postfix-users October 2011 archive

Re: perform check after authentication

From: Noel Jones <njones_at_nospam>
Date: Wed Oct 19 2011 - 20:47:53 GMT
To: postfix-users@postfix.org

On 10/19/2011 3:30 PM, Daniel L. Miller wrote:
> On 10/19/2011 1:21 PM, Noel Jones wrote:
>> On 10/19/2011 3:06 PM, Daniel L. Miller wrote:
>>> How can I execute a policy service AFTER successful authentication
>>> or local sender verification?
>>>
>>
>> Have your policy service check for existence of sasl_sender or
>> sasl_username.
>>
> If I use that in smtpd_sender_restrictions - where would I place
> it? If I place it AFTER "permit_sasl_authenticated" - that would
> mean my policy service is never called? If I place it BEFORE that
> check, by the time smtpd_sender_restrictions is evaluated, are the
> sasl_sender/sasl_username fields filled?

The check_policy_service would need to be the first check in some
smtpd_*_restrictions section. Depending on what you're doing it may
or may not matter which section.

>
> Is simply having a non-empty sasl_sender/sasl_username confirmation
> of successful sasl authentication - so the policy service doesn't
> have to perform any validation of the value beyond non-empty? Would
> sasl_method also be a valid test?

None of the policy service sasl_* fields will be populated without
successful authentication.

> What about non-authenticated but valid local sender (via IP range).
> Would I do the check in smtpd_client_restrictions - and have the
> policy service test client_address? Is there a test I can use to
> have Postfix validate the IP - instead of duplicating the IP check?

While it might be possible to use a check_client_access table,
you're probably better off implementing your "authorized IP" tests
in your policy service.

  -- Noel Jones
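
The approach discussed in this thread, sketched as an added example (not code from the thread or from the Postfix project): a policy service handler that treats a non-empty sasl_username or a client_address inside an authorized network as a trusted sender, and runs its real check only then. The network ranges, the SUSPENDED list and the post_auth_check function are assumptions made up for illustration.

```python
import ipaddress

# Assumptions for this example: the networks and the suspended-account list are constructed.
AUTHORIZED_NETS = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "2001:db8:1::/48")]
SUSPENDED = {"mallory"}

def parse_request(text):
    """Parse one policy request: name=value lines, ended by an empty line."""
    attrs = {}
    for line in text.splitlines():
        if not line:
            break
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value
    return attrs

def sender_class(attrs):
    """Classify the client as 'sasl', 'local' or 'unauthenticated'."""
    if attrs.get("sasl_username"):          # only set after successful SASL auth
        return "sasl"
    try:
        addr = ipaddress.ip_address(attrs.get("client_address", ""))
    except ValueError:                      # missing or unparsable address
        return "unauthenticated"
    return "local" if any(addr in net for net in AUTHORIZED_NETS) else "unauthenticated"

def post_auth_check(attrs):
    """Hypothetical check that should only run for trusted senders."""
    if attrs.get("sasl_username") in SUSPENDED:
        return "REJECT account suspended"
    return "DUNNO"

def respond(text):
    """Return the full policy reply for one raw request."""
    attrs = parse_request(text)
    if sender_class(attrs) == "unauthenticated":
        action = "DUNNO"                    # leave the decision to later restrictions
    else:
        action = post_auth_check(attrs)
    return "action=%s\n\n" % action

if __name__ == "__main__":
    # Constructed sample request, not captured traffic.
    sample = "request=smtpd_access_policy\nclient_address=198.51.100.7\nsasl_username=mallory\n\n"
    print(respond(sample), end="")
```

Returning DUNNO for unauthenticated clients leaves the decision to whatever restrictions follow check_policy_service in the same list.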