On 4/15/14, 2:50 PM, Noel Jones wrote:
> On 4/15/2014 2:27 PM, List wrote:
>> I am running postfix 2.6.6 and trying to set up check_client_access
>> using a mysql lookup under the smtpd_client_restrictions, which does
>> not appear to be rejecting clients when the query returns "REJECT"
>> (which has been confirmed to return "REJECT" using postmap -q xxx
>> mysql:..).  When I change it to look at a hash file with the same
>> IP/REJECT entry it works perfectly, so I am wondering is using a
>> mysql lookup not supported for check_client_access under
>> smtpd_client_restrictions?
>
> Yes, it's supported.  You've not given sufficient information for us
> to identify your mistake.
>
>
>   -- Noel Jones


Hopefully this is what you're looking for.

postconf -n:

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
default_destination_recipient_limit = 1000
default_process_limit = 1000
html_directory = no
inet_interfaces = all
inet_protocols = all
mail_owner = postfix
mailbox_size_limit = 52224000
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
message_size_limit = 52224000
mydestination = $myhostname, localhost.$mydomain, localhost
myhostname = server.domain.tld
mynetworks = $config_directory/mynetworks
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES
relayhost = relay.domain.tld
sample_directory = /usr/share/doc/postfix-2.6.6/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_data_done_timeout = 900s
smtp_data_init_timeout = 900s
smtp_data_xfer_timeout = 900s
smtp_helo_timeout = 900s
smtp_mail_timeout = 900s
smtp_tls_note_starttls_offer = yes
smtpd_client_event_limit_exceptions = static:all
smtpd_client_restrictions = check_client_access mysql:/etc/postfix/access_check.cf
smtpd_delay_reject = no
smtpd_helo_required = yes
smtpd_recipient_restrictions = check_policy_service inet:127.0.0.1:10000, check_client_access mysql:/etc/postfix/authb4smtp.cf, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = reject_unknown_sender_domain, reject_non_fqdn_sender, permit
smtpd_tls_auth_only = no
smtpd_tls_cert_file = /etc/pki/tls/certs/postfix.crt
smtpd_tls_key_file = /etc/pki/tls/private/postfix.key
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_tls_cache
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 550

postconf -m

btree
cidr
environ
hash
ldap
mysql
nis
pcre
proxy
regexp
static
unix

check_access.cf query:

SELECT COALESCE( (SELECT "REJECT" FROM harvesters h WHERE h.ip = '%s' AND h.added BETWEEN DATE_SUB(NOW(), INTERVAL 30 MINUTE) AND NOW() GROUP BY h.ip HAVING COUNT(h.ip) > 1), "DUNNO")
