I'm trying to set up a policyd server on Centos x64 (selinux disabled), which will allow me for limiting numer of messages incoming from different servers and (more important) outgoing from different user accounts. At the moment, i believe i have a working configuration for limiting incoming mail (for example, from google) but I cannot make postfix do same policy checks for internal and outgoing mail.
Here's the problem (at the moment i'm just trying to make postfix use the policy service at all)
I added following lines to main.cf
smtpd_recipient_restrictions = check_policy_service inet:127.0.0.1:10031, reject_unauth_destination
smtpd_end_of_data_restrictions = check_policy_service inet:127.0.0.1:10031
And disabled policyd (for testing)
When sending mail from other host (from gmail for ex) to this machine, in postfix logs there is an error that policyd server cannot be accessed
Sep 10 10:40:23 centosvbox1 postfix/smtpd[9378]: connect from unknown[IP_ADDRESS]
Sep 10 10:40:23 centosvbox1 postfix/smtpd[9378]: warning: connect to 127.0.0.1:10031: Connection refused
Sep 10 10:40:23 centosvbox1 postfix/smtpd[9378]: warning: problem talking to server 127.0.0.1:10031: Connection refused
Sep 10 10:40:24 centosvbox1 postfix/smtpd[9378]: warning: connect to 127.0.0.1:10031: Connection refused
Sep 10 10:40:24 centosvbox1 postfix/smtpd[9378]: warning: problem talking to server 127.0.0.1:10031: Connection refused
which means that postfix tries to access policyd server (which works as expected)
However, when i try to send mail from console (with mailx) to user root (local account) or somewhere else (gmail), no such lookups are made – mail just slides through, without even trying to access policyd
echo "ksfdhjksf" | mail -s "kjfhkjsfkjsfd" root
Sep 10 10:42:03 centosvbox1 postfix/cleanup[9386]: 9B606417D9: message-id=<20130910084203.9B606417D9@domain>
Sep 10 10:42:03 centosvbox1 postfix/qmgr[9342]: 9B606417D9: from=<root@domain>, size=458, nrcpt=1 (queue active)
Sep 10 10:42:03 centosvbox1 postfix/local[9388]: 9B606417D9: to=<root@domain>, orig_to=<root>, relay=local, delay=0.04, delays=0.03/0.01/0/0.01, dsn=2.0.0, status=sent (delivered to mailbox)
Sep 10 10:42:03 centosvbox1 postfix/qmgr[9342]: 9B606417D9: removed
Which makes me wonder – why check_policy_service does not work? (i believe this is a postfix issue)
Anybody has any idea how to make policyd limit system users (for example webapp) in sending mails?
Best Answer
You defined the policy check in
smtpd_*_restrictions, therefore it will never be queried for mail generated locally, because this kind of mails is injected into the Postfix queue using thepickup(8)service. To circumvent this, you will need to modifymaster.cfand add acontent_filterinstance to thepickup(8)service (and of course, you will also need to add said content filtering instance, take a look at Content Filtering.FWIW, I don't think it's worth the effort to do this. Nobody should be able to generate local mail on a mail gateway, and is not the central mail gateway, then you are limiting in the wrong place, anyways.