THREAD KILLED: Documentation (was: serious bug with check_client_access)

2010-11-04 Thread Victor Duchovni
On Thu, Nov 04, 2010 at 05:02:25PM +0100, Vincent Lefevre wrote: I still think that it's a bit ambiguous, because I was seeing .domain.tld as a subcase of domain.tld This objection is spurious, and constitutes trolling. Please do not feed the trolls. For the record, elementary logic: If

Re: serious bug with check_client_access

2010-11-04 Thread Vincent Lefevre
On 2010-11-04 17:18:17 +0100, mouss wrote: otherwise, you can do whatever you want with pcre: /\.example\.com$/OK or with sql or ldap. For pcre, the man page is not clear. It says: Each pattern is a regular expression that is applied to the entire string being looked up.

Re: serious bug with check_client_access

2010-11-04 Thread Stan Hoeppner
, or an entire mail address? check_client_access pcre:/etc/postfix/filter.pcre check_sender_access pcre:/etc/postfix/filter.pcre check_recipient_access pcre:/etc/postfix/filter.pcre As you can see, this is defined by the smtpd_foo_restriction you target the PCRE table with. What is checked

Re: serious bug with check_client_access

2010-11-04 Thread Vincent Lefevre
On 2010-11-04 19:06:57 -0500, Stan Hoeppner wrote: check_client_access pcre:/etc/postfix/filter.pcre check_sender_access pcre:/etc/postfix/filter.pcre check_recipient_access pcre:/etc/postfix/filter.pcre As you can see, this is defined by the smtpd_foo_restriction you target

Re: serious bug with check_client_access

2010-11-04 Thread Wietse Venema
Vincent Lefevre: On 2010-11-04 19:06:57 -0500, Stan Hoeppner wrote: check_client_access pcre:/etc/postfix/filter.pcre check_sender_access pcre:/etc/postfix/filter.pcre check_recipient_access pcre:/etc/postfix/filter.pcre As you can see, this is defined by the smtpd_foo_restriction

Re: serious bug with check_client_access

2010-11-04 Thread Jeroen Geilman
On 11/05/2010 01:26 AM, Vincent Lefevre wrote: On 2010-11-04 19:06:57 -0500, Stan Hoeppner wrote: check_client_access pcre:/etc/postfix/filter.pcre check_sender_access pcre:/etc/postfix/filter.pcre check_recipient_access pcre:/etc/postfix/filter.pcre As you can see

Re: serious bug with check_client_access

2010-11-04 Thread Vincent Lefevre
On 2010-11-04 20:33:11 -0400, Wietse Venema wrote: check_client_access searches the address and domain with ALL lookup table types. It just doesn't do the substring lookups with PCRE, REGEXP and CIDR. If I understand correctly, there's another difference: in the default table format

Re: serious bug with check_client_access

2010-11-04 Thread Vincent Lefevre
names look like IP addresses to you ? If check_client_access matches against both IPs and hostnames, then your regex table will match against both IPs and hostnames. This is not what the documentation says: Depending on the application, that string is an entire client hostname, an entire

Re: serious bug with check_client_access

2010-11-04 Thread Jeroen Geilman
have seen that I quoted from it. And yet you didn't understand what it says. It bears repeating. How many domain names look like IP addresses to you ? If check_client_access matches against both IPs and hostnames, then your regex table will match against both IPs and hostnames

Re: serious bug with check_client_access

2010-11-04 Thread Vincent Lefevre
On 2010-11-05 02:29:53 +0100, Jeroen Geilman wrote: If you combine Each pattern is a regular expression that is applied to the entire string being looked up. with * check_client_access /type:table http://www.postfix.org/DATABASE_README.html/* Search the specified access

Re: serious bug with check_client_access

2010-11-04 Thread Reinaldo de Carvalho
On Thu, Nov 4, 2010 at 10:42 PM, Reinaldo de Carvalho reinal...@gmail.com wrote: check_client_access type:table    Search the specified access database for the client hostname, parent domains, client IP address, or networks obtained by stripping least significant octets. See the access(5

Re: serious bug with check_client_access

2010-11-04 Thread Stan Hoeppner
Vincent Lefevre put forth on 11/4/2010 7:49 PM: On 2010-11-04 20:33:11 -0400, Wietse Venema wrote: check_client_access searches the address and domain with ALL lookup table types. It just doesn't do the substring lookups with PCRE, REGEXP and CIDR. If I understand correctly, there's another

Re: serious bug with check_client_access

2010-11-04 Thread Vincent Lefevre
On 2010-11-04 23:06:17 -0300, Reinaldo de Carvalho wrote: On Thu, Nov 4, 2010 at 10:42 PM, Reinaldo de Carvalho reinal...@gmail.com wrote: check_client_access type:table    Search the specified access database for the client hostname, parent domains, client IP address, or networks

Re: serious bug with check_client_access

2010-11-04 Thread Reinaldo de Carvalho
On Thu, Nov 4, 2010 at 11:13 PM, Vincent Lefevre vinc...@vinc17.net wrote: On 2010-11-04 23:06:17 -0300, Reinaldo de Carvalho wrote: On Thu, Nov 4, 2010 at 10:42 PM, Reinaldo de Carvalho reinal...@gmail.com wrote: check_client_access type:table    Search the specified access database

Re: serious bug with check_client_access

2010-11-04 Thread mouss
: - the map type - the search context (check_client_access, check_sender_access, ... transport, virtual_alias_maps, ... etc) - the list of search keys for each combination, a search list is derived: for each key, sub-keys are derived (whether this occurs and how depends on the map type context

serious bug with check_client_access

2010-11-03 Thread Vincent Lefevre
Hi, It seems that I've found a serious bug in check_client_access (or something is missing in the documentation). A message was blocked with the following in the log: Nov 3 21:16:55 ioooi postfix/smtpd[15423]: NOQUEUE: reject: RCPT from mx003.twitter.com[128.121.146.152]: 554 5.7.1 Service

Re: serious bug with check_client_access

2010-11-03 Thread Wietse Venema
Vincent Lefevre: As .twitter.com matches subdomains, it should have matched What documentation supports this?

Re: serious bug with check_client_access

2010-11-03 Thread Vincent Lefevre
On 2010-11-03 22:00:21 -0400, Wietse Venema wrote: Vincent Lefevre: As .twitter.com matches subdomains, it should have matched What documentation supports this? The access(5) man page says: domain.tld Matches domain.tld. The pattern domain.tld also matches

Re: serious bug with check_client_access

2010-11-03 Thread /dev/rob0
On Thu, Nov 04, 2010 at 03:08:03AM +0100, Vincent Lefevre wrote: On 2010-11-03 22:00:21 -0400, Wietse Venema wrote: Vincent Lefevre: As .twitter.com matches subdomains, it should have matched What documentation supports this? The access(5) man page says: domain.tld

Re: serious bug with check_client_access

2010-11-03 Thread Vincent Lefevre
On 2010-11-03 21:21:24 -0500, /dev/rob0 wrote: On Thu, Nov 04, 2010 at 03:08:03AM +0100, Vincent Lefevre wrote: On 2010-11-03 22:00:21 -0400, Wietse Venema wrote: Vincent Lefevre: As .twitter.com matches subdomains, it should have matched What documentation supports this? The

Re: serious bug with check_client_access

2010-11-03 Thread Noel Jones
On 11/3/2010 9:36 PM, Vincent Lefevre wrote: On 2010-11-03 21:21:24 -0500, /dev/rob0 wrote: On Thu, Nov 04, 2010 at 03:08:03AM +0100, Vincent Lefevre wrote: On 2010-11-03 22:00:21 -0400, Wietse Venema wrote: Vincent Lefevre: As .twitter.com matches subdomains, it should have matched What

Re: serious bug with check_client_access

2010-11-03 Thread /dev/rob0
On Thu, Nov 04, 2010 at 03:36:30AM +0100, Vincent Lefevre wrote: On 2010-11-03 21:21:24 -0500, /dev/rob0 wrote: On Thu, Nov 04, 2010 at 03:08:03AM +0100, Vincent Lefevre wrote: On 2010-11-03 22:00:21 -0400, Wietse Venema wrote: Vincent Lefevre: As .twitter.com matches subdomains, it

Re: serious bug with check_client_access

2010-11-03 Thread Sahil Tandon
On Thu, 2010-11-04 at 03:36:30 +0100, Vincent Lefevre wrote: On 2010-11-03 21:21:24 -0500, /dev/rob0 wrote: On Thu, Nov 04, 2010 at 03:08:03AM +0100, Vincent Lefevre wrote: On 2010-11-03 22:00:21 -0400, Wietse Venema wrote: Vincent Lefevre: As .twitter.com matches subdomains, it

Re: serious bug with check_client_access

2010-11-03 Thread Vincent Lefevre
On 2010-11-03 21:44:00 -0500, /dev/rob0 wrote: On Thu, Nov 04, 2010 at 03:36:30AM +0100, Vincent Lefevre wrote: On 2010-11-03 21:21:24 -0500, /dev/rob0 wrote: On Thu, Nov 04, 2010 at 03:08:03AM +0100, Vincent Lefevre wrote: On 2010-11-03 22:00:21 -0400, Wietse Venema wrote: Vincent

Re: serious bug with check_client_access

2010-11-03 Thread Vincent Lefevre
On 2010-11-03 21:40:54 -0500, Noel Jones wrote: .domain.tld only works if parent_domain_matches_subdomains does NOT include smtpd_access maps. The man page says nothing like that. So, the documentation should be fixed. -- Vincent Lefèvre vinc...@vinc17.net - Web: http://www.vinc17.net/ 100%

Re: serious bug with check_client_access

2010-11-03 Thread Noel Jones
On 11/3/2010 10:00 PM, Vincent Lefevre wrote: On 2010-11-03 21:40:54 -0500, Noel Jones wrote: .domain.tld only works if parent_domain_matches_subdomains does NOT include smtpd_access maps. The man page says nothing like that. So, the documentation should be fixed. The vast majority of

Re: serious bug with check_client_access

2010-11-03 Thread Vincent Lefevre
On 2010-11-03 22:16:48 -0500, Noel Jones wrote: On 11/3/2010 10:00 PM, Vincent Lefevre wrote: On 2010-11-03 21:40:54 -0500, Noel Jones wrote: .domain.tld only works if parent_domain_matches_subdomains does NOT include smtpd_access maps. The man page says nothing like that. So, the

Re: serious bug with check_client_access

2010-11-03 Thread Noel Jones
On 11/3/2010 10:50 PM, Vincent Lefevre wrote: Actually if a documentation is incorrect/incomplete, it is a bug in the documentation. And FYI, the consequence was a lost mail. So, this is quite serious. I'm so sorry you lost your twitter post. The access map format you're looking for is

Re: serious bug with check_client_access

2010-11-03 Thread Vincent Lefevre
On 2010-11-03 22:55:59 -0500, Noel Jones wrote: I'm so sorry you lost your twitter post. Actually I might have lost other mail (though this is a bit unlikely) since I was generally using an initial dot. The access map format you're looking for is twitter.com OK Thanks for the information.

Re: serious bug with check_client_access

2010-11-03 Thread Noel Jones
On 11/3/2010 11:07 PM, Vincent Lefevre wrote: BTW, so, there is no way to match only subdomains (by that, I mean all possible subdomains, but not the domain itself) without changing parent_domain_matches_subdomains? That's correct with indexed tables. With regexp or pcre tables there is no

trouble on my rules check_client_access hash:/etc/postfix/acces_client

2010-06-24 Thread fakessh
hello ladies and gents I do not know if I am in error or in the real i a file check_client_access hash:/etc/postfix/acces_client cat /etc/postfix/acces_client mx3.mail2000.com.tw REJECT mx2.mail2000.com.tw REJECT mx2.mail.tw.yahoo.com REJECT I forbid the property

Re: trouble on my rules check_client_access hash:/etc/postfix/acces_client

2010-06-24 Thread fakessh
On Thu, 24 Jun 2010 10:09:35 +0200, fakessh fake...@fakessh.eu wrote: hello ladies and gents I do not know if I am in error or in the real i a file check_client_access hash:/etc/postfix/acces_client cat /etc/postfix/acces_client mx3.mail2000.com.tw REJECT mx2.mail2000.com.tw

Re: trouble on my rules check_client_access hash:/etc/postfix/acces_client

2010-06-24 Thread fakessh
On Thu, 24 Jun 2010 11:03:18 +0200, fakessh fake...@fakessh.eu wrote: On Thu, 24 Jun 2010 10:09:35 +0200, fakessh fake...@fakessh.eu wrote: hello ladies and gents I do not know if I am in error or in the real i a file check_client_access hash:/etc/postfix/acces_client cat /etc/postfix

Multiple check_client_access in smtpd_recipient_restrictions?

2009-10-22 Thread Harakiri
Hi, the documentation wasn't clear about this. Is it possible to use multiple check_client_access in smtpd_recipient_restrictions? i.e (example). smtpd_recipient_restrictions = permit_mynetworks reject_unauth_destination check_client_access pcre:/etc/postfix/rbl_checks

Re: Multiple check_client_access in smtpd_recipient_restrictions?

2009-10-22 Thread Noel Jones
On 10/22/2009 5:33 AM, Harakiri wrote: Hi, the documentation wasn't clear about this. Is it possible to use multiple check_client_access in smtpd_recipient_restrictions? i.e (example). smtpd_recipient_restrictions = permit_mynetworks reject_unauth_destination check_client_access pcre

Re: log check_client_access

2009-08-25 Thread mouss
Martijn de Munnik a écrit : On Aug 24, 2009, at 8:31 PM, Martijn de Munnik wrote: On Aug 24, 2009, at 7:57 PM, /dev/rob0 wrote: On Monday 24 August 2009 12:43:16 Martijn de Munnik wrote: How can I write a message to syslog when a check_client_access rule matches? See the WARN result

log check_client_access

2009-08-24 Thread Martijn de Munnik
Hi, How can I write a message to syslog when a check_client_access rule matches? thanks, Martijn

Re: log check_client_access

2009-08-24 Thread /dev/rob0
On Monday 24 August 2009 12:43:16 Martijn de Munnik wrote: How can I write a message to syslog when a check_client_access rule matches? See the WARN result. If you mean that you want to log and to trigger some other action, do note that REJECT and DEFER results are logged anyway. If you're

Re: log check_client_access

2009-08-24 Thread Martijn de Munnik
On Aug 24, 2009, at 7:57 PM, /dev/rob0 wrote: On Monday 24 August 2009 12:43:16 Martijn de Munnik wrote: How can I write a message to syslog when a check_client_access rule matches? See the WARN result. If you mean that you want to log and to trigger some other action, do note that REJECT

Re: log check_client_access

2009-08-24 Thread Martijn de Munnik
On Aug 24, 2009, at 8:31 PM, Martijn de Munnik wrote: On Aug 24, 2009, at 7:57 PM, /dev/rob0 wrote: On Monday 24 August 2009 12:43:16 Martijn de Munnik wrote: How can I write a message to syslog when a check_client_access rule matches? See the WARN result. If you mean that you want

Re: check_client_access

2009-02-01 Thread mouss
check_client_access. your question was about check_sender_access, and your explanation was about a receiver. That's 3 different things... PS. it would be safer to put your check_sender_access in smtpd_sender_restrictions so that an error in your sql query doesn't make you an open relay.

Re: check_client_access

2009-02-01 Thread mouss
, # postmap -q st...@receiver.tld proxy:mysql:/etc/postfix/mysql-check-sender-access.cf REJECT you also need to make your mind: the subject contains check_client_access. your question was about check_sender_access, OK. Sorry I have wrong my subject.. and your explanation was about a receiver

Re: check_client_access

2009-02-01 Thread mouss
= check_client_access proxy:mysql:/etc/postfix/mysql-check-client-filter-access.cf smtpd_helo_restrictions = smtpd_sender_restrictions = smtpd_recipient_restrictions = check_sender_access proxy:mysql:/etc/postfix/mysql-check-sender-access.cf check_recipient_access proxy:mysql:/etc/postfix/mysql

Re: check_client_access

2009-02-01 Thread Rocco Scappatura
*_access after reject_unauth_destination in smtpd_recipient_restrictions, or to put them in other restrictions (latter if you want them to apply to both inbound and outbound mail). This is the restrictions in my main.cf file: smtpd_client_restrictions = check_client_access proxy:mysql:/etc/postfix

Re: check_client_access

2009-02-01 Thread Rocco Scappatura
How do I have to modify it so that I could block an email address either if is the sender or one of the recipients, AND either if the message is incoming or outgoing? Maybe so (assuming that the action will never be OK)... smtpd_client_restrictions = check_client_access proxy:mysql

Re: check_client_access

2009-02-01 Thread Rocco Scappatura
mind: the subject contains check_client_access. your question was about check_sender_access, OK. Sorry I have wrong my subject.. and your explanation was about a receiver. That's 3 different things... So.. What I have to do to block a message based on the receiver? PS. it would be safer to put

Re: check_client_access

2009-02-01 Thread Rocco Scappatura
Sorry, How do I have to modify it so that I could block an email address either if is the sender or one of the recipients, AND either if the message is incoming or outgoing? Maybe so (assuming that the action will never be OK)... smtpd_client_restrictions = check_client_access

Re: check_client_access

2009-02-01 Thread mouss
= check_client_access proxy:mysql:/etc/postfix/mysql-check-client-filter-access.cf smtpd_helo_restrictions = smtpd_sender_restrictions = check_sender_access proxy:mysql:/etc/postfix/mysql-check-sender-access.cf check_recipient_access proxy:mysql:/etc/postfix/mysql-check-sender

Re: check_client_access

2009-02-01 Thread Rocco Scappatura
Mouss, How do I have to modify it so that I could block an email address either if is the sender or one of the recipients, AND either if the message is incoming or outgoing? Maybe so (assuming that the action will never be OK)... smtpd_client_restrictions = check_client_access

check_client_access

2009-01-31 Thread Rocco Scappatura
In smtpd_recipient_restrictions I put as first line: check_sender_access proxy:mysql:/etc/postfix/mysql-check-sender-access.cf The check looks up the database for an address or a domain and returns an action (OK, REJECT, and so on). Last day my server receives a lot of messages for an email

Re: check_client_access

2009-01-31 Thread Rocco Scappatura
smtpd_client_message_rate_limit = 60 smtpd_client_recipient_rate_limit = 250 smtpd_client_restrictions = check_client_access proxy:mysql:/etc/postfix/mysql-check-client-filter-access.cf smtpd_end_of_data_restrictions = check_policy_service inet:127.0.0.1:10031 smtpd_helo_restrictions

Re: Having problems with smtpd_client_restrictions=check_client_access

2008-08-28 Thread mouss
-cleanup -o message_size_limit=1024 -o smtpd_client_restrictions=check_client_access hash:/etc/postfix/printer_access The contents of printer_access is: 10.169OK 10.219OK 10 REJECT I don't think it should matter where the REJECT line is, but I have tried both

Having problems with smtpd_client_restrictions=check_client_access

2008-08-27 Thread Rob Tanner
=check_client_access hash:/etc/postfix/printer_access The contents of printer_access is: 10.169OK 10.219OK 10 REJECT I don't think it should matter where the REJECT line is, but I have tried both in the first and the last position. When I try to telnet to port 2526 from a machine

Re: Whitelist a host using check_client_access before the rbl check?

2008-08-05 Thread Nicolas KOWALSKI
On Mon, Aug 04, 2008 at 02:40:54PM -0400, Brian Evans - Postfix List wrote: Nicolas KOWALSKI wrote: On Mon, Aug 04, 2008 at 12:29:34PM -0400, Brian Evans - Postfix List wrote: A *better* way is force them to Authenticate using SASL. See http://www.postfix.org/SASL_README.html Postfix

Whitelist a host using check_client_access before the rbl check?

2008-08-04 Thread Nicolas KOWALSKI
=ESMTP helo=demisel.dyndns.org Aug 4 14:17:18 petole postfix/smtpd[23545]: disconnect from 225.96.68-86.rev.gaoland.net[86.68.96.225] - I added the following line (full postconf -n below) to the smtpd_recipient_restrictions, before the rbl check: check_client_access hash:/etc/postfix

Re: Whitelist a host using check_client_access before the rbl check?

2008-08-04 Thread Charles Marcus
Let me give this one a try... I *think* i see the problem... On 8/4/2008, Nicolas KOWALSKI ([EMAIL PROTECTED]) wrote: Aug 4 14:17:18 petole postfix/smtpd[23545]: NOQUEUE: reject: RCPT from 225.96.68-86.rev.gaoland.net[86.68.96.225]: 554 5.7.1 Service unavailable; Client host [86.68.96.225]

Re: Whitelist a host using check_client_access before the rbl check?

2008-08-04 Thread Stan Hoeppner
Hello Nicolas, Try this: Remove 'check_client_access hash:/etc/postfix/client_access' from smtpd_recipient_restrictions. Add the following line in main.cf somewhere before/above smtpd_recipient_restrictions: smtpd_client_restrictions = hash:/etc/postfix/client_access And make sure you

Re: Whitelist a host using check_client_access before the rbl check?

2008-08-04 Thread Nicolas KOWALSKI
On Mon, Aug 04, 2008 at 08:58:01AM -0400, Charles Marcus wrote: Let me give this one a try... I *think* i see the problem... On 8/4/2008, Nicolas KOWALSKI ([EMAIL PROTECTED]) wrote: Aug 4 14:17:18 petole postfix/smtpd[23545]: NOQUEUE: reject: RCPT from

Re: Whitelist a host using check_client_access before the rbl check?

2008-08-04 Thread Brian Evans - Postfix List
what it returns yourself with 'host 86.68.96.225' In your case, the client address was 225.96.68-86.rev.gaoland.net (which is an unqualified RDNS entry for a dynamic pool). This is the value that check_client_access can find (either name or IP) The client said 'EHLO demisel.dyndns.org

Re: Whitelist a host using check_client_access before the rbl check?

2008-08-04 Thread Nicolas KOWALSKI
and does a lookup on that IP. See what it returns yourself with 'host 86.68.96.225' In your case, the client address was 225.96.68-86.rev.gaoland.net (which is an unqualified RDNS entry for a dynamic pool). This is the value that check_client_access can find (either name or IP) Ok, I think I get

Re: Whitelist a host using check_client_access before the rbl check?

2008-08-04 Thread Brian Evans - Postfix List
Brian Evans - Postfix List wrote: Nicolas KOWALSKI wrote: The client said 'EHLO demisel.dyndns.org'. This is the value that check_helo_access can find, though somewhat unreliable to whitelist. I apparently have no other choices to whitelist-before-rbl such a dynamic pool's host.

Re: Whitelist a host using check_client_access before the rbl check?

2008-08-04 Thread Nicolas KOWALSKI
On Mon, Aug 04, 2008 at 12:29:34PM -0400, Brian Evans - Postfix List wrote: Brian Evans - Postfix List wrote: Nicolas KOWALSKI wrote: The client said 'EHLO demisel.dyndns.org'. This is the value that check_helo_access can find, though somewhat unreliable to whitelist. I apparently have no

Re: Whitelist a host using check_client_access before the rbl check?

2008-08-04 Thread Brian Evans - Postfix List
Nicolas KOWALSKI wrote: On Mon, Aug 04, 2008 at 12:29:34PM -0400, Brian Evans - Postfix List wrote: A *better* way is force them to Authenticate using SASL. See http://www.postfix.org/SASL_README.html Postfix supports either Cyrus or Dovecot SASL. P.S. This is if you fully trust and

Re: check_client_access with MySQL lookup

2008-07-31 Thread Thiago Esteves
Policyd seems to have interesting features and it uses MySQL. I'll try it here. Thank you. I'm a Sys admin working here with FreeBSD, but I'm a Java developer too, so after I was noticed that postfix checks use a single variable (client, helo, sender, recipient), that I would not be able to do

Re:: check_client_access with MySQL lookup

2008-07-30 Thread Thiago Esteves
On Wed, Jul 30, 2008 at 4:23 PM, mouss [EMAIL PROTECTED] wrote: write a policy server (or use one that implements this). postfix checks use a single variable (client, helo, sender, recipient). you can't mix things. I'll try this way. anyway, if you find yourself whitelisting many

Re: check_client_access with MySQL lookup

2008-07-30 Thread Wietse Venema
If you want to control access with MySQL, try http://www.policy.org/ Wietse
