On 4/15/2014 3:25 PM, List wrote:
> On 4/15/14, 3:12 PM, Noel Jones wrote:
>> On 4/15/2014 3:02 PM, List wrote:
>>> On 4/15/14, 2:50 PM, Noel Jones wrote:
>>>> On 4/15/2014 2:27 PM, List wrote:
>>>>> I am running postfix 2.6.6 and trying to set up check_client_access
>>>>> using a mysql lookup under the smtpd_client_restrictions, which does
>>>>> not appear to be rejecting clients when the query returns "REJECT"
>>>>> (which has been confirmed to return "REJECT" using postmap -q xxx
>>>>> mysql:..).  When I change it to look at a hash file with the same
>>>>> IP/REJECT entry it works perfectly, so I am wondering is using a
>>>>> mysql lookup not supported for check_client_access under
>>>>> smtpd_client_restrictions?
>>>>>
>>>> Yes, it's supported.  You've not given sufficient information for us
>>>> to identify your mistake.
>>>>
>>>>
>>>>     -- Noel Jones
>>>>
>>> Hopefully this is what you're looking for.
>>>
>>> postconf -n:
>>>
>>> alias_database = hash:/etc/aliases
>>> alias_maps = hash:/etc/aliases
>>> broken_sasl_auth_clients = yes
>>> command_directory = /usr/sbin
>>> config_directory = /etc/postfix
>>> daemon_directory = /usr/libexec/postfix
>>> data_directory = /var/lib/postfix
>>> debug_peer_level = 2
>>> default_destination_recipient_limit = 1000
>>> default_process_limit = 1000
>>> html_directory = no
>>> inet_interfaces = all
>>> inet_protocols = all
>>> mail_owner = postfix
>>> mailbox_size_limit = 52224000
>>> mailq_path = /usr/bin/mailq.postfix
>>> manpage_directory = /usr/share/man
>>> message_size_limit = 52224000
>>> mydestination = $myhostname, localhost.$mydomain, localhost
>>> myhostname = server.domain.tld
>>> mynetworks = $config_directory/mynetworks
>>> newaliases_path = /usr/bin/newaliases.postfix
>>> queue_directory = /var/spool/postfix
>>> readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES
>>> relayhost = relay.domain.tld
>>> sample_directory = /usr/share/doc/postfix-2.6.6/samples
>>> sendmail_path = /usr/sbin/sendmail.postfix
>>> setgid_group = postdrop
>>> smtp_data_done_timeout = 900s
>>> smtp_data_init_timeout = 900s
>>> smtp_data_xfer_timeout = 900s
>>> smtp_helo_timeout = 900s
>>> smtp_mail_timeout = 900s
>>> smtp_tls_note_starttls_offer = yes
>>> smtpd_client_event_limit_exceptions = static:all
>>> smtpd_client_restrictions = check_client_access mysql:/etc/postfix/access_check.cf
>>> smtpd_delay_reject = no
>>> smtpd_helo_required = yes
>>> smtpd_recipient_restrictions = check_policy_service inet:127.0.0.1:10000,  check_client_access mysql:/etc/postfix/authb4smtp.cf,  permit_mynetworks, permit_sasl_authenticated,  reject_unauth_destination
>>> smtpd_sasl_auth_enable = yes
>>> smtpd_sasl_path = private/auth
>>> smtpd_sasl_security_options = noanonymous
>>> smtpd_sasl_type = dovecot
>>> smtpd_sender_restrictions = reject_unknown_sender_domain, reject_non_fqdn_sender,  permit
>>> smtpd_tls_auth_only = no
>>> smtpd_tls_cert_file = /etc/pki/tls/certs/postfix.crt
>>> smtpd_tls_key_file = /etc/pki/tls/private/postfix.key
>>> smtpd_tls_loglevel = 1
>>> smtpd_tls_received_header = yes
>>> smtpd_tls_security_level = may
>>> smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_tls_cache
>>> smtpd_tls_session_cache_timeout = 3600s
>>> tls_random_source = dev:/dev/urandom
>>> unknown_local_recipient_reject_code = 550
>>>
>>> postconf -m
>>>
>>> btree
>>> cidr
>>> environ
>>> hash
>>> ldap
>>> mysql
>>> nis
>>> pcre
>>> proxy
>>> regexp
>>> static
>>> unix
>>>
>>> check_access.cf query:
>>>
>>> SELECT COALESCE( (SELECT "REJECT" FROM harvesters h WHERE h.ip =
>>> '%s' AND h.added BETWEEN DATE_SUB(NOW(), INTERVAL 30 MINUTE) AND
>>> NOW() GROUP BY h.ip HAVING COUNT(h.ip) > 1), "DUNNO")
>>>
>>
>> How are you testing this?
>>
>>
>>
>>    -- Noel Jones
>>
> 
> postmap -q 'x.x.x.x' mysql:/etc/postfix/access_check.cf
> 

Hostname lookups are done before IP lookups.  If the hostname lookup
returns "DUNNO", the lookup stops and postfix moves on to the next
restriction.  The name lookup must return nothing.



  -- Noel Jones
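
Added example, not part of the thread or of Postfix: a simplified Python model of the lookup order described in the reply above. It shows why a table that answers every key with "DUNNO" never reaches the IP key, even though a `postmap -q` test of the IP alone returns "REJECT". The function names, hostname and addresses are constructed, and the parent-domain key form is an assumption (in Postfix it depends on parent_domain_matches_subdomains).

```python
# Simplified model of check_client_access key order (see access(5)):
# client hostname and its parent domains first, then the IP address and
# its leading octets. The first key that returns ANY value ends the search.

# Constructed sample data: IPs the harvesters query would flag.
FLAGGED_IPS = {"192.0.2.10"}


def coalesce_map(key):
    """Models the posted query: COALESCE(..., "DUNNO") answers every key."""
    return "REJECT" if key in FLAGGED_IPS else "DUNNO"


def rows_only_map(key):
    """Models the same query without COALESCE: no row means no result."""
    return "REJECT" if key in FLAGGED_IPS else None


def client_lookup_keys(hostname, ip):
    """Yield lookup keys in the order the restriction tries them."""
    labels = hostname.split(".")
    yield hostname
    for i in range(1, len(labels)):          # parent domains (assumed form)
        yield "." + ".".join(labels[i:])
    octets = ip.split(".")
    for n in range(4, 0, -1):                # 192.0.2.10, 192.0.2, 192.0, 192
        yield ".".join(octets[:n])


def check_client_access(table, hostname, ip):
    """Return (result, matching_key); (None, None) means no key matched."""
    for key in client_lookup_keys(hostname, ip):
        result = table(key)
        if result is not None:
            return result, key
    return None, None


if __name__ == "__main__":
    client = ("mail.example.com", "192.0.2.10")   # constructed client
    # What `postmap -q <ip>` exercises: the IP key alone.
    print("postmap-style:", coalesce_map(client[1]))
    print("coalesce map: ", check_client_access(coalesce_map, *client))
    print("rows-only map:", check_client_access(rows_only_map, *client))
```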
