-- Doug
> On Mar 26, 2023, at 15:04, Viktor Dukhovni via Postfix-users
> <postfix-users@postfix.org> wrote:
>
> On Sun, Mar 26, 2023 at 02:53:42PM -0700, Doug Hardie wrote:
>
>>> inline:{{digitalinsight.firefightersfirstcreditunion.org =
>>> permit_auth_destination}}
>>> or
>>>
>>> inline:{digitalinsight.firefightersfirstcreditunion.org=permit_auth_destination}
>>>
>>> Per the documentation:
>>>
>>> http://www.postfix.org/DATABASE_README.html
>>>
>>> "inline:{ key=value, { key = text with whitespace or comma }}
>>
>>
>> I found the = didn't work.
>
> This is sadly without any configuration or error message details. So not
> actionable. The suggested inline:{{key = value}} replacement will work
> if implemented correctly.

Mar 26 15:42:30 mail postfix/smtpd[15243]: NOQUEUE: reject: RCPT from mx4.messageprovider.com[156.55.193.213]: 450 4.1.8 <nore...@digitalinsight.firefightersfirstcreditunion.org>: Sender address rejected: Domain not found; from=<nore...@digitalinsight.firefightersfirstcreditunion.org> to=<a...@beneke.us> proto=ESMTP helo=<mx4.messageprovider.com>

mail# postconf -n
alias_maps = hash:/usr/local/etc/postfix/aliases
bounce_queue_lifetime = 1d
command_directory = /usr/local/sbin
compatibility_level = 3.7
daemon_directory = /usr/local/libexec/postfix
data_directory = /var/db/postfix
debug_peer_level = 1
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5
default_privs = mailnull
dovecot_destination_recipient_limit = 1
enable_long_queue_ids = yes
header_checks = pcre:/usr/local/etc/postfix/header_checks.pcre
home_mailbox = Maildir/
html_directory = /usr/local/share/doc/postfix
incoming_smtpd_restrictions = check_policy_service inet:127.0.0.1:10040, reject_invalid_hostname, reject_non_fqdn_sender, reject_non_fqdn_recipient, check_sender_access hash:/usr/local/etc/postfix/access reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_unauth_pipelining, permit_mynetworks, check_recipient_access hash:/usr/local/etc/postfix/tempfail, reject_unauth_destination, reject_unlisted_recipient reject_rbl_client bl.spamcop.net, reject_rbl_client b.barracudacentral.org, reject_rbl_client zen.spamhaus.org, permit
inet_protocols = ipv4
local_recipient_maps = unix:passwd.byname $alias_maps
mail_owner = postfix
mail_spool_directory = /var/spool/mail
mailbox_size_limit = 0
mailq_path = /usr/local/bin/mailq
manpage_directory = /usr/local/man
max_use = 5
message_size_limit = 1024000000
mydestination = localhost.$mydomain, localhost
mydomain = sermon-archive.info
mynetworks = 10.0.1.0/24, 127.0.0.0/8
mynetworks_style = host
newaliases_path = /usr/local/bin/newaliases
postscreen_access_list = permit_mynetworks, cidr:/usr/local/etc/postfix/access.cidr
postscreen_greet_action = enforce
queue_directory = /var/spool/postfix
readme_directory = /usr/local/share/doc/postfix
recipient_canonical_classes = envelope_recipient,header_recipient
recipient_canonical_maps = tcp:localhost:10002
relocated_maps = hash:/usr/local/etc/postfix/relocated
sample_directory = /usr/local/etc/postfix
sender_canonical_classes = envelope_sender
sender_canonical_maps = tcp:localhost:10001
sendmail_path = /usr/local/sbin/sendmail
setgid_group = maildrop
smtp_destination_concurrency_limit = 2
smtp_destination_recipient_limit = 25
smtp_generic_maps = hash:/usr/local/etc/postfix/generic
smtpd_authorized_xclient_hosts = 10.0.1.0/24
smtpd_client_auth_rate_limit = 10
smtpd_client_connection_rate_limit = 10
smtpd_command_filter = pcre:/usr/local/etc/postfix/quote
smtpd_error_sleep_time = 10
smtpd_hard_error_limit = 10
smtpd_milters = unix:/var/run/clamav/clmilter.sock
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
smtpd_soft_error_limit = 1
smtpd_tls_cert_file = /etc/ssl/certs/mail.pem
smtpd_tls_key_file = /etc/ssl/private/mail.key
smtpd_tls_loglevel = 1
smtpd_tls_security_level = may
unknown_local_recipient_reject_code = 550
virtual_alias_maps = hash:/usr/local/etc/postfix/vmail_aliases, hash:/usr/local/etc/postfix/vcsc_aliases, hash:/usr/local/etc/postfix/lafn_aliases, hash:/usr/local/mailman/data/aliases
virtual_gid_maps = static:2222
virtual_mailbox_base = /var/mail/
virtual_mailbox_domains = hash:/usr/local/etc/postfix/vmail_domains
virtual_mailbox_limit = 1024000000
virtual_mailbox_maps = hash:/usr/local/etc/postfix/vmail_mailbox
virtual_minimum_uid = 2222
virtual_transport = dovecot
virtual_uid_maps = static:2222

>
> # Best to rename to "incoming_recipient_restrictions", here, and in
> master.cf.

Good suggestion.

> incoming_smtpd_restrictions =
>     check_policy_service inet:127.0.0.1:10040,
>     reject_invalid_hostname,
>     reject_non_fqdn_sender,
>     reject_non_fqdn_recipient,
>     check_sender_access inline:{
>         {digitalinsight.firefightersfirstcreditunion.org =
>             permit_auth_destination}
>     },
>     reject_unknown_sender_domain,
>     reject_unknown_recipient_domain,
>     reject_unauth_pipelining,
>     permit_mynetworks,
>     check_recipient_access hash:/usr/local/etc/postfix/tempfail,
>     reject_unauth_destination,
>     reject_unlisted_recipient
>     reject_rbl_client bl.spamcop.net,
>     reject_rbl_client b.barracudacentral.org,
>     reject_rbl_client zen.spamhaus.org,
>     permit
>
>> So I tried the example in the access(5) man page.
>
> What example?

https://www.postfix.org/access.5.html

EXAMPLE
       The following example uses an indexed file, so that the order of table
       entries does not matter. The example permits access by the client at
       address 1.2.3.4 but rejects all other clients in 1.2.3.0/24. Instead of
       hash lookup tables, some systems use dbm. Use the command "postconf -m"
       to find out what lookup tables Postfix supports on your system.

       /etc/postfix/main.cf:
           smtpd_client_restrictions =
               check_client_access hash:/etc/postfix/access

       /etc/postfix/access:
           1.2.3   REJECT
           1.2.3.4 OK

       Execute the command "postmap /etc/postfix/access" after editing the file.

>
>> smtpd     pass  -       -       n       -       50      smtpd
>>     -o smtpd_recipient_restrictions=$incoming_smtpd_restrictions
>>
>> incoming_smtpd_restrictions =
>>     check_policy_service inet:127.0.0.1:10040,
>>     reject_invalid_hostname,
>>     reject_non_fqdn_sender,
>>     reject_non_fqdn_recipient,
>>     check_sender_access hash:/usr/local/etc/postfix/access
>>     reject_unknown_sender_domain,
>
> This will reject the domain.
>
>>     reject_unknown_recipient_domain,
>>     reject_unauth_pipelining,
>>     permit_mynetworks,
>>     check_recipient_access hash:/usr/local/etc/postfix/tempfail,
>>     reject_unauth_destination,
>>     reject_unlisted_recipient
>>     reject_rbl_client bl.spamcop.net,
>>     reject_rbl_client b.barracudacentral.org,
>>     reject_rbl_client zen.spamhaus.org,
>>     permit
>>
>> the contents of access:
>>
>> # Firefighters CU has missing DNS
>> 156.55.193.213 OK
>
> That's not a sender [email] address. Also the "RHS" is too permissive,
> you probably want (just in case) not "OK" but "permit_auth_destination"
> (though your "smtpd_relay_restrictions" may keep you out of trouble,
> best to be sure).
>
> Perhaps you meant to instead use:
>
>     check_client_access hash:/usr/local/etc/postfix/access

You are right. I missed that.

>
> --
>     Viktor.
> _______________________________________________
> Postfix-users mailing list -- postfix-users@postfix.org
> To unsubscribe send an email to postfix-users-le...@postfix.org
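
Added example, not part of the original message and not Postfix code: a simplified Python model of the restriction list discussed above, showing why an IP key in a check_sender_access table never matches, and how "OK" differs from "permit_auth_destination". The local and remote recipient domains, the sender local part and the stand-in for DNS are constructed assumptions, lookup rules are reduced to exact keys, and only this one list is modelled (not smtpd_relay_restrictions).

```python
# Added model, not Postfix code: a restriction returns a verdict, or None to continue.
LOCAL_DOMAINS = {"local.example"}   # assumption: domains this server accepts mail for
RESOLVABLE = {"local.example", "elsewhere.example"}   # constructed stand-in for DNS
SENDER_DOM = "digitalinsight.firefightersfirstcreditunion.org"   # from the thread
CLIENT_IP = "156.55.193.213"                                      # from the thread

def domain(addr):
    return addr.rsplit("@", 1)[-1].lower()

def act(action, msg):   # apply the right-hand side of an access(5) entry
    if action == "OK":
        return "permit"                      # unconditional: skips all later checks
    if action == "permit_auth_destination":  # permit only mail addressed to us
        return "permit" if domain(msg["rcpt"]) in LOCAL_DOMAINS else None
    raise ValueError(f"action not modelled: {action}")

def check_sender_access(table):
    def restriction(msg):   # keys tried: envelope sender address, then its domain
        for key in (msg["sender"].lower(), domain(msg["sender"])):
            if key in table:
                return act(table[key], msg)
        return None
    return restriction

def check_client_access(table):   # keys tried: client IP only (hostname/prefix lookups omitted)
    return lambda msg: act(table[msg["client_ip"]], msg) if msg["client_ip"] in table else None

def reject_unknown_sender_domain(msg):
    return None if domain(msg["sender"]) in RESOLVABLE else "reject 450 4.1.8"

def reject_unauth_destination(msg):
    return None if domain(msg["rcpt"]) in LOCAL_DOMAINS else "reject relay denied"

def evaluate(check, msg):
    # First non-None verdict wins; the list in the thread ends with "permit".
    chain = (check, reject_unknown_sender_domain, reject_unauth_destination)
    return next((v for v in (r(msg) for r in chain) if v is not None), "permit")

def envelope(rcpt):   # constructed envelope; the sender local part is a placeholder
    return {"client_ip": CLIENT_IP, "sender": "sender@" + SENDER_DOM, "rcpt": rcpt}

AS_POSTED = check_sender_access({CLIENT_IP: "OK"})   # IP key in a sender table: never matches
CLIENT_OK = check_client_access({CLIENT_IP: "OK"})   # matches, but permits any recipient
SUGGESTED = check_sender_access({SENDER_DOM: "permit_auth_destination"})

if __name__ == "__main__":
    for name, chk in (("as posted", AS_POSTED), ("client OK", CLIENT_OK), ("suggested", SUGGESTED)):
        print(name, "| local rcpt:", evaluate(chk, envelope("user@local.example")),
              "| other rcpt:", evaluate(chk, envelope("user@elsewhere.example")))
```

In this model the "client OK" table returns permit for the non-local recipient before reject_unauth_destination is reached, which is the over-permissive case the reply warns about.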