On 8/19/2010 11:26 AM, Noel Jones wrote:
On 8/19/2010 10:10 AM, Robert Fitzpatrick wrote:
On 8/19/2010 11:03 AM, Noel Jones wrote:
http://www.postfix.org/ADDRESS_VERIFICATION_README.html#probe_routing
http://www.postfix.org/postconf.5.html#address_verify_transport_maps

Yes, I read both of these, I guess I just can't figure out how
to utilize these configuration options for a solution. Not
sure where address_verify_transport_maps comes into play if
I'm not using transport_maps :-/
Thanks, Robert

From your vague description, I assumed you were using
reject_unverified_recipient and wanted to control where the verification
probes were sent, because the relayhost you're using now just answers OK
to everyone.

If that's not a correct assumption, you'll probably need to provide a
much clearer explanation to get any useful answers.

It might help to include "postconf -n" and log entries demonstrating the
issue.

Thanks, no I am not using reject_unverified_recipient, I was using...

check_recipient_access ldap:/usr/local/etc/postfix/ldap/verification.cf

I now have it set up as shown below, but like you said, the relayhost is
answering OK to everything, I assume because the 1st gateway is part of
the cidr file...

check_client_access cidr:/usr/local/etc/postfix/relay_clients

I was hoping to do AV at the 1st gateway only and have it use transports to
determine where to send the probe, but if I use transport_maps (like the
2nd gateway), then I must do content filtering and the cheap router
can't handle the calls to the other network db like the old one did fine.

1st gateway:
mx2# postconf -n
address_verify_map = btree:/var/mta/verify
address_verify_negative_cache = no
address_verify_poll_count = 1
bounce_queue_lifetime = 1d
canonical_maps = ldap:/usr/local/etc/postfix/ldap/canonical.cf
command_directory = /usr/local/sbin
config_directory = /usr/local/etc/postfix
daemon_directory = /usr/local/libexec/postfix
delay_warning_time = 4h
disable_vrfy_command = yes
html_directory = no
mail_name = WebTent ESMTP Postfix Internet Mail Exchange
mailbox_size_limit = 102400000
mailq_path = /usr/local/bin/mailq
manpage_directory = /usr/local/man
maximal_backoff_time = 1000s
message_size_limit = 51200000
mynetworks = 127.0.0.0/8, 10.0.0.0/8
newaliases_path = /usr/local/bin/newaliases
readme_directory = no
relay_domains = ldap:/usr/local/etc/postfix/ldap/transport.cf
relayhost = mx1.webtent.net
sample_directory = /usr/local/etc/postfix
sendmail_path = /usr/local/sbin/sendmail
setgid_group = maildrop
smtpd_banner = $myhostname ESMTP $mail_name USE OF THIS SERVER INDICATES
THAT YOU HAVE READ AND AGREED TO OUR AUP. UCE IS NOT ALLOWED.
smtpd_data_restrictions = reject_unauth_pipelining, permit
smtpd_helo_restrictions = permit_mynetworks
smtpd_recipient_restrictions = permit_sasl_authenticated,
permit_mynetworks, check_client_access
cidr:/usr/local/etc/postfix/relay_clients, check_client_access
ldap:/usr/local/etc/postfix/ldap/relay_clients.cf, check_client_access
hash:/usr/local/etc/postfix/client_checks, reject_unauth_destination,
reject_non_fqdn_sender, reject_non_fqdn_recipient, check_helo_access
hash:/usr/local/etc/postfix/helo_checks, check_recipient_access
pcre:/usr/local/etc/postfix/recipient_checks.pcre, reject_rbl_client
zen.spamhaus.org, permit
smtpd_sender_restrictions = permit_mynetworks
reject_unknown_sender_domain hash:/usr/local/etc/postfix/sender_access
unknown_local_recipient_reject_code = 550
unverified_recipient_reject_code = 550
unverified_sender_reject_code = 550

2nd gateway, relayhost of 1st:
mx1# postconf -n
address_verify_map = btree:/var/mta/verify
address_verify_negative_cache = no
address_verify_poll_count = 1
alias_maps = hash:/usr/local/etc/postfix/aliases
bounce_queue_lifetime = 1d
broken_sasl_auth_clients = yes
canonical_maps = ldap:/usr/local/etc/postfix/ldap/canonical.cf
command_directory = /usr/local/sbin
config_directory = /usr/local/etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/local/libexec/postfix
delay_warning_time = 4h
disable_vrfy_command = yes
html_directory = no
mail_name = WebTent ESMTP Postfix Internet Mail Exchange
mail_owner = postfix
mailbox_size_limit = 102400000
mailq_path = /usr/local/bin/mailq
manpage_directory = /usr/local/man
maximal_backoff_time = 1000s
message_size_limit = 51200000
mynetworks = 127.0.0.0/8, 10.0.0.0/8
newaliases_path = /usr/local/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = no
relay_domains = ldap:/usr/local/etc/postfix/ldap/transport.cf
sample_directory = /usr/local/etc/postfix
sendmail_path = /usr/local/sbin/sendmail
setgid_group = maildrop
smtpd_banner = $myhostname ESMTP ${stress?(condition RED)}
smtpd_data_restrictions = reject_unauth_pipelining, permit
smtpd_error_sleep_time = ${stress?0}${stress:5}
smtpd_hard_error_limit = ${stress?1}${stress:20}
smtpd_helo_restrictions = permit_mynetworks
smtpd_recipient_restrictions = check_client_access
cidr:/usr/local/etc/postfix/relay_clients, check_recipient_access
ldap:/usr/local/etc/postfix/ldap/verification.cf,
permit_sasl_authenticated, permit_mynetworks, check_client_access
ldap:/usr/local/etc/postfix/ldap/relay_clients.cf, check_client_access
hash:/usr/local/etc/postfix/client_checks, reject_unauth_destination,
reject_non_fqdn_sender, reject_non_fqdn_recipient, check_policy_service
unix:private/policy, check_helo_access
hash:/usr/local/etc/postfix/helo_checks, check_recipient_access
pcre:/usr/local/etc/postfix/recipient_checks.pcre, reject_rbl_client
zen.spamhaus.org, permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_path = smtpd
smtpd_sasl_security_options = noanonymous
smtpd_sender_restrictions = permit_mynetworks check_client_access
cidr:/usr/local/etc/postfix/relay_clients, check_client_access
ldap:/usr/local/etc/postfix/ldap/relay_clients.cf check_sender_access
hash:/usr/local/etc/postfix/sender_access reject_unknown_sender_domain
smtpd_timeout = ${stress?5}${stress:300}
transport_maps = ldap:/usr/local/etc/postfix/ldap/transport.cf
unknown_local_recipient_reject_code = 550
unverified_recipient_reject_code = 550
unverified_sender_reject_code = 550

Thanks again, Robert
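
The probe routing that the two linked Postfix documents describe, applied to the 1st gateway's settings shown above, as an added sketch that is not from either poster. It assumes the LDAP table transport.cf returns transport(5)-style results for the relayed domains, as its use for transport_maps on mx1 suggests.

```conf
# Added sketch for mx2 (1st gateway), /usr/local/etc/postfix/main.cf.
# Assumption: ldap:.../transport.cf returns transport(5)-style results
# for the relayed domains (it is the transport_maps table on mx1).

# Before (Postfix defaults): probes inherit the mail routing, so each one goes
# to mx1.webtent.net, which per the message above answers OK to everything.
#address_verify_relayhost = $relayhost
#address_verify_transport_maps = $transport_maps

# After: probes get their own routing. Ordinary mail still follows relayhost
# and mx2 still has no transport_maps, so real deliveries are unchanged.
address_verify_relayhost =
address_verify_transport_maps = ldap:/usr/local/etc/postfix/ldap/transport.cf

# Probe results are cached here (already set on mx2).
address_verify_map = btree:/var/mta/verify

# Restrictions are evaluated in order and the first OK or REJECT ends the
# list, so reject_unverified_recipient has to come before any check that can
# return OK for outside clients, and after reject_unauth_destination so that
# only relayed domains are probed. The other checks from the existing list
# (client, helo and recipient access tables) would follow it.
smtpd_recipient_restrictions =
    permit_sasl_authenticated,
    permit_mynetworks,
    reject_unauth_destination,
    reject_unverified_recipient,
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    reject_rbl_client zen.spamhaus.org,
    permit
```

Running `postmap -q` with a recipient domain against the LDAP table shows which next hop a probe for that domain would use.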