From: Kyle Dent (no email)
Date: Tue Dec 02 2003 - 08:31:23 EST
On Mon, 1 Dec 2003, Tom Allison wrote:
> Kyle Dent wrote:
> > On Mon, 1 Dec 2003 wrote:
> >
> >
> >>I've got a question about using a database for the access table.
> >>
> >>The intention is to, by default, REJECT or DEFER email while using a
> >>database for keeping a list of 'OK' addresses.
> >>
> >>Is the answer this simple:
> >>
> >>smtpd_helo_restrictions = postgresql:/etc/postfix/sql_access.cf... reject
> >>smtpd_sender_restrictions = postgresql:/etc/postfix/sql_access.cf... reject
> >>
> >>and to put the 'OK' addresses into the database?
> >
> > Only if the question is 'How do I create an open relay?' :-) You
> > cannot allow relaying based on any client-supplied info (other
> > than IP address). Look into SASL authentication or one of the
> > before-POP solutions. See http://www.postfix.org/docs.html.
> >
>
> I don't see how this has anything to do with open relays.
> ...
> I currently have
> ---
> smtpd_helo_required = yes
> smtpd_helo_restrictions = permit_mynetworks, reject_invalid_hostname
> smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination
> smtpd_sasl_auth_enable = no
> smtpd_sender_restrictions = hash:/etc/postfix/access
>     reject_unknown_sender_domain
>
> -----
> And was assuming that I could change the "hash:/etc/postfix/access"
> statement.
>
> Thinking about this further it might make sense to not have the access
> lookup on the HELO but only on the MAIL FROM (smtpd_sender_restrictions)
> portion of the UCE.

My apologies, looks like you're okay. It's a common impulse to
provide remote users relay access by whitelisting them based on
their sending addresses. It's also a common practice by some to
combine all restrictions into a single rule, which can create an
open relay if you whitelist sender addresses. Looks like you want
to permit certain addresses that would otherwise be rejected by
reject_unknown_sender_domain. You're okay as long as you keep
things ordered correctly. In your example, relay attempts will
still be rejected by your smtpd_recipient_restrictions rule.

Now I see that your question was more about using a relational
database instead of a Unix indexed file. Your PostgreSQL queries
must return exactly the same results as your hash tables do.
Which means that you need an OK value in your table. Test your
hash tables and PostgreSQL queries with postmap to make sure that
the results are identical.

> >
> >>Also, I didn't see many examples on the use of postgresql...
> >>Any suggestions on how best to use postgres for the database?
> >
> >
> > Works the same as MySQL if those examples help.
> >
>
> I should have been more specific.
> for a Berkeley DB you use the term "hash"
> for MySQL you use the term "mysql"
> What do you use for postgres?
>
It's pgsql. See the PGSQL_README readme file.
Kyle
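
Added example, not part of the original message and not Postfix code: a simplified Python model of first-match restriction evaluation, showing why a sender whitelist is harmless in its own smtpd_sender_restrictions list but opens relaying when folded into one combined list. The rule names are real Postfix restrictions (check_sender_access stands in for the access table lookup); all addresses, networks and domains are constructed, and the model ignores everything else Postfix does.

```python
# Simplified model of Postfix's first-match restriction evaluation.
# Added illustration, not Postfix code; all addresses below are constructed.
MYNETWORKS = {"192.0.2.10"}
LOCAL_DOMAINS = {"example.com"}                   # domains this server accepts mail for
SENDER_ACCESS = {"friend@partner.example": "OK"}  # stands in for the access table
RESOLVABLE = {"example.com", "example.net"}       # sender domains that "exist in DNS"

def domain(addr):
    return addr.rsplit("@", 1)[-1].lower()

def check(rule, s):
    """Return 'OK', 'REJECT', or None (no decision, try the next rule)."""
    if rule == "permit_mynetworks":
        return "OK" if s["client"] in MYNETWORKS else None
    if rule == "check_sender_access":
        return SENDER_ACCESS.get(s["sender"].lower())
    if rule == "reject_unknown_sender_domain":
        return None if domain(s["sender"]) in RESOLVABLE else "REJECT"
    if rule == "reject_unauth_destination":
        return None if domain(s["rcpt"]) in LOCAL_DOMAINS else "REJECT"
    raise ValueError(f"unmodelled restriction: {rule}")

def evaluate(rules, s):
    """First rule that returns a decision wins; an exhausted list permits."""
    for rule in rules:
        result = check(rule, s)
        if result is not None:
            return result
    return "OK"

def accepted(config, s):
    """Each list is evaluated on its own; a REJECT in any list refuses the mail."""
    return all(evaluate(rules, s) == "OK" for rules in config.values())

SEPARATE = {
    "smtpd_sender_restrictions": ["check_sender_access", "reject_unknown_sender_domain"],
    "smtpd_recipient_restrictions": ["permit_mynetworks", "reject_unauth_destination"],
}
COMBINED = {
    "smtpd_recipient_restrictions": ["permit_mynetworks", "check_sender_access",
                                     "reject_unknown_sender_domain", "reject_unauth_destination"],
}
# Outside client claiming the whitelisted sender, addressing a non-local recipient.
RELAY_TRY = {"client": "203.0.113.5", "sender": "friend@partner.example",
             "rcpt": "someone@elsewhere.example"}
# Same client and sender, mail for a local recipient (the intended use of the whitelist).
INBOUND = dict(RELAY_TRY, rcpt="user@example.com")

if __name__ == "__main__":
    for name, cfg in (("separate", SEPARATE), ("combined", COMBINED)):
        print(name, "relay:", accepted(cfg, RELAY_TRY), "inbound:", accepted(cfg, INBOUND))
```

With separate lists the whitelisted sender gets past reject_unknown_sender_domain for local delivery only; in the combined list the OK ends evaluation before reject_unauth_destination is reached.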