|Main Archive Page > Month Archives > postfix-users archives|
On 10/19/2011 3:30 PM, Daniel L. Miller wrote:
> On 10/19/2011 1:21 PM, Noel Jones wrote:
>> On 10/19/2011 3:06 PM, Daniel L. Miller wrote:
>>> How can I execute a policy service AFTER successful authentication
>>> or local sender verification?
>> Have your policy service check for existence of sasl_sender or
> If I use that in smtpd_sender_restrictions - where would I place
> it? If I place it AFTER "permit_sasl_authenticated" - that would
> mean my policy service is never called? If I place it BEFORE that
> check, by the time smtpd_sender_restrictions is evaluated, are the
> sasl_sender/sasl_username fields filled?
the check_policy_service would need to be the first check in some
smtpd_*_restrictions section. Depending on what you're doing it may
or may not matter which section.
> Is simply having a non-empty sasl_sender/sasl_username confirmation
> of successful sasl authentication - so the policy service doesn't
> have to perform any validation of the value beyond non-empty? Would
> sasl_method also be a valid test?
None of the policy service sasl_* fields will be populated without
> What about non-authenticated but valid local sender (via IP range).
> Would I do the check in smtpd_client_restrictions - and have the
> policy service test client_address? Is there a test I can use to
> have Postfix validate the IP - instead of duplicating the IP check?
While it might be possible to use a check_client_access table,
you're probably better off implementing your "authorized IP" tests
in your policy service.
-- Noel Jones