From: Josh Cason on
I'm just a tad confused.

I currently only have one check client access file. That is
/etc/postfix/access. Do I need another check client access file with
postini's ip range?

As below I do have a senders access list. But I don't have a recipient
access list because this is mysql under virtual. I was looking at a
way to do a recipient access list with mysql and Postfixadmin. But I'm
trying to keep any of the files like sender_access simple. you know
one time change. Then leave it with maybe quarterly updates.

my sender_access list.

aol.com reject_unverified_sender
hotmail.com reject_unverified_sender
yahoo.com reject_unverified_sender
gmail.com reject_unverified_sender
bigfoot.com reject_unverified_sender
apache(a)dolifrontend1.installs.com OK
installs.com OK




# Special restrictions on sender or recipient that
# apply to Postini filtered traffic. Can't use IP
# checks here, since you only ever see Postini IPs.
# check_recipient_access ${indexed}rcpt-access,
# check_sender_access ${indexed}sender-access,


Thanks,

Josh



--
This message has been scanned for viruses and
dangerous content by Mychoice, and is
believed to be clean.

From: Victor Duchovni on
On Fri, Jun 04, 2010 at 12:37:14PM -0600, Josh Cason wrote:

> I'm just a tad confused.
>
> I currently only have one check client access file. That is
> /etc/postfix/access. Do I need another check client access file with
> postini's ip range?

I recommended a CIDR access file, e.g.:

# CIDR block Action
192.0.2.0/24 OK

This does not need to be indexed with "postmap". CIDR tables are
cached in memory.

> As below I do have a senders access list.

Fine. It is optional, I showed where you'd put one if you need it.

> But I don't have a recipient
> access list because this is mysql under virtual.

It is optional.

> # Special restrictions on sender or recipient that
> # apply to Postini filtered traffic. Can't use IP
> # checks here, since you only ever see Postini IPs.
> # check_recipient_access ${indexed}rcpt-access,
> # check_sender_access ${indexed}sender-access,

As you see the optional checks were commented out...

--
Viktor.

From: Charles Marcus on
On 2010-06-04 2:37 PM, Josh Cason wrote:
> my sender_access list.
>
> aol.com reject_unverified_sender
> hotmail.com reject_unverified_sender
> yahoo.com reject_unverified_sender
> gmail.com reject_unverified_sender
> bigfoot.com reject_unverified_sender
> apache(a)dolifrontend1.installs.com OK
> installs.com OK

Aaaargh! Really bad idea. reject_unverified_sender should *only* be used
for domains that you control, or have an agreement with the one
controlling. Doing blanket reject_unverified_sender is a good way to get
blacklisted, as most sysadmins consider it abuse.

If you're server is really low volume, you might get away with it for a
while, but it is a really bad idea regardless.

--

Best regards,

Charles