----- Original Message -----
From: "Wietse Venema" <wie...@porcupine.org>
To: "Postfix users" <postfix-users@postfix.org>
Sent: Monday, 10 June, 2013 8:10:50 PM
Subject: Re: Postscreen and policies

Phil Daws:
> Postscreen (Postfix 2.10) is working very well indeed but I am
> having an issue with understanding where a policy check should be
> implemented.  main.cf looks like:
...
> Yet when I SASL authenticate the policy service does not appear
> to be triggered; as I am trying to limit number of emails sent by
> SASL username.

Are you connecting to port 25 or to port 587? Nowadays it is quite
common to use port 25 for MTA-to-MTA service and port 587 for mail
clients. Those may have their own smtpd_mumble_restrictions.

This is an example master.cf entry from Postfix 2.11.

submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_reject_unlisted_recipient=no
  -o smtpd_client_restrictions=$mua_client_restrictions
  -o smtpd_helo_restrictions=$mua_helo_restrictions
  -o smtpd_sender_restrictions=$mua_sender_restrictions
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING

In particular this overrides smtpd_recipient_restrictions from main.cf.

        Wietse


Good evening Wietse.

We are using port 25 at present, though will get users migrated to 587 ASAP,
but in the meantime would like to use postscreen and the check policy service.
Was my thinking correct that if a client passed postscreen it would then flow
through to a smtpd process? And at that point the smtpd_client_restrictions
from main.cf would be processed in hierarchy order?

smtpd_recipient_restrictions =
        permit_mynetworks,
        permit_sasl_authenticated,
        reject_non_fqdn_sender,
        reject_non_fqdn_recipient,
        check_policy_service inet:127.0.0.1:10031,
        reject_unlisted_recipient,
        permit

So if it gets past reject_non_fqdn_recipient then it would hit the policy
service, which it never appears to do :(

Thank you.
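
Added example, not part of the original messages and not Postfix code: a simplified Python model of first-match evaluation over the smtpd_recipient_restrictions list quoted above, showing that a SASL-authenticated session is permitted at permit_sasl_authenticated before check_policy_service is consulted. The session values, the per-user counter standing in for the policy daemon, and the reordered list are assumptions.

```python
import ipaddress
from collections import Counter
# Phil's list from the message above, in main.cf order.
ORIGINAL = ["permit_mynetworks", "permit_sasl_authenticated",
            "reject_non_fqdn_sender", "reject_non_fqdn_recipient",
            "check_policy_service inet:127.0.0.1:10031",
            "reject_unlisted_recipient", "permit"]
REORDERED = [ORIGINAL[4]] + ORIGINAL[:4] + ORIGINAL[5:]  # assumed variant
# Constructed session: remote client on port 25 that has SASL-authenticated.
SESSION = {"client": "203.0.113.7", "mynetworks": ["127.0.0.0/8"],
           "sasl_username": "alice", "sender": "alice@example.com",
           "recipient": "bob@example.net", "unlisted": False}

def make_rate_policy(limit):
    """Hypothetical stand-in for the policy daemon: count per sasl_username."""
    seen = Counter()
    def policy(s):
        user = s.get("sasl_username")
        seen[user] += 1 if user else 0
        return "REJECT" if seen[user] > limit else "DUNNO"
    return policy, seen

def evaluate(restrictions, s, policy):
    """Walk the list in order; the first PERMIT or REJECT ends evaluation."""
    consulted = []
    for name in (e.split()[0] for e in restrictions):
        consulted.append(name)
        if name == "permit_mynetworks":
            ip = ipaddress.ip_address(s["client"])
            hit = any(ip in ipaddress.ip_network(n) for n in s["mynetworks"])
            result = "PERMIT" if hit else "DUNNO"
        elif name == "permit_sasl_authenticated":
            result = "PERMIT" if s.get("sasl_username") else "DUNNO"
        elif name in ("reject_non_fqdn_sender", "reject_non_fqdn_recipient"):
            addr = s["sender" if name.endswith("sender") else "recipient"]
            result = "DUNNO" if "." in addr.rpartition("@")[2] else "REJECT"
        elif name == "check_policy_service":
            result = policy(s)
        elif name == "reject_unlisted_recipient":
            result = "REJECT" if s["unlisted"] else "DUNNO"
        else:  # bare "permit"
            result = "PERMIT"
        if result != "DUNNO":
            return result, consulted
    return "DUNNO", consulted

def demo(restrictions, messages=3, limit=2):
    policy, seen = make_rate_policy(limit)
    runs = [evaluate(restrictions, SESSION, policy) for _ in range(messages)]
    return [action for action, _ in runs], seen["alice"]
```

`demo(ORIGINAL)` leaves the counter at zero, while `demo(REORDERED)` rejects the third message. On a real server the policy service also has to be in the restriction list the listener actually uses, since a master.cf `-o` override replaces the main.cf value.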
