Re: A question about the instance attribute in policy delegation

2009-06-26 Thread Rob Tanner
On 6/25/09 10:16 PM, Victor Duchovni victor.ducho...@morganstanley.com
wrote:

 On Thu, Jun 25, 2009 at 10:36:09PM -0400, Sahil Tandon wrote:
 
 IIRC, the instance attribute identifies a mail transaction and is assigned
 before the queue-id.
 
 My bad reading of src/smtpd/smtpd_check.c, then.  But does that mean an
 instance can exist *before* the first recipient is accepted?  For context:
 http://www.irbs.net/internet/postfix/0412/0896.html
 
 Yes. An instance (transaction) id is assigned at MAIL FROM: time,
 provided the MAIL command is not rejected.

Problem is that none of that actually answers my original question about why
I'm receiving some requests with no instance attribute.  Here's the
pertinent bit from main.cf:

smtpd_helo_restrictions =
smtpd_client_restrictions =
smtpd_sender_restrictions =
smtpd_recipient_restrictions =
    check_policy_service inet:127.0.0.1:9250
    hash:/etc/postfix/protected_destinations,proxy:ldap:limittag
    permit_mynetworks
    permit_sasl_authenticated
    reject_unauth_destination
    reject_invalid_hostname
    reject_non_fqdn_recipient
    reject_unknown_sender_domain
    reject_unknown_recipient_domain
    check_client_access hash:/etc/postfix/client_checks

I never found it useful to separate smtpd restrictions (which may be wrong).
Since I am just listening and not yet actually implementing policies, I had
the check service first so that every message generates a request.  In
actual production, the policy checks will follow after the rejects.  So the
question remains, how do I interpret those requests that lack the instance
attribute?

Thanks.

Rob Tanner
UNIX Services Manager
Linfield College, McMinnville Oregon
503-883-2558






Re: A question about the instance attribute in policy delegation

2009-06-26 Thread Victor Duchovni
On Thu, Jun 25, 2009 at 11:40:32PM -0700, Rob Tanner wrote:

 On 6/25/09 10:16 PM, Victor Duchovni victor.ducho...@morganstanley.com
 wrote:
 
  On Thu, Jun 25, 2009 at 10:36:09PM -0400, Sahil Tandon wrote:
  
  IIRC, the instance attribute identifies a mail transaction and is assigned
  before the queue-id.
  
  My bad reading of src/smtpd/smtpd_check.c, then.  But does that mean an
  instance can exist *before* the first recipient is accepted?  For context:
  http://www.irbs.net/internet/postfix/0412/0896.html
  
  Yes. An instance (transaction) id is assigned at MAIL FROM: time,
  provided the MAIL command is not rejected.
 
 Problem is that none of that actually answers my original question about why
 I'm receiving some requests with no instance attribute.  Here's the
 pertinent bit from main.cf:
 
 smtpd_helo_restrictions =
 smtpd_client_restrictions =
 smtpd_sender_restrictions =
 smtpd_recipient_restrictions =
     check_policy_service inet:127.0.0.1:9250
     hash:/etc/postfix/protected_destinations,proxy:ldap:limittag
     permit_mynetworks
     permit_sasl_authenticated
     reject_unauth_destination
     reject_invalid_hostname
     reject_non_fqdn_recipient
     reject_unknown_sender_domain
     reject_unknown_recipient_domain
     check_client_access hash:/etc/postfix/client_checks

The instance attribute is always sent, and is non-empty when the check
is in the middle of an SMTP transaction (i.e. after MAIL and before a
subsequent ".", EHLO/HELO or RSET). In your case it looks like it should
always be non-empty.

Perhaps your parsing of the policy request is incomplete.

Did you read all the attributes up to a blank line?

Is your Postfix release so old that what is true for recent
versions was not true for yours?

Do you have policy callbacks for ETRN?

Do post a complete policy request (the full multi-line A/V list prior
to parsing) as recorded by your policy service?

-- 
Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the Reply-To header.

To unsubscribe from the postfix-users list, visit
http://www.postfix.org/lists.html or click the link below:
mailto:majord...@postfix.org?body=unsubscribe%20postfix-users

If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the Subject so I can delete these quickly.
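
Added example (not part of the original thread, and not Postfix code): a sketch of the "read all the attributes up to a blank line" check raised in the reply above. It shows how a listener that parses each socket read as a whole request can log a request with no instance attribute, while one that buffers until the blank line does not. All function and class names are hypothetical, and the sample request and its split into two reads are constructed.

```python
# Constructed policy request: name=value lines, terminated by an empty line.
SAMPLE = (
    b"request=smtpd_access_policy\n"
    b"protocol_state=RCPT\n"
    b"protocol_name=SMTP\n"
    b"sender=alice@example.org\n"
    b"recipient=bob@example.com\n"
    b"client_address=192.0.2.10\n"
    b"instance=123.456.7\n"
    b"\n"
)
# Constructed split: the same request arriving in two separate socket reads.
CUT = SAMPLE.index(b"client_address")
CHUNKS = [SAMPLE[:CUT], SAMPLE[CUT:]]

def parse_attrs(block):
    """Parse name=value lines into a dict; empty lines are skipped."""
    attrs = {}
    for line in block.split(b"\n"):
        if not line:
            continue
        name, sep, value = line.partition(b"=")
        if not sep:
            raise ValueError("not a name=value line: %r" % line)
        attrs[name.decode("ascii")] = value.decode("utf-8", "replace")
    return attrs

class RequestBuffer:
    """Accumulate reads; release a request only once its blank line arrives."""
    def __init__(self):
        self._buf = b""
    def feed(self, data):
        self._buf += data
        done = []
        while b"\n\n" in self._buf:
            block, self._buf = self._buf.split(b"\n\n", 1)
            done.append(parse_attrs(block))
        return done

def instance_status(attrs):
    """'missing' = key absent (suspect the parser); 'empty' = key sent, no value."""
    if "instance" not in attrs:
        return "missing"
    return "set" if attrs["instance"] else "empty"

def naive_statuses(chunks):
    # Faulty approach: treat every read as one complete request.
    return [instance_status(parse_attrs(c)) for c in chunks]

def buffered_statuses(chunks):
    buf = RequestBuffer()
    return [instance_status(r) for c in chunks for r in buf.feed(c)]
```

Logging the "missing" and "empty" cases separately distinguishes a parsing problem in the listener from a request that was sent with an empty instance value.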


Re: A question about the instance attribute in policy delegation

2009-06-25 Thread Sahil Tandon
On Thu, 25 Jun 2009, Rob Tanner wrote:

 I've got a policy listener in place.  It merely logs the request and returns
 an "OK" and doesn't otherwise make any decisions.  What I'm noticing is many
 of the client requests do not even contain the instance attribute.  My
 assumption from reading the documentation was that even a single recipient
 message would contain an instance attribute with a unique value.  Is that
 incorrect?  How do I interpret a request with no instance attribute?

In which phase of the SMTP transaction do you plug in your policy service?
From what I understand, the instance attribute does not exist until Postfix
chooses/assigns a queue ID, which happens *after* the first RCPT TO command
is accepted.  If your policy service plugs in before that, there is no
instance; therefore, the attribute is empty.

-- 
Sahil Tandon sa...@tandon.net


Re: A question about the instance attribute in policy delegation

2009-06-25 Thread Victor Duchovni
On Thu, Jun 25, 2009 at 09:46:51PM -0400, Sahil Tandon wrote:

 On Thu, 25 Jun 2009, Rob Tanner wrote:
 
  I've got a policy listener in place.  It merely logs the request and returns
  an "OK" and doesn't otherwise make any decisions.  What I'm noticing is many
  of the client requests do not even contain the instance attribute.  My
  assumption from reading the documentation was that even a single recipient
  message would contain an instance attribute with a unique value.  Is that
  incorrect?  How do I interpret a request with no instance attribute?
 
 In which phase of the SMTP transaction do you plug in your policy service?
 From what I understand, the instance attribute does not exist until Postfix
 chooses/assigns a queue ID, which happens *after* the first RCPT TO command
 is accepted.  If your policy service plugs in before that, there is no
 instance; therefore, the attribute is empty.

IIRC, the instance attribute identifies a mail transaction and is assigned
before the queue-id.

-- 
Viktor.


Re: A question about the instance attribute in policy delegation

2009-06-25 Thread Sahil Tandon
On Thu, 25 Jun 2009, Victor Duchovni wrote:

 On Thu, Jun 25, 2009 at 09:46:51PM -0400, Sahil Tandon wrote:
 
  On Thu, 25 Jun 2009, Rob Tanner wrote:
  
   I've got a policy listener in place.  It merely logs the request and returns
   an "OK" and doesn't otherwise make any decisions.  What I'm noticing is many
   of the client requests do not even contain the instance attribute.  My
   assumption from reading the documentation was that even a single recipient
   message would contain an instance attribute with a unique value.  Is that
   incorrect?  How do I interpret a request with no instance attribute?
  
  In which phase of the SMTP transaction do you plug in your policy service?
  From what I understand, the instance attribute does not exist until Postfix
  chooses/assigns a queue ID, which happens *after* the first RCPT TO command
  is accepted.  If your policy service plugs in before that, there is no
  instance; therefore, the attribute is empty.
 
 IIRC, the instance attribute identifies a mail transaction and is assigned
 before the queue-id.

My bad reading of src/smtpd/smtpd_check.c, then.  But does that mean an
instance can exist *before* the first recipient is accepted?  For context:
http://www.irbs.net/internet/postfix/0412/0896.html

-- 
Sahil Tandon sa...@tandon.net


Re: A question about the instance attribute in policy delegation

2009-06-25 Thread Victor Duchovni
On Thu, Jun 25, 2009 at 10:36:09PM -0400, Sahil Tandon wrote:

  IIRC, the instance attribute identifies a mail transaction and is assigned
  before the queue-id.
 
 My bad reading of src/smtpd/smtpd_check.c, then.  But does that mean an
 instance can exist *before* the first recipient is accepted?  For context:
 http://www.irbs.net/internet/postfix/0412/0896.html

Yes. An instance (transaction) id is assigned at MAIL FROM: time,
provided the MAIL command is not rejected.

-- 
Viktor.
