conversation this is not going to
>>>> be available until the RCPT TO is given, so any white list (if it is
>>>> possible) would need to go in smtpd_recipient_restrictions. That is what
>>>> common sense would tell me.
>>> With the default smtpd_delay_reject=yes, recipient information
>>> is available during smtpd_{client, helo, sender}_restrictions.
>>>
>>> But then you have to specify your whitelist multiple times.
>>> It's usually easier to just put all your restrictions in
>>> smtpd_recipient_restrictions.
>>>
>>>> I can already see that any earlier client, helo or sender restrictions
>>>> probably can't be white listed by recipient domain - but should it work
>>>> at the smtpd_recipient_restriction level?
>>>>
>>>> Perhaps what I am actually asking is;
>>>>
>>>> Should this work?
>>>> Could it be extended to effect a whole domain (not just b...@example.com,
>>>> but *...@example.com)
>>> Yes, you can whitelist a whole domain. See the access(5) man
>>> page for details. Your lookup table would contain
>>> example.com OK
>>>
>>>> In lieu of smtpd_delay_reject = yes could this be applied to earlier
>>>> restrictions?
>>> The default setting of smtpd_delay_reject=yes is required if
>>> you want to whitelist recipeints during
>>> smtpd_{client,helo,sender}_restrictions.
>>>
>>> But it's easier to just put all your restrictions under
>>> smtpd_recipient_restrictions.
>>>
>>> Oh, be sure to put any whitelists after
>>> reject_unauth_destination, such as:
>>> smtpd_recipient_restrictions =
>>> permit_mynetworks
>>> permit_sasl_authenticated
>>> reject_unauth_destination
>>> ... whitelist goes here ...
>>> ... UCE checks here ...
>>>
>>>
>>>
>>> -- Noel Jones
>> Thanks you kindly Noel. Much appreciated.
> The one observation I've made is there is no way of spotting in the logs
> that the mail was subjected to a whitelist. For example;
>
> map:
> example.com OK putting text here does not log it
>
> I'm guessing I can do this
> example.com WARN whitelisted
> example.com OK
no, this doens't work if it's in the same map. if a match is found...
>
> But is there a way to get OK to write to the log without the extra
> 'warn' line?
>
use two checks. one that warns and one that does what you want.
if you want more control with fewer checks, use a policy service.
