On Sun, 03 May 2009, Brian Mathis wrote:

> I'm running a relay server for my internal network, and trying to
> construct a smtpd_recipient_restrictions list that will accomplish the
> following:
> - if the client is in mynetworks
> - and it passes a check_policy_service test
> - then allow the message
> - otherwise, reject the message
>
> However, with the following setting:
> smtpd_recipient_restrictions = permit_mynetworks,
> check_policy_service unix:private/mypolicy, reject_unauth_destination
> it seems that the permit_mynetworks finds the allowed client, returns
> a "permit", and the check does not progress any further.

This means Postfix works as designed. If you do not want to "OK" clients in your networks (and thus bypass any following checks within the same restriction list), then do not use permit_mynetworks within the same restriction list that also calls the policy service.

> Is there a way to accomplish what I am looking to do?

One method is to use an access(5) map which queries for the client IP and returns "DUNNO" if it is in your network; otherwise, it returns "REJECT". Place your policy service thereafter. There are other ways to do this as well. Make sure to read: http://www.postfix.org/SMTPD_ACCESS_README.html.

> PS. I'm also a bit concerned with the warnings about:
> specify check_policy_service AFTER reject_unauth_destination or
> else your system can become an open relay.

Just make sure your policy service does not reply with "OK" but instead "permit_auth_destination" to avoid becoming an open relay.

--
Sahil Tandon <sa...@tandon.net>
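
The access(5) map method from the reply above, written out as an added example that is not part of the original thread. The file path /etc/postfix/internal_clients.cidr and the 192.0.2.0/24 range are placeholders for your own network; the policy service name is the one from the question.

```cfg
# --- main.cf: the list from the question ---
# permit_mynetworks returns "permit" for internal clients, so the
# policy service after it is never consulted for them.
#smtpd_recipient_restrictions = permit_mynetworks,
#    check_policy_service unix:private/mypolicy,
#    reject_unauth_destination

# --- main.cf: access map in place of permit_mynetworks ---
# The map answers DUNNO for internal clients (evaluation continues to
# the policy service) and REJECT for every other client.
smtpd_recipient_restrictions =
    check_client_access cidr:/etc/postfix/internal_clients.cidr,
    check_policy_service unix:private/mypolicy,
    reject_unauth_destination

# --- /etc/postfix/internal_clients.cidr (placeholder path) ---
# The first matching pattern wins, so internal ranges must come first.
# 192.0.2.0/24 is a constructed placeholder; list your own networks.
192.0.2.0/24    DUNNO
0.0.0.0/0       REJECT
::/0            REJECT
```

cidr: tables are plain text and are not compiled with postmap.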