Hi, I have a problem with restriction classes that I can't solve. I have a bunch of restriction classes. In order to simplify this mail I am only using two. One for SPF checking and the other for Greylisting. Now I would like to have for each of the restriction classes a bunch of conditions to whitelist by client IP, sender name or recipient name and that twice. Once on a map per policy service and one global.
Basically something like that here (simplified example):

-------
/etc/postfix/main.cf:
smtpd_restriction_classes =
  spf_policy
  greylist_policy

spf_policy =
  check_client_access pcre:${config_directory}/lookups/pcre/spf_client_whitelist.cf
  check_sender_access pcre:${config_directory}/lookups/pcre/spf_sender_whitelist.cf
  check_recipient_access pcre:${config_directory}/lookups/pcre/spf_recipient_whitelist.cf
  check_client_access pcre:${config_directory}/lookups/pcre/global_client_whitelist.cf
  check_sender_access pcre:${config_directory}/lookups/pcre/global_sender_whitelist.cf
  check_recipient_access pcre:${config_directory}/lookups/pcre/global_recipient_whitelist.cf
  check_policy_service unix:private/spf-smtpd-policy

greylist_policy =
  check_client_access pcre:${config_directory}/lookups/pcre/greylist_client_whitelist.cf
  check_sender_access pcre:${config_directory}/lookups/pcre/greylist_sender_whitelist.cf
  check_recipient_access pcre:${config_directory}/lookups/pcre/greylist_recipient_whitelist.cf
  check_client_access pcre:${config_directory}/lookups/pcre/global_client_whitelist.cf
  check_sender_access pcre:${config_directory}/lookups/pcre/global_sender_whitelist.cf
  check_recipient_access pcre:${config_directory}/lookups/pcre/global_recipient_whitelist.cf
  check_policy_service inet:127.0.0.1:2501

smtpd_recipient_restrictions =
  permit_mynetworks
  reject_unauth_destination
  spf_policy
  greylist_policy
  permit
-------

Now my problem is that if I would add a sender/recipient/client IP to one of the maps for SPF and return OK as action then the Greylisting policy would as well be overstepped. I don't know what I can add as action to not overstep the Greylisting policy? I have not tried DUNNO but as far as I understand the DUNNO would just continue to evaluate the other maps and at the end it would hit the check_policy_service anyway. Right?

I was thinking in maybe adding another restriction class and branch/jump there instead of giving an OK.
For example, instead of:

-------
/^123\.123\.123\.123$/ OK
-------

use this here:

-------
/^123\.123\.123\.123$/ dunno_policy
-------

and then in main.cf adding dunno_policy to smtpd_restriction_classes and adding something like that for the dunno_policy:

-------
dunno_policy =
  check_client_access pcre:${config_directory}/lookups/pcre/dunno_policy_client.cf
-------

and in dunno_policy_client.cf:

-------
/./ DUNNO
-------

But I am unsure what happens if I branch/jump from one restriction class to another and the other restriction class has just a DUNNO. Will then the processing return back to the first restriction class and continue or is the whole branching/jumping more or less like a flow of processing without returning back to where it was originally called?

Does anyone know the answer? Is that somewhere described in Postfix? Where? Or does anyone know a better way in handling such a situation/problem?

// Steve
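A simplified Python model of how a restriction list like the one in this message is walked, added here as an example; it is not part of the original message and not Postfix's own code. It assumes that the first result other than DUNNO ends the whole evaluation, that an access-map result naming a restriction class is evaluated in place, and that both policy services answer DUNNO; only the client maps are modelled, and `run`, `evaluate`, `lookup` and `make_config` are names made up for the example.

```python
import re

def make_config(spf_whitelist_action):
    """Constructed miniature of the main.cf above (client maps only)."""
    classes = {
        "spf_policy": [("access", "spf_client_whitelist"), ("policy", "spf")],
        "greylist_policy": [("access", "greylist_client_whitelist"),
                            ("policy", "greylist")],
        "dunno_policy": [("access", "dunno_policy_client")],
    }
    maps = {
        "spf_client_whitelist": [(r"^123\.123\.123\.123$", spf_whitelist_action)],
        "greylist_client_whitelist": [],
        "dunno_policy_client": [(r".", "DUNNO")],
    }
    return classes, maps

def lookup(table, client, classes, maps, trace):
    """First matching pattern wins; a class name as action is evaluated in place."""
    for pattern, action in table:
        if re.search(pattern, client):
            if action in classes:
                return evaluate(classes[action], client, classes, maps, trace)
            return action
    return "DUNNO"  # no match: this map has no opinion

def evaluate(restrictions, client, classes, maps, trace):
    """Walk a restriction list and return 'OK', 'REJECT' or 'DUNNO'."""
    for kind, name in restrictions:
        if kind == "class":
            result = evaluate(classes[name], client, classes, maps, trace)
        elif kind == "access":
            result = lookup(maps[name], client, classes, maps, trace)
        elif kind == "policy":
            trace.append(name)   # record that the policy service was consulted
            result = "DUNNO"     # assumption: the service raises no objection
        else:                    # "permit"
            result = "OK"
        if result != "DUNNO":    # a decisive result ends the whole walk
            return result
    return "DUNNO"

def run(spf_whitelist_action, client="123.123.123.123"):
    """Return (verdict, policy services consulted) for one client."""
    classes, maps = make_config(spf_whitelist_action)
    top = [("class", "spf_policy"), ("class", "greylist_policy"), ("permit", "")]
    trace = []
    return evaluate(top, client, classes, maps, trace), trace
```

In this model `run("OK")` consults neither policy service, while `run("DUNNO")` and `run("dunno_policy")` both consult SPF and then greylisting.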