Sorry,

>>> How do I have to modify it so that I could block an email address either
>>> if it is the sender or one of the recipients, AND either if the message is
>>> incoming or outgoing?
>>>
>>> Maybe so (assuming that the action will never be "OK")...
>>>
>>> smtpd_client_restrictions =
>>>     check_client_access proxy:mysql:/etc/postfix/mysql-check-client-filter-access.cf
>>>
>>> smtpd_helo_restrictions =
>>> smtpd_sender_restrictions =
>>>     check_sender_access proxy:mysql:/etc/postfix/mysql-check-sender-access.cf
>>>     check_recipient_access proxy:mysql:/etc/postfix/mysql-check-sender-access.cf
>>>
>>> smtpd_recipient_restrictions =
>>>     check_recipient_access proxy:mysql:/etc/postfix/mysql-check-recipient-access.cf
>>
>> this one is already in smtpd_sender_restrictions, so just remove it
>>
>
> I can't remove it because this lookup returns "reject_unverified_address"
> for the domains that I maintain but for which I have no list of valid
> recipients:
>
> query = select restriction from domain where domain='%s'
>
> maybe could I put both lookups in smtpd_sender_restrictions?
>
> check_recipient_access
>     proxy:mysql:/etc/postfix/mysql-check-sender-access.cf,
>     proxy:mysql:/etc/postfix/mysql-check-sender-access.cf

I'm saying:

check_recipient_access
    proxy:mysql:/etc/postfix/mysql-check-sender-access.cf,
    proxy:mysql:/etc/postfix/mysql-check-recipient-access.cf

>
> is it ok?
>
>>>     check_client_access proxy:mysql:/etc/postfix/mysql-check-client-access.cf
>>
>> what's this for? it's already in smtpd_client_restrictions, so you may
>> or may not need it here.
>
> It integrates mynetworks (i.e.: returns "OK" if an IP is enabled to relay
> through my SMTP gateway). I need it.
>
>>
>>>     permit_mynetworks
>>>     permit_sasl_authenticated
>>>     check_policy_service inet:127.0.0.1:54000
>>
>> what's this for? you probably want to put this after
>> reject_unauth_destination.
>
> postgrey
>
>>
>> remember: reject_unauth_destination is what prevents open relay. so
>> avoid putting a lot of stuff before it, because you increase the risks.
>>
>> and reject_unauth_destination is a very safe and very cheap check, so it's
>> good to have it as soon as possible.
>>
>>>     reject_unauth_destination
>>>     .
>>>     .
>>>     .
>>>
>>> Or you have another configuration to propose that is safer?
>>>
>>
>> see above.
>>
>> as a general "rule of thumb", put anti-spam checks (I'm talking about
>> inbound spam. outbound spam is a different subject) after
>> reject_unauth_destination, and put "general restrictions" (that also
>> apply to your users) in one of smtpd_(client|helo|sender)_restrictions.
>
> thanks,
>
> rocsca