(more info plz from Victor D.)Postini, Has bad idea for addingip numbers. This is sendmail example
in [Postfix]
|
Prev: Thread closed: Debian argument.. postfix hostname
Next: Convert access list to cidr but have some extra stuff. Can it gointo sender_access?
From: Josh Cason on 4 Jun 2010 14:37 I'm just a tad confused. I currently only have one check client access file. That is /etc/postfix/access. Do I need another check client access file with postini's ip range? As below I do have a senders access list. But I don't have a recipient access list because this is mysql under virtual. I was looking at a way to do a recipient access list with mysql and Postfixadmin. But I'm trying to keep any of the files like sender_access simple. you know one time change. Then leave it with maybe quarterly updates. my sender_access list. aol.com reject_unverified_sender hotmail.com reject_unverified_sender yahoo.com reject_unverified_sender gmail.com reject_unverified_sender bigfoot.com reject_unverified_sender apache(a)dolifrontend1.installs.com OK installs.com OK # Special restrictions on sender or recipient that # apply to Postini filtered traffic. Can't use IP # checks here, since you only ever see Postini IPs. # check_recipient_access ${indexed}rcpt-access, # check_sender_access ${indexed}sender-access, Thanks, Josh -- This message has been scanned for viruses and dangerous content by Mychoice, and is believed to be clean.
From: Victor Duchovni on 4 Jun 2010 14:14 On Fri, Jun 04, 2010 at 12:37:14PM -0600, Josh Cason wrote: > I'm just a tad confused. > > I currently only have one check client access file. That is > /etc/postfix/access. Do I need another check client access file with > postini's ip range? I recommended a CIDR access file, e.g.: # CIDR block Action 192.0.2.0/24 OK This does not need to be indexed with "postmap". CIDR tables are cached in memory. > As below I do have a senders access list. Fine. It is optional, I showed where you'd put one if you need it. > But I don't have a recipient > access list because this is mysql under virtual. It is optional. > # Special restrictions on sender or recipient that > # apply to Postini filtered traffic. Can't use IP > # checks here, since you only ever see Postini IPs. > # check_recipient_access ${indexed}rcpt-access, > # check_sender_access ${indexed}sender-access, As you see the optional checks were commented out... -- Viktor.
From: Charles Marcus on 4 Jun 2010 14:25
On 2010-06-04 2:37 PM, Josh Cason wrote: > my sender_access list. > > aol.com reject_unverified_sender > hotmail.com reject_unverified_sender > yahoo.com reject_unverified_sender > gmail.com reject_unverified_sender > bigfoot.com reject_unverified_sender > apache(a)dolifrontend1.installs.com OK > installs.com OK Aaaargh! Really bad idea. reject_unverified_sender should *only* be used for domains that you control, or have an agreement with the one controlling. Doing blanket reject_unverified_sender is a good way to get blacklisted, as most sysadmins consider it abuse. If you're server is really low volume, you might get away with it for a while, but it is a really bad idea regardless. -- Best regards, Charles |