On Thu, Feb 19, 2009 at 9:02 AM, Rocco Scappatura <rocco.scappat...@infracom.it> wrote:
> Thanks Peter,
>
>> > My aim, anyway, is to apply such a policy for outgoing messages
>> > (including internal-to-internal messages). So I have to define a group
>> > which contains the IPs enabled for relay through my mail server.
>>
>> smtpd_end_of_data_restrictions = check_policy_service inet:foo:12345
>>
>> Postfix will send something like:
>>
>> request=smtpd_access_policy
>> protocol_state=END-OF-MESSAGE
>> protocol_name=ESMTP
>> client_address=1.2.3.4
>> client_name=4.3.2.1.rfc1918.com
>> reverse_client_name=4.3.2.1.rfc1918.com
>> helo_name=[1.2.3.4]
>> sender=sen...@example.com
>> recipient...@domain.org
>> recipient_count=1
>> instance=581.4821e789.60a46.0
>> size=500
>> etrn_domain=
>> sasl_method=PLAIN
>> sasl_username=sen...@example.com
>> sasl_sender=
>> ccert_subject=
>> ccert_issuer=
>> ccert_fingerprint=
>> encryption_protocol=
>> encryption_cipher=
>> encryption_keysize=0
>
> What do you mean? When Postfix sends the values above?

That's an example payload from postfix to a policy server at the end-of-message section (when the client sends a "\r\n.\r\n"). My suggestion assumes that a simple policy server acts as the outbound throttle. It can reference whatever backend suits you.

>> Take the "sasl_username", and use it as a key to lookup the number of
>> messages sent in your homebrew database. Then add an entry with a
>> count equal to "recipient_count". If the number < some pre-defined
>> threshold within time period, then allow it. Otherwise reject it with
>> some meaningful text.
>
> How do I "take" the "sasl_username"? So your solution assumes that
> anybody uses sasl? This is not in general true..

True. But you can be creative, and employ a policy like:

* SASL auth'd users can send X messages per T period
* Unauth'd users are keyed to their IP, so that IP can send X messages per T period
* whatever, whatever, etc. etc.

> I have no fields that maintain the number of messages sent for each
> mailbox. Anyway, from my IPs there are users that use their own email
> addresses as sender for outgoing email (i.e.: email address in domains
> other than mine). With your solution I can't manage such situations..

Ok, without your DB schema, I'm left to my imagination. The thing is that you can use any unique identifier. In my scenario, the sasl username + FQDN is unique enough, so it doesn't matter what domain the user is in. And, if you support domainless authentication, you can always code in a provision that authentications without a "@" have a certain domain name appended, etc etc.

> Anyway, I thought to some mechanism to point out an email as outgoing
> and then to input it to the policyd server.. It is possible to implement
> such a mechanism?

Sorry, I'm missing your point here.

-P
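The throttle Peter sketches, as an added example that is not code from this thread: it parses the "name=value" request Postfix sends to a check_policy_service, keys SASL users by username and everyone else by client IP, sums recipient_count over a time window, and returns the "action=" reply. The thresholds, the domain appended to domainless logins and the in-memory store are assumptions; the real database the thread discusses would replace the latter.

```python
import time
from collections import defaultdict, deque

# Assumed policy: at most MAX_RECIPIENTS recipients per key per window.
MAX_RECIPIENTS = 100
WINDOW_SECONDS = 3600
# Assumed domain appended to SASL logins that carry no "@".
DEFAULT_DOMAIN = "example.com"

# In-memory stand-in for the database: key -> deque of (timestamp, recipient_count).
_sent = defaultdict(deque)

# Constructed sample request, shaped like the Postfix policy payload above.
SAMPLE_REQUEST = (
    "request=smtpd_access_policy\n"
    "protocol_state=END-OF-MESSAGE\n"
    "client_address=1.2.3.4\n"
    "sasl_username=sender@example.com\n"
    "recipient_count=1\n"
    "\n"
)


def parse_request(raw):
    """Parse one policy request: 'name=value' lines terminated by an empty line."""
    attrs = {}
    for line in raw.split("\n"):
        if line == "":
            break
        name, _, value = line.partition("=")
        attrs[name] = value
    return attrs


def throttle_key(attrs):
    """SASL-authenticated senders are keyed by username, unauthenticated ones by IP."""
    user = attrs.get("sasl_username", "")
    if user:
        return "user:" + (user if "@" in user else user + "@" + DEFAULT_DOMAIN)
    return "ip:" + attrs.get("client_address", "unknown")


def decide(attrs, now=None):
    """Return the reply Postfix expects; only END-OF-MESSAGE requests are counted."""
    if attrs.get("protocol_state") != "END-OF-MESSAGE":
        return "action=DUNNO\n\n"
    now = time.time() if now is None else now
    entries = _sent[throttle_key(attrs)]
    while entries and entries[0][0] < now - WINDOW_SECONDS:  # drop expired entries
        entries.popleft()
    count = int(attrs.get("recipient_count", "1"))
    if sum(c for _, c in entries) + count > MAX_RECIPIENTS:
        return "action=REJECT Outbound message limit exceeded, try again later\n\n"
    entries.append((now, count))  # record only messages actually accepted
    return "action=DUNNO\n\n"
```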