Carsten Rosenberg wrote on Wed, 7 Nov 2018 16:23:54 +0100:

> So if you reject somebody with an access_map, you won't see any scan
> result in rspamd.

This would be fine ;-)

> Do you have any problems with this situation?

Yes, it's the other way around here. e.g. there is no rejection happening by postfix, but the milter kicks in and greylists the mail (if it scores enough the first time) and after greylisting scans it and scores accordingly. But I would rather like it to get rejected by postfix because of the access_map.

I have some generic TLDs listed that deliver only garbage, like .site, host, .review etc. They were getting scored as spam by rspamd most of the time but I wondered why they weren't getting rejected by postfix, anyway. First I thought I might be using wrong syntax (site vs. .site), but I scanned the postfix docs and found that the default compatibility setting for access_maps should allow "site" to be used for subdomain matching as well.

Now, after removing the delay it seems that postfix is now rejecting them. I'm not 100% sure if that did it, because I have some sender rejects that *may* have been before my changes. But never a client reject. I'm not sure because I made several changes over the course of the day and am not sure about exact times.

So, this seems to work now, but I've just realized I hit a new problem. After

smtpd_delay_reject = no

the option permit_sasl_authenticated doesn't work in permit_sasl_authenticated anymore. I had to revert to yes, otherwise the checks *after* permit_sasl_authenticated hit the message and reject it.

After thinking about this, it's clear that if I check at helo stage there hasn't been any authentication yet, permit_sasl_authenticated is moot at this stage. If I want it and still use some rejections because of helo I *have* to delay.

Is there a workaround for this which allows client and sender rejections and have the milter kick in only after this?

Here's my current conf in this area:
(smtpd_client_restrictions was empty before today and most of the restrictions had been in recipient_restrictions)

smtpd_delay_reject = yes
smtpd_helo_required = yes

smtpd_relay_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination

smtpd_helo_restrictions =
    permit_sasl_authenticated,(obviously in vain)
    #permit_mynetworks,
    reject_invalid_helo_hostname,
    reject_non_fqdn_helo_hostname,
    reject_unknown_helo_hostname,
    check_helo_access hash:/etc/mail/access,
    check_helo_access hash:/etc/mail/disallow_my_domains,
    permit

#http://www.postfix.org/postconf.5.html#smtpd_relay_restrictions:
smtpd_client_restrictions =
    permit_sasl_authenticated,
    permit_mynetworks,
    sleep 1,
    reject_unauth_pipelining,
    check_client_access hash:/etc/mail/allow_clients,
    check_client_access hash:/etc/mail/access,
    reject_invalid_hostname,
    reject_unknown_client_hostname,
    permit

smtpd_sender_restrictions =

smtpd_recipient_restrictions =
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    permit_sasl_authenticated,
    permit_mynetworks,
    reject_unauth_destination,
    reject_unknown_sender_domain,
    reject_unknown_recipient_domain,
    reject_unlisted_recipient,
    check_recipient_access hash:/etc/mail/allow_recipients,
    check_sender_access hash:/etc/mail/allow_senders,
    #check_client_access hash:/etc/mail/allow_clients,
    #check_client_access hash:/etc/mail/access,
    check_sender_access hash:/etc/mail/access,
    #reject_invalid_hostname,
    #reject_unknown_client_hostname,
    #reject_rbl_client ix.dnsbl.manitu.net,
    #check_policy_service inet:127.0.0.1:10023,
    check_policy_service inet:127.0.0.1:10024,
    permit

smtpd_data_restrictions =
    reject_unauth_pipelining,
    reject_multi_recipient_bounce

Kai
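
The ordering issue described in the message above, as an added example that is not part of the original post: a simplified Python model (not Postfix code) of when each smtpd restriction list runs relative to SASL AUTH under both smtpd_delay_reject settings. The shortened lists, the two sample clients and the TLD-only access-map match are constructed assumptions.

```python
# Simplified model (an assumption, not Postfix code): which restriction list
# runs at which SMTP event, and whether SASL AUTH has happened by then.
EVENTS = ["connect", "helo", "auth", "mail", "rcpt"]  # AUTH follows EHLO
# List name -> event where it is evaluated when smtpd_delay_reject = no.
# Insertion order matches the order Postfix uses at RCPT TO when delaying.
NATURAL_STAGE = {"client": "connect", "helo": "helo",
                 "sender": "mail", "recipient": "rcpt"}
BLOCKED_TLDS = {"site", "review"}  # constructed stand-in for the access map

def run_list(restrictions, session):
    """Return 'permit', 'reject' or 'dunno'; the first deciding entry wins."""
    for r in restrictions:
        if r == "permit_sasl_authenticated" and session["authenticated"]:
            return "permit"
        if r == "reject_unknown_helo_hostname" and not session["helo_resolves"]:
            return "reject"
        if r == "check_client_access" and session["client_tld"] in BLOCKED_TLDS:
            return "reject"
        if r == "permit":
            return "permit"
    return "dunno"

def simulate(config, delay_reject, client):
    """Walk one SMTP session and report where, if anywhere, it is rejected."""
    session = dict(client, authenticated=False)
    for event in EVENTS:
        if event == "auth":
            session["authenticated"] = client["will_authenticate"]
            continue
        if delay_reject:   # every list is held back until RCPT TO
            due = list(NATURAL_STAGE) if event == "rcpt" else []
        else:              # every list runs at its own protocol stage
            due = [n for n, s in NATURAL_STAGE.items() if s == event]
        for name in due:
            # A permit only ends its own list; a reject ends the session.
            if run_list(config.get(name, []), session) == "reject":
                return f"reject at {event} ({name})"
    return "accept"

# Shortened versions of the lists in the post (constructed).
CONFIG = {
    "client": ["permit_sasl_authenticated", "check_client_access"],
    "helo": ["permit_sasl_authenticated", "reject_unknown_helo_hostname", "permit"],
}
# Constructed sample clients: a submitting user whose HELO name does not
# resolve, and an unauthenticated host under a blocked TLD.
ROAMING_USER = {"will_authenticate": True, "helo_resolves": False, "client_tld": "example"}
JUNK_CLIENT = {"will_authenticate": False, "helo_resolves": True, "client_tld": "site"}

if __name__ == "__main__":
    for label, client in (("roaming user", ROAMING_USER), ("junk client", JUNK_CLIENT)):
        for delay in (False, True):
            print(label, "delay_reject =", delay, "->", simulate(CONFIG, delay, client))
```

In this model the blocked-TLD client is rejected before DATA under either setting, while the authenticated user is accepted only when the lists are delayed until RCPT TO.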