On Mon, Mar 09, 2015 at 01:49:18PM +0000, Mick wrote:
> >I am not talking about concurrency, rather this still costs a Perl
> >invocation per lookup and Perl start-up time is considerable.
>
> Ah, I see. Thanks for clarifying the difference. I run a PERL script using
> spawn to block and group SMTP authenticated senders. Perhaps I should look
> into making that script run as a daemon to save PERL start up time. Haven't
> a clue how. I guess that's my free time for the next 3 months booked!
For policy services spawn is fine, because each smtpd(8) connects
once and makes many requests. However, you need to NOT exit until
the connection is closed by the client (i.e. smtpd(8)). Rather
you need to loop reading requests and writing responses until there
are no more requests.
There are examples of such policy services.
For "socketmap" each connection is typically also used for multiple
requests. Again, don't just exit, loop handling requests until
the client disconnects.
> >That's why I am suggesting a TCP table driver, (or even better SQL).
>
> I find the postfix instruction manual a nightmare,
The only per-parameter documentation is a reference manual, not a
tutorial. Reference manuals document available features and syntax.
> Out of interest to me, and perhaps P.V. who asked the question in the first
> place, how would you even start? smtpd_sender_login_maps = exactly what?
A list of tables that map envelope sender addresses to lists of
SASL login names. There are many supported table types. These
are referenced from DATABASE_README which has links to per-type
documents.
With SQL tables you can make union queries that neatly solve the
problem at hand. Something along the lines of:
SELECT sasl_login
FROM sender_to_login
WHERE sender_to_login.sender = '%u@%d' -- unlike %s, no partial keys
UNION
SELECT sasl_login
FROM anysender_login
> Can you create a text file containing ;
> ....
> a...@domain.tld, f...@domain.tld, g...@domain.tld
> b...@domain.tld, f...@domain.tld, h...@domain.tld, j...@domain.tld
Well, for simple indexed files via postmap, no comma in the key
column. Just optional commas between the RHS elements.
> Will that work? I may have got that completely wrong. The write-down
> mentions two further lookups. user@ and @domain. It was at that point my
> eyes shattered from being glazed over ;-) .
Well, the lookup key can be the full address or part of the address
as documented.
> >However upgrading to Postfix 2.11 which supports check_sasl_access
> >is surely easier.
>
> There's even less of a write-up on that so I can't comment. I would sooner
> add a list of valid senders to the sasl_username list. Seems more logical
> than the other way around. As far as Postfix 2.11 goes, I'm far too green to
> wander outside the realms of the regular Debian Wheezy distro where postfix
> is currently 2.9.6 despite 2.11 is available via backport. I think? I will
> wait.
My employer is running the 2.11 backport on wheezy just fine. This
takes very little effort (I am not the one managing the MTA).
As for lookups by SASL user
smtpd_sender_restrictions =
check_sasl_access <some-table>,
reject_sender_login_mismatch,
...
Just use "OK" for the RHS of <some-table> for logins not constrained
to any particular sender address, then they are not contrained by
the mismatch check that follows.
If you've not yet read the Postfix book by Ralf and Patrick, do.
--
Viktor.
