Sahil Tandon wrote:

Show all 'postconf -n' instead of snippets for more thorough debugging.


Sorry, figured the shorthand would give enough detail without being too wordy. Here's the rest:

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
config_directory = /etc/postfix
disable_vrfy_command = yes
inet_interfaces = all
mailbox_size_limit = 0
mydestination = smtp1.myDomainOne myDomainOne myDomainTwo
myhostname = smtp1.myDomainOne
mynetworks = 127.0.0.0/8 x.x.x.x x.x.x.x x.x.x.x
myorigin = /etc/mailname
readme_directory = no
recipient_delimiter = +
relay_domains = myDomainOne, myDomainTwo
relay_recipient_maps = hash:/etc/postfix/exchange_recipients
relayhost =
show_user_unknown_table_name = no
smtpd_banner = $myhostname Microsoft ESMTP MAIL Service, Version: 6.0.3790.1830 ready
smtpd_client_restrictions =
 check_client_access hash:/etc/postfix/access_hash,
 check_client_access regexp:/etc/postfix/access_regexp,
 reject_unknown_reverse_client_hostname,
 reject_unknown_client_hostname
smtpd_delay_reject = yes
smtpd_helo_required = yes
smtpd_helo_restrictions =
 check_helo_access hash:/etc/postfix/access_hash,
 reject_non_fqdn_helo_hostname,
 reject_invalid_helo_hostname
smtpd_sender_restrictions =
 check_sender_access hash:/etc/postfix/access_hash,
 reject_unknown_sender_domain
transport_maps = hash:/etc/postfix/transport
unknown_client_reject_code = 550
unknown_hostname_reject_code = 550


smtp1:/etc/postfix# cat access_hash
.it REJECT 554 Access denied

smtp1:/etc/postfix# cat access_regexp
/gaoland\.net/


My questions:
1) Are two check_client_access statements, as I have in smtpd_client_restrictions, legal?

Yes.

and

2) If yes to 1, assuming I've grepped the mail.log correctly, should this have gotten past the .it block in the access_hash check? If not, what might be changed to block .it?

You're trying to block an entire TLD. See the access(5) manual, especially the section on lookups from indexed files. You might want to try "it" as a lookup key instead of ".it", given the likely inclusion of smtpd_access_maps in your configuration's parent_domain_matches_subdomains.


OK, read http://www.postfix.org/access.5.html
Am I correct in interpreting this to mean I need to put the desired ".tld" in, for example, my "access_regexp" as a regular expression because ".tld" is too short and won't match via an "access_hash" whereas ".domain.tld", being longer, would?

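The hostname lookup order that access(5) describes for indexed tables, as an added example that is not part of the original thread and is not Postfix code. It is a simplified model: IP address lookups are left out, and the function names and the hostname mail.example.it are constructed for illustration.

```python
# Simplified model of the client-hostname lookup order documented in access(5)
# for indexed tables such as hash:. Added example, not Postfix source code.

def hostname_lookup_keys(hostname, parent_matches_subdomains=True):
    """Return the keys tried, in order, for one client hostname.

    parent_matches_subdomains=True models smtpd_access_maps being listed in
    parent_domain_matches_subdomains (the Postfix default): parent domains
    are tried without a leading dot ("example.it", "it").
    False models it not being listed: parent domains are tried with a
    leading dot (".example.it", ".it").
    """
    name = hostname.lower().rstrip(".")
    labels = name.split(".")
    keys = [name]  # the full hostname is always tried first
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        keys.append(parent if parent_matches_subdomains else "." + parent)
    return keys


def first_match(table, hostname, parent_matches_subdomains=True):
    """Return (key, action) for the first key found in the table, else None."""
    for key in hostname_lookup_keys(hostname, parent_matches_subdomains):
        if key in table:
            return key, table[key]
    return None


# Constructed sample tables: the ".it" entry from access_hash above, and the
# "it" key suggested in the reply.
DOT_TABLE = {".it": "REJECT 554 Access denied"}
BARE_TABLE = {"it": "REJECT 554 Access denied"}
CLIENT = "mail.example.it"  # constructed client hostname

if __name__ == "__main__":
    for listed in (True, False):
        print("smtpd_access_maps listed:", listed)
        print("  keys tried :", hostname_lookup_keys(CLIENT, listed))
        print("  '.it' entry:", first_match(DOT_TABLE, CLIENT, listed))
        print("  'it' entry :", first_match(BARE_TABLE, CLIENT, listed))
```

On a live system, `postconf parent_domain_matches_subdomains` shows which of the two modes applies.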