I would like to use postfwd version 2 to limit the amount of daily mail sent by my sasl authenticated users.
I installed the latest tarball, postfwd-1.35, with the latest Postfix from CentOS 6.4.
In my I have only this rule
id=RULEZEROSASL
sasl_username=~/^(\S+)$/
action=rcpt(sasl_username/500/86400/REJECT only 500 recipients per day for $$sasl_username)
which should reject only mail with authenticated users (not mail from trusted mailservers).
My postfwd2 listens on tcp 10045 and in my postfix main.cf I have
# Restriction Classes
smtpd_restriction_classes = postfwdcheck
postfwdcheck = check_policy_service inet:127.0.0.1:10045
127.0.0.1:10045_time_limit = 3600
...
smtpd_recipient_restrictions =
permit_mynetworks
permit_sasl_authenticated
permit_tls_clientcerts
reject_unauth_destination
check_recipient_access hash:/etc/postfix/access
reject_invalid_helo_hostname
# postfwd with rate limiting
check_policy_service inet:127.0.0.1:10045
warn_if_reject reject_non_fqdn_helo_hostname
warn_if_reject reject_unknown_helo_hostname
warn_if_reject reject_unknown_client
reject_non_fqdn_sender
reject_non_fqdn_recipient
reject_unknown_sender_domain
reject_unknown_recipient_domain
warn_if_reject reject_unverified_sender
reject_unverified_recipient
reject_rbl_client zen.spamhaus.org
permit
in /etc/postfix/policy
. postfwdcheck
I see no rule matching entries in log and the command
postfwd2 -vv --dumpcache -f /etc/postfwd.cf
shows the request number
[STATS] postfwd2::policy 1.35: **5** requests since 0 days, 01:05:31 hours
increasing only for manual tests done with:
nc 127.0.0.1 10045 <request.sample
Any idea why postfwd is not engaged by postfix?
Postfix restriction classes can return three answers: OK, REJECT or DUNNO. Usually they have (OK, DUNNO) or (REJECT, DUNNO), because of the way that Postfix functions. DENY and OK mean the rest of the checks are ignored; DUNNO means go on to the next check.
So, in your case, permit_mynetworks or permit_sasl_authenticated are returning OK, so it does not check further under smtpd_recipient_restrictions, though you could place it in another restriction class which will then first have to return OK, for the mail to be forwarded.
You should not use "smtpd_recipient_restrictions" for an "action=rcpt(...)" as it needs to know the recipient_count attribute. From the man page:
So, if you use "check_policy_service inet:127.0.0.1:10045" in smtpd_data_restrictions instead, it will work. Hope so.
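To illustrate the recipient_count point in the answer above, here is an added example (not part of the original posts and not postfwd's own code): a simplified model of the rcpt(sasl_username/500/86400/...) rule fed with policy-delegation requests. It assumes Postfix reports recipient_count as 0 at the RCPT stage and the real number only at DATA or END-OF-MESSAGE; the class, the helper names, the sample user and the "reject once the total exceeds the limit" behaviour are all assumptions made for the illustration.

```python
LIMIT, WINDOW = 500, 86400  # from the rule on the page: 500 recipients per 86400 s

def parse_request(text):
    """Parse one policy-delegation request: name=value lines ended by a blank line."""
    attrs = {}
    for line in text.splitlines():
        if not line:
            break
        name, _, value = line.partition("=")
        attrs[name] = value
    return attrs

class RcptLimiter:
    """Simplified model of a per-user recipient limit; not postfwd's implementation."""
    def __init__(self, limit=LIMIT, window=WINDOW):
        self.limit, self.window = limit, window
        self.buckets = {}  # sasl_username -> [window_start, recipients_counted]

    def decide(self, attrs, now):
        user = attrs.get("sasl_username", "")
        if not user:  # no SASL login (e.g. a trusted relay): the rule does not match
            return "DUNNO"
        bucket = self.buckets.get(user)
        if bucket is None or now - bucket[0] >= self.window:
            bucket = self.buckets[user] = [now, 0]
        # At RCPT stage recipient_count is 0, so nothing is ever added here;
        # only DATA / END-OF-MESSAGE requests carry the real number.
        bucket[1] += int(attrs.get("recipient_count") or 0)
        if bucket[1] > self.limit:
            return f"REJECT only {self.limit} recipients per day for {user}"
        return "DUNNO"

def make_request(state, user, count):
    """Constructed sample request; the values are illustrative, not captured traffic."""
    return (f"request=smtpd_access_policy\nprotocol_state={state}\n"
            f"sasl_username={user}\nrecipient_count={count}\n\n")

def simulate(state, per_message, messages, user="alice"):
    """Send `messages` requests to a fresh limiter; return (last reply, recipients counted)."""
    limiter, reply = RcptLimiter(), "DUNNO"
    for i in range(messages):
        count = 0 if state == "RCPT" else per_message  # RCPT stage always reports 0
        request = parse_request(make_request(state, user, count))
        reply = limiter.decide(request, now=1000.0 + i)
    return reply, limiter.buckets.get(user, [0, 0])[1]

if __name__ == "__main__":
    print("RCPT stage:", simulate("RCPT", 50, 20))
    print("DATA stage:", simulate("DATA", 50, 20))
```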