On Mon, Mar 09, 2015 at 01:49:18PM +0000, Mick wrote: > >I am not talking about concurrency, rather this still costs a Perl > >invocation per lookup and Perl start-up time is considerable. > > Ah, I see. Thanks for clarifying the difference. I run a PERL script using > spawn to block and group SMTP authenticated senders. Perhaps I should look > into making that script run as a daemon to save PERL start up time. Haven't > a clue how. I guess that's my free time for the next 3 months booked!
For policy services spawn is fine, because each smtpd(8) connects once and makes many requests. However, you need to NOT exit until the connection is closed by the client (i.e. smtpd(8)). Rather you need to loop reading requests and writing responses until there are no more requests. There are examples of such policy services. For "socketmap" each connection is typically also used for multiple requests. Again, don't just exit, loop handling requests until the client disconnects. > >That's why I am suggesting a TCP table driver, (or even better SQL). > > I find the postfix instruction manual a nightmare, The only per-parameter documentation is a reference manual, not a tutorial. Reference manuals document available features and syntax. > Out of interest to me, and perhaps P.V. who asked the question in the first > place, how would you even start? smtpd_sender_login_maps = exactly what? A list of tables that map envelope sender addresses to lists of SASL login names. There are many supported table types. These are referenced from DATABASE_README which has links to per-type documents. With SQL tables you can make union queries that neatly solve the problem at hand. Something along the lines of: SELECT sasl_login FROM sender_to_login WHERE sender_to_login.sender = '%u@%d' -- unlike %s, no partial keys UNION SELECT sasl_login FROM anysender_login > Can you create a text file containing ; > .... > a...@domain.tld, f...@domain.tld, g...@domain.tld > b...@domain.tld, f...@domain.tld, h...@domain.tld, j...@domain.tld Well, for simple indexed files via postmap, no comma in the key column. Just optional commas between the RHS elements. > Will that work? I may have got that completely wrong. The write-down > mentions two further lookups. user@ and @domain. It was at that point my > eyes shattered from being glazed over ;-) . Well, the lookup key can be the full address or part of the address as documented. > >However upgrading to Postfix 2.11 which supports check_sasl_access > >is surely easier. > > There's even less of a write-up on that so I can't comment. I would sooner > add a list of valid senders to the sasl_username list. Seems more logical > than the other way around. As far as Postfix 2.11 goes, I'm far too green to > wander outside the realms of the regular Debian Wheezy distro where postfix > is currently 2.9.6 despite 2.11 is available via backport. I think? I will > wait. My employer is running the 2.11 backport on wheezy just fine. This takes very little effort (I am not the one managing the MTA). As for lookups by SASL user smtpd_sender_restrictions = check_sasl_access <some-table>, reject_sender_login_mismatch, ... Just use "OK" for the RHS of <some-table> for logins not constrained to any particular sender address, then they are not contrained by the mismatch check that follows. If you've not yet read the Postfix book by Ralf and Patrick, do. -- Viktor.