John Peacock wrote:
> Elliot F wrote:
>
> > Currently, the check_relay checks for both relaying clients and rcpt hosts. I split the existing check_relay plugin into "set_relay", and "check_rcpthosts". The "set_relay" is the very first plugin to fire, setting relay_client (or not) if $ENV{RELAYCLIENT} exists (as I'm using tcpserver).
>
> Except then you are missing the AUTH users by doing it that way. For most people's purposes, AUTH users are completely equivalent to local network users. The problem is that you know whether they are a RELAYCLIENT during the connect phase, but you don't know the AUTH until the transaction actually starts (after HELO/EHLO but before MAIL FROM:).

Right, but the auth_client plugin should set (or will set, if I ever use it)
relay_client when it is run.  Any plugins that run after the auth plugin will
decline if relay_client is set (spam checking, rcpt_ok, etc.)

> Actually, you must not be running recent code, because currently check_relay only tests $ENV{RELAYCLIENT}, relayclients, and morerelayclients (the latter two being qmail config files). The rcpt_ok plugin does the rcpthosts test, and is intended to run last of all of the rcpt plugins.

Yes, I am running older code.  Sounds like the changes I made also made it into
the proper distribution.  Good to hear, as it's fewer changes I will need to
make if/when I upgrade.

> > I also did it because I differentiate between a local address and a rcpt address.
>
> I don't understand why you want to do this. As I said above, anyone who is a RELAYCLIENT or AUTH'd can send e-mail anywhere, local or foreign. You can still do your LDAP test, but it is just one of several rcpt checks.

I must have not communicated very well.  It was a separate issue from
relay_client.  The reason why I mentioned it is because (as you say) I am
running older code where the check_rcpt plugin checks for both relay_client
(actually, it's $transaction->relaying to give you an idea of how old it is) and
also checks for rcpthosts.  These are now separated in the more modern version,
which I have grabbed.

My point was that I differentiate between a local address (domains in qmail's
'locals' file) and any rcpthosts address (domains in 'rcpthosts' file.)  The two
are not necessarily the same.  If I did not differentiate between local and
rcpthost, then I could not authoritatively deny recipients, because I do not
know what users are valid on domains I am only secondary for.  Does that make
more sense?

Since the functionality of rcpt_ok is separated out of check_relay already, all
I have to do is run a local_ok plugin (looping through 'locals' instead of
'rcpthosts') before the rcpt_ok plugin.  I can authoritatively deny in a
local_ok plugin before it gets to the rcpt_ok plugin.  Thanks for the response,
it's nice to know some of the changes I was suggesting (splitting check_rcpt
apart) are already in there.  :)

I was also asking if it would make sense to have a switch similar to
$connection->relay_client for locals and rcpthosts.  I would imagine it would
depend on how many plugins go through locals and rcpthosts.  It doesn't seem
that many do, so it's probably not worth it.
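
The recipient-check order described in this message, as an added example that is not part of the original post and is not qpsmtpd code: a small Python model in which a `local_ok` step denies unknown users only for domains in `locals`, and `rcpt_ok` then accepts anything in `rcpthosts`. The domain names, the user set and the `check_rcpt` driver are constructed for illustration, and letting a relay client skip the recipient checks is a modelling assumption.

```python
# Added model of the rcpt-hook order discussed above; this is not qpsmtpd code.
DECLINED, OK, DENY = "DECLINED", "OK", "DENY"

# Constructed sample data standing in for qmail's control files and a directory.
LOCALS = {"example.org"}                            # control/locals
RCPTHOSTS = {"example.org", "backup.example.net"}   # control/rcpthosts
VALID_LOCAL_USERS = {("alice", "example.org")}      # e.g. the result of an LDAP test


def split_rcpt(rcpt):
    """Return (user, host) lowercased; an address without '@' has an empty user."""
    user, _, host = rcpt.rpartition("@")
    return user.lower(), host.lower()


def local_ok(rcpt):
    """Authoritative check: only domains in 'locals' can be denied per user."""
    user, host = split_rcpt(rcpt)
    if host not in LOCALS:
        return DECLINED            # not ours to judge, e.g. a secondary-MX domain
    if (user, host) not in VALID_LOCAL_USERS:
        return DENY                # we own the domain and the user does not exist
    return DECLINED                # valid local user; let rcpt_ok accept it


def rcpt_ok(rcpt):
    """Last rcpt check: accept domains in 'rcpthosts', refuse to relay the rest."""
    _, host = split_rcpt(rcpt)
    return OK if host in RCPTHOSTS else DENY


def check_rcpt(relay_client, rcpt, hooks=(local_ok, rcpt_ok)):
    """Run hooks in order and return (result, name of the deciding step)."""
    if relay_client:               # assumption: RELAYCLIENT or AUTH skips rcpt checks
        return OK, "relay_client"
    for hook in hooks:
        result = hook(rcpt)
        if result != DECLINED:
            return result, hook.__name__
    return DENY, "default"


if __name__ == "__main__":
    for relay, rcpt in [(False, "alice@example.org"), (False, "nobody@example.org"),
                        (False, "anyone@backup.example.net"),
                        (False, "bob@elsewhere.test"), (True, "bob@elsewhere.test")]:
        print(relay, rcpt, check_rcpt(relay, rcpt))
```

Running the hooks in the opposite order would accept `nobody@example.org` at `rcpt_ok` before `local_ok` ever saw it, which is why the authoritative check has to come first.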
