-- Doug

> On Mar 26, 2023, at 15:04, Viktor Dukhovni via Postfix-users <postfix-users@postfix.org> wrote:
> 
> On Sun, Mar 26, 2023 at 02:53:42PM -0700, Doug Hardie wrote:
> 
>>>   inline:{{digitalinsight.firefightersfirstcreditunion.org = permit_auth_destination}}
>>> or
>>>   inline:{digitalinsight.firefightersfirstcreditunion.org=permit_auth_destination}
>>> 
>>> Per the documentation:
>>> 
>>>   http://www.postfix.org/DATABASE_README.html
>>> 
>>>       "inline:{ key=value, { key = text with whitespace or comma }}
>> 
>> 
>> I found the = didn't work.
> 
> This is sadly without any configuration or error message details. So not
> actionable.  The suggested inline:{{key = value}} replacement will work
> if implemented correctly.

Mar 26 15:42:30 mail postfix/smtpd[15243]: NOQUEUE: reject: RCPT from mx4.messageprovider.com[156.55.193.213]: 450 4.1.8 <nore...@digitalinsight.firefightersfirstcreditunion.org>: Sender address rejected: Domain not found; from=<nore...@digitalinsight.firefightersfirstcreditunion.org> to=<a...@beneke.us> proto=ESMTP helo=<mx4.messageprovider.com>

mail# postconf -n
alias_maps = hash:/usr/local/etc/postfix/aliases
bounce_queue_lifetime = 1d
command_directory = /usr/local/sbin
compatibility_level = 3.7
daemon_directory = /usr/local/libexec/postfix
data_directory = /var/db/postfix
debug_peer_level = 1
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5
default_privs = mailnull
dovecot_destination_recipient_limit = 1
enable_long_queue_ids = yes
header_checks = pcre:/usr/local/etc/postfix/header_checks.pcre
home_mailbox = Maildir/
html_directory = /usr/local/share/doc/postfix
incoming_smtpd_restrictions = check_policy_service inet:127.0.0.1:10040, reject_invalid_hostname, reject_non_fqdn_sender, reject_non_fqdn_recipient, check_sender_access hash:/usr/local/etc/postfix/access reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_unauth_pipelining, permit_mynetworks, check_recipient_access hash:/usr/local/etc/postfix/tempfail, reject_unauth_destination, reject_unlisted_recipient reject_rbl_client bl.spamcop.net, reject_rbl_client b.barracudacentral.org, reject_rbl_client zen.spamhaus.org, permit
inet_protocols = ipv4
local_recipient_maps = unix:passwd.byname $alias_maps
mail_owner = postfix
mail_spool_directory = /var/spool/mail
mailbox_size_limit = 0
mailq_path = /usr/local/bin/mailq
manpage_directory = /usr/local/man
max_use = 5
message_size_limit = 1024000000
mydestination = localhost.$mydomain, localhost
mydomain = sermon-archive.info
mynetworks = 10.0.1.0/24, 127.0.0.0/8
mynetworks_style = host
newaliases_path = /usr/local/bin/newaliases
postscreen_access_list = permit_mynetworks, cidr:/usr/local/etc/postfix/access.cidr
postscreen_greet_action = enforce
queue_directory = /var/spool/postfix
readme_directory = /usr/local/share/doc/postfix
recipient_canonical_classes = envelope_recipient,header_recipient
recipient_canonical_maps = tcp:localhost:10002
relocated_maps = hash:/usr/local/etc/postfix/relocated
sample_directory = /usr/local/etc/postfix
sender_canonical_classes = envelope_sender
sender_canonical_maps = tcp:localhost:10001
sendmail_path = /usr/local/sbin/sendmail
setgid_group = maildrop
smtp_destination_concurrency_limit = 2
smtp_destination_recipient_limit = 25
smtp_generic_maps = hash:/usr/local/etc/postfix/generic
smtpd_authorized_xclient_hosts = 10.0.1.0/24
smtpd_client_auth_rate_limit = 10
smtpd_client_connection_rate_limit = 10
smtpd_command_filter = pcre:/usr/local/etc/postfix/quote
smtpd_error_sleep_time = 10
smtpd_hard_error_limit = 10
smtpd_milters = unix:/var/run/clamav/clmilter.sock
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
smtpd_soft_error_limit = 1
smtpd_tls_cert_file = /etc/ssl/certs/mail.pem
smtpd_tls_key_file = /etc/ssl/private/mail.key
smtpd_tls_loglevel = 1
smtpd_tls_security_level = may
unknown_local_recipient_reject_code = 550
virtual_alias_maps = hash:/usr/local/etc/postfix/vmail_aliases, hash:/usr/local/etc/postfix/vcsc_aliases, hash:/usr/local/etc/postfix/lafn_aliases, hash:/usr/local/mailman/data/aliases
virtual_gid_maps = static:2222
virtual_mailbox_base = /var/mail/
virtual_mailbox_domains = hash:/usr/local/etc/postfix/vmail_domains
virtual_mailbox_limit = 1024000000
virtual_mailbox_maps = hash:/usr/local/etc/postfix/vmail_mailbox
virtual_minimum_uid = 2222
virtual_transport = dovecot
virtual_uid_maps = static:2222

> 
>    # Best to rename to "incoming_recipient_restrictions", here, and in master.cf.

Good suggestion.

>    incoming_smtpd_restrictions =
>            check_policy_service inet:127.0.0.1:10040,
>            reject_invalid_hostname,
>            reject_non_fqdn_sender,
>            reject_non_fqdn_recipient,
>            check_sender_access inline:{
>                {digitalinsight.firefightersfirstcreditunion.org = permit_auth_destination}
>            },
>            reject_unknown_sender_domain,
>            reject_unknown_recipient_domain,
>            reject_unauth_pipelining,
>            permit_mynetworks,
>            check_recipient_access hash:/usr/local/etc/postfix/tempfail,
>            reject_unauth_destination,
>            reject_unlisted_recipient
>            reject_rbl_client bl.spamcop.net,
>            reject_rbl_client b.barracudacentral.org,
>            reject_rbl_client zen.spamhaus.org,
>            permit
> 
>> So I tried the example in the access(5) man page.
> 
> What example?

https://www.postfix.org/access.5.html

EXAMPLE
The following example uses an indexed file, so that the order of table
entries does not matter. The example permits access by the client at
address 1.2.3.4 but rejects all other clients in 1.2.3.0/24. Instead of
hash lookup tables, some systems use dbm. Use the command "postconf
-m" to find out what lookup tables Postfix supports on your system.

/etc/postfix/main.cf:
    smtpd_client_restrictions =
        check_client_access hash:/etc/postfix/access

/etc/postfix/access:
    1.2.3   REJECT
    1.2.3.4 OK

Execute the command "postmap /etc/postfix/access" after editing the
file.


> 
>> smtpd      pass  -       -       n       -       50       smtpd
>>  -o smtpd_recipient_restrictions=$incoming_smtpd_restrictions
>> 
>> incoming_smtpd_restrictions =
>>        check_policy_service inet:127.0.0.1:10040,
>>        reject_invalid_hostname,
>>        reject_non_fqdn_sender,
>>        reject_non_fqdn_recipient,
>>        check_sender_access hash:/usr/local/etc/postfix/access
>>        reject_unknown_sender_domain,
> 
> This will reject the domain.
> 
>>        reject_unknown_recipient_domain,
>>        reject_unauth_pipelining,
>>        permit_mynetworks,
>>        check_recipient_access hash:/usr/local/etc/postfix/tempfail,
>>        reject_unauth_destination,
>>        reject_unlisted_recipient
>>        reject_rbl_client bl.spamcop.net,
>>        reject_rbl_client b.barracudacentral.org,
>>        reject_rbl_client zen.spamhaus.org,
>>        permit
>> 
>> the contents of access:
>> 
>> #       Firefighters CU has missing DNS
>> 156.55.193.213          OK
> 
> That's not a sender [email] address.  Also the "RHS" is too permissive,
> you probably want (just in case) not "OK" but "permit_auth_destination"
> (though your "smtpd_relay_restrictions" may keep you out of trouble,
> best to be sure).
> 
> Perhaps you meant to instead use:
> 
>    check_client_access hash:/usr/local/etc/postfix/access

You are right.  I missed that.

> 
> -- 
>    Viktor.
> _______________________________________________
> Postfix-users mailing list -- postfix-users@postfix.org
> To unsubscribe send an email to postfix-users-le...@postfix.org

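
Added example, not part of the thread and not Postfix code: a simplified Python model of how one smtpd restriction list is evaluated, showing why a client-IP key in a sender access table never matches and how permit_auth_destination differs from OK. The recipient domains, sender local part and DNS state are constructed assumptions, and smtpd_relay_restrictions is not modelled.

```python
# Simplified model of Postfix smtpd restriction evaluation; not Postfix code.
DOMAIN = "digitalinsight.firefightersfirstcreditunion.org"  # sender domain from the thread
SENDER = "sender@" + DOMAIN         # constructed local part
CLIENT_IP = "156.55.193.213"        # client address from the logged reject
LOCAL_DOMAINS = {"local.example"}   # assumption: domains this server is final destination for
RESOLVABLE = {"local.example", "elsewhere.example"}  # constructed DNS state: DOMAIN is absent

def sender_keys(addr):
    """Keys tried for a sender lookup: full address, domain and its parents, then user@."""
    user, _, domain = addr.partition("@")
    labels = domain.split(".")
    return [addr] + [".".join(labels[i:]) for i in range(len(labels))] + [user + "@"]

def evaluate(restrictions, sender, rcpt, client_ip):
    """Walk the list in order; the first result other than DUNNO decides."""
    rcpt_domain = rcpt.rpartition("@")[2]
    for name, table in restrictions:
        action = "DUNNO"
        if name == "check_sender_access":
            action = next((table[k] for k in sender_keys(sender) if k in table), "DUNNO")
        elif name == "check_client_access":
            action = table.get(client_ip, "DUNNO")  # exact IP only; network prefixes omitted
        elif name == "reject_unknown_sender_domain":
            if sender.rpartition("@")[2] not in RESOLVABLE:
                action = "REJECT"
        elif name == "reject_unauth_destination":
            if rcpt_domain not in LOCAL_DOMAINS:
                action = "REJECT"
        if action == "permit_auth_destination":
            # Permits only mail addressed to our own domains; otherwise keep evaluating.
            action = "OK" if rcpt_domain in LOCAL_DOMAINS else "DUNNO"
        if action != "DUNNO":
            return action, name
    return "OK", "permit"

def chain(check, table):
    """The part of incoming_smtpd_restrictions that matters here, with one access check."""
    return [(check, table), ("reject_unknown_sender_domain", None),
            ("reject_unauth_destination", None)]

def run(check, table, rcpt):
    """Evaluate the chain for the thread's sender and client against one recipient."""
    return evaluate(chain(check, table), SENDER, rcpt, CLIENT_IP)
```

With the IP-keyed table under check_sender_access the lookup falls through to reject_unknown_sender_domain, as in the logged reject; with OK as the result, a recipient outside the local domains is permitted before reject_unauth_destination is reached in this list.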