On 1/31/2011 2:32 PM, Daniel Bromberg wrote:
On 1/31/2011 7:24 AM, Noel Jones wrote:
On 1/30/2011 11:12 PM, Daniel Bromberg wrote:
Re: the From:/Reply-To cases: It seems one can write a better
regexp than given by mouss, such as including angle brackets
in the match field, or the full syntax
[the custom on this list is to bottom post]
The full possible syntax of the From: header is quite
complex and difficult to express in a regexp. Mouss' example
is appropriate.
What is normally suggested is to put these controls on the
submission/smtps ports and turn off SASL on the main port
25. That forces the users to submission/smtps, and allows you
to separate the controls rather than trying to make all
ports work for everything.
-- Noel Jones
> The full possible syntax of the From: header is quite
> complex and difficult to express in a regexp. Mouss' example
> is appropriate.
I can see how the possibility of embedded comments in the
whitespace (which themselves can have quoted metacharacters)
makes the worst case complicated. Then, it begs the question of
a thorough, reliable library (perl? C? agonizingly careful
PCRE template?) that fits neatly into Postfix and can parse
these fields quickly and fully up to 5322 spec using a formal
grammar and return the meaty parts with an API. I've concluded
for now that this need is academic for me right now, so more
of a curiosity question.
> What is normally suggested is to put these controls on the
> submission/smtps ports and turn off SASL on the main port 25.
> That forces the users to submission/smtps, and allows you to
> separate the controls rather than trying to make all ports
> work for everything.
I already have SASL enabled only for the submission port.
Here's my settings, please confirm (filter:dummy goes to
spamc/spamd):
smtp.example.com:smtp inet n - n - - smtpd
    -o content_filter=filter:dummy
smtp.example.com:smtps inet n - n - - smtpd
    -o smtpd_tls_wrappermode=yes
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_client_restrictions=permit_sasl_authenticated,reject
I think what you're also suggesting, then, is to put this
stanza: "smtpd_sender_login_maps =
mysql:/etc/postfix/mysql_sender_login_maps.cf" as a -o to the
'smtps' clause, instead of in the system-wide main.cf
smtpd_recipient_restrictions clause?
Well, the easy way is to put those settings in main.cf and use
macros to load into master.cf. That way you can control both
smtps and submission with one set of controls, and you get
some insulation from the syntax restrictions of master.cf.
Also, most *sql: and ldap: maps should use the proxymap
interface to avoid excessive connections.
http://www.postfix.org/proxymap.8.html
# main.cf something like:
submit_client_restrictions =
submit_helo_restrictions =
submit_sender_restrictions =
    reject_sender_login_mismatch
submit_recipient_restrictions =
    permit_sasl_authenticated,
    reject
smtpd_sender_login_maps = proxy:mysql:...
**the submit_* parameters won't show in "postconf" output.
# master.cf something like:
submission inet n - n - - smtpd
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_tls_security_level=encrypt
    -o smtpd_client_restrictions=$submit_client_restrictions
    -o smtpd_helo_restrictions=$submit_helo_restrictions
    -o smtpd_sender_restrictions=$submit_sender_restrictions
    -o smtpd_recipient_restrictions=$submit_recipient_restrictions
    -o smtpd_data_restrictions=
    -o syslog_name=postfix-submission
#   ... maybe other stuff specific to submission ...
smtps inet n - n - - smtpd
    -o smtpd_tls_wrappermode=yes
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_client_restrictions=$submit_client_restrictions
    -o smtpd_helo_restrictions=$submit_helo_restrictions
    -o smtpd_sender_restrictions=$submit_sender_restrictions
    -o smtpd_recipient_restrictions=$submit_recipient_restrictions
    -o smtpd_data_restrictions=
    -o syslog_name=postfix-smtps
#   ... maybe other stuff specific to smtps ...
-- Noel Jones
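
A small audit of the layout discussed above, as an added example (not code from this thread or from Postfix): it folds continuation lines, expands main.cf $name macros into the master.cf -o overrides, and flags any smtpd service that enables SASL on port 25 or enables SASL without a sender/login mismatch check. The two sample files are constructed from the settings quoted in the thread; the function names are hypothetical, and only the plain $name macro form and space-free -o values are handled.

```python
import re
# Constructed sample files modelled on the settings quoted in this thread.
MAIN_CF = """\
submit_sender_restrictions =
    reject_sender_login_mismatch
smtpd_sender_login_maps = proxy:mysql:/etc/postfix/mysql_sender_login_maps.cf
"""
MASTER_CF = """\
smtp       inet n - n - - smtpd
    -o content_filter=filter:dummy
submission inet n - n - - smtpd
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_sender_restrictions=$submit_sender_restrictions
smtps      inet n - n - - smtpd
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_client_restrictions=permit_sasl_authenticated,reject
"""

def logical_lines(text):
    """Join continuation lines (leading whitespace); drop comments and blanks."""
    out = []
    for raw in text.splitlines():
        if raw.strip() and not raw.lstrip().startswith("#"):
            if raw[0].isspace() and out:
                out[-1] += " " + raw.strip()
            else:
                out.append(raw.strip())
    return out

def audit(main_text, master_text):
    """Return {service: [findings]} for every smtpd service in master.cf."""
    main = dict(re.split(r"\s*=\s*", l, maxsplit=1) for l in logical_lines(main_text))
    # Assumption: only the plain $name form is expanded, one level deep.
    expand = lambda v: re.sub(r"\$(\w+)", lambda m: main.get(m.group(1), ""), v)
    report = {}
    for fields in map(str.split, logical_lines(master_text)):
        if len(fields) < 8 or fields[7] != "smtpd":
            continue
        opts = dict(a.split("=", 1) for a in fields[8:] if "=" in a)
        get = lambda name: expand(opts.get(name, main.get(name, "")))
        sasl = get("smtpd_sasl_auth_enable") == "yes"
        checks = " ".join(get(f"smtpd_{kind}_restrictions")
                          for kind in ("client", "helo", "sender", "recipient"))
        findings = []
        if sasl and fields[0].rsplit(":", 1)[-1] in ("smtp", "25"):
            findings.append("SASL enabled on port 25")
        if sasl and not re.search(r"reject_(authenticated_)?sender_login_mismatch", checks):
            findings.append("SASL enabled without a sender/login mismatch check")
        report[fields[0]] = findings
    return report
```

In the constructed sample, the smtps service sets its restrictions inline rather than through the submit_* macros, so it is the only service reported.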