Sorry,

>>> How do I have to modify it so that I could block an email address either
>>> if it is the sender or one of the recipients, AND either if the message is
>>> incoming or outgoing?
>>>
>>> Maybe so (assuming that the action will never be "OK")...
>>>
>>> smtpd_client_restrictions =
>>>     check_client_access proxy:mysql:/etc/postfix/mysql-check-client-filter-access.cf
>>>
>>> smtpd_helo_restrictions =
>>> smtpd_sender_restrictions =
>>>     check_sender_access proxy:mysql:/etc/postfix/mysql-check-sender-access.cf
>>>     check_recipient_access proxy:mysql:/etc/postfix/mysql-check-sender-access.cf
>>>
>>> smtpd_recipient_restrictions =
>>>     check_recipient_access proxy:mysql:/etc/postfix/mysql-check-recipient-access.cf
>>
>> this one is already in smtpd_sender_restrictions, so just remove it
>>
>
> I can't remove it because this lookup returns "reject_unverified_address"
> for the domains that I maintain but for which I have no list of valid
> recipients:
>
> query = select restriction from domain where domain='%s'
>
> Maybe I could put both lookups in smtpd_sender_restrictions?
>
>     check_recipient_access
>         proxy:mysql:/etc/postfix/mysql-check-sender-access.cf,
>         proxy:mysql:/etc/postfix/mysql-check-sender-access.cf

I'm saying:

     check_recipient_access
         proxy:mysql:/etc/postfix/mysql-check-sender-access.cf,
         proxy:mysql:/etc/postfix/mysql-check-recipient-access.cf

>
> is it ok?
>
>>>     check_client_access proxy:mysql:/etc/postfix/mysql-check-client-access.cf
>>
>> what's this for? it's already in smtpd_client_restrictions, so you may
>> or may not need it here.
>
> It integrates mynetworks (i.e. it returns "OK" if an IP is enabled to relay
> through my SMTP gateway). I need it.
>
>>
>>>     permit_mynetworks
>>>     permit_sasl_authenticated
>>>     check_policy_service inet:127.0.0.1:54000
>>
>> what's this for? you probably want to put this after
>> reject_unauth_destination.
>
> postgrey
>
>>
>> remember: reject_unauth_destination is what prevents open relay. so
>> avoid putting a lot of stuff before it, because you increase the risks.
>>
>> and reject_unauth_destination is a very safe and very cheap check, so it's
>> good to have it as soon as possible.
>>
>>>     reject_unauth_destination
>>> .
>>> .
>>> .
>>>
>>> Or do you have another configuration to propose that is safer?
>>>
>>
>> see above.
>>
>> as a general "rule of thumb", put anti-spam checks (I'm talking about
>> inbound spam. outbound spam is a different subject) after
>> reject_unauth_destination, and put "general restrictions" (that also
>> apply to your users) in one of smtpd_(client|helo|sender)_restrictions.
>
> thanks,
>
> rocsca
>
>

