
I want to reject outgoing mails for a specific user, so first I add a policy like that:

    Name          | Priority  |       Description           | Disabled
__________________________________________________________________________
    Not outgoing  |   0       | Dont allow outgoing mails   |   no

And add a member to this policy:

       Source         |    Destination     |    Disabled
___________________________________________________________
test2@mydomain.io     | !%internal_domains |       no

and add a new record to the Access Control List:

Policy          |       Name       |   Verdict  |        Data              | Disabled
______________________________________________________________________________________
Not outgoing    | Reject Outbound  |   REJECT   | No outbound mail allowed |    no

On the other hand, I have a Policy Group:

Name              | Disabled
____________________________
internal_domains  |    no

and added a member to it (it's my local domain):

Member           |  Disabled
____________________________
@mydomain.io     |    no

So after all this preparation I try to send an email to an external mail address and expect policyd to reject this mail, but the result is different. So I check the postfix and policyd logs, but I don't understand anything. Here are the postfix logs for one mail:

postfix              | Feb 27 15:58:55 local postfix/smtpd[720]: connect from yartu_sync-engine_1.yartu_yartu-network[172.22.1.4]
postfix              | Feb 27 15:58:55 local postfix/smtpd[720]: Anonymous TLS connection established from yartu_sync-engine_1.yartu_yartu-network[172.22.1.4]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
postfix              | Feb 27 15:58:55 local postfix/smtpd[720]: C368F381ABC: client=yartu_sync-engine_1.yartu_yartu-network[172.22.1.4], sasl_method=PLAIN, sasl_username=test2@local.yartu.io
postfix              | Feb 27 15:58:55 local postfix/cleanup[724]: C368F381ABC: message-id=<1nznecl632etoauu6b1z6ku3r-0@mailer.nylas.com>
postfix              | Feb 27 15:58:55 local postfix/qmgr[348]: C368F381ABC: from=<test2@local.yartu.io>, size=1075, nrcpt=1 (queue active)
postfix              | Feb 27 15:58:55 local postfix/smtpd[720]: disconnect from yartu_sync-engine_1.yartu_yartu-network[172.22.1.4] ehlo=2 starttls=1 auth=1 mail=1 rcpt=1 data=1 quit=1 commands=8
postfix              | Feb 27 15:58:59 local postfix/smtp[726]: Trusted TLS connection established to gmail-smtp-in.l.google.com[108.177.15.26]:25: TLSv1.2 with cipher ECDHE-RSA-CHACHA20-POLY1305 (256/256 bits)
postfix              | Feb 27 15:59:00 local postfix/smtp[726]: C368F381ABC: replace: header Received: from [172.22.1.4] (yartu_sync-engine_1.yartu_yartu: Received: from localhost (localhost [127.0.0.1]) (Authenticated sender: test2@local.yartu.io)??by local.yartu.io (Postcow) with ESMTPSA id C368F381ABC??for <zkry.akgul@gmail.com>; Wed, 27 Feb 2019 15:58:55 +0300 (+03)
postfix              | Feb 27 15:59:00 local postfix/smtp[726]: C368F381ABC: to=<zkry.akgul@gmail.com>, relay=gmail-smtp-in.l.google.com[108.177.15.26]:25, delay=4.7, delays=0.15/0.03/4/0.51, dsn=2.0.0, status=sent (250 2.0.0 OK  1551272340 y14si8903503wru.408 - gsmtp)
postfix              | Feb 27 15:59:00 local postfix/qmgr[348]: C368F381ABC: removed

And policyd logs:

policyd                | [2019/02/27-12:52:34 - 41] [CORE] INFO: Starting "1" children
policyd                | 2019-02-27 12:52:34,379 DEBG 'cbpolicyd' stderr output:
policyd                | [2019/02/27-12:52:34 - 41] [CORE] INFO: Starting "1" children
policyd                | 
policyd                | 2019-02-27 12:52:34,379 DEBG 'cbpolicyd' stderr output:
policyd                | [2019/02/27-12:52:34 - 243] [CORE] INFO: 2019/02/27-12:52:34 CONNECT TCP Peer: "[172.22.1.17]:33264" Local: "[172.22.1.200]:10031"
policyd                | 
policyd                | [2019/02/27-12:52:34 - 243] [CORE] INFO: 2019/02/27-12:52:34 CONNECT TCP Peer: "[172.22.1.17]:33264" Local: "[172.22.1.200]:10031"
policyd                | [2019/02/27-12:52:34 - 252] [CORE] DEBUG: Child Preforked (252)
policyd                | 2019-02-27 12:52:34,380 DEBG 'cbpolicyd' stderr output:
policyd                | [2019/02/27-12:52:34 - 252] [CORE] DEBUG: Child Preforked (252)
policyd                | 
policyd                | [2019/02/27-12:52:34 - 252] [CBPOLICYD] DEBUG: Starting up caching engine
policyd                | 2019-02-27 12:52:34,380 DEBG 'cbpolicyd' stderr output:
policyd                | [2019/02/27-12:52:34 - 252] [CBPOLICYD] DEBUG: Starting up caching engine
policyd                | 
policyd                | [2019/02/27-12:53:01 - 73] [CORE] INFO: 2019/02/27-12:53:01 CONNECT TCP Peer: "[172.22.1.17]:33654" Local: "[172.22.1.200]:10031"
policyd                | 2019-02-27 12:53:01,599 DEBG 'cbpolicyd' stderr output:
policyd                | [2019/02/27-12:53:01 - 73] [CORE] INFO: 2019/02/27-12:53:01 CONNECT TCP Peer: "[172.22.1.17]:33654" Local: "[172.22.1.200]:10031"
policyd                | 
policyd                | [2019/02/27-12:53:31 - 41] [CORE] INFO: Killing "1" children
policyd                | 2019-02-27 12:53:31,635 DEBG 'cbpolicyd' stderr output:
policyd                | [2019/02/27-12:53:31 - 41] [CORE] INFO: Killing "1" children
policyd                | 
policyd                | [2019/02/27-12:53:31 - 252] [CBPOLICYD] DEBUG: Shutting down caching engine (252)
policyd                | 2019-02-27 12:53:31,636 DEBG 'cbpolicyd' stderr output:
policyd                | [2019/02/27-12:53:31 - 252] [CBPOLICYD] DEBUG: Shutting down caching engine (252)

And here is my postfix main.cf (172.22.1.200 is policyd's IP address):

...
smtpd_recipient_restrictions = check_policy_service inet:172.22.1.200:10031, permit_mynetworks, permit_sasl_authenticated, check_recipient_access proxy:mysql:/opt/postfix/conf/sql/mysql_tls_enforce_in_policy.cf, reject_invalid_helo_hostname, reject_unknown_reverse_client_hostname, reject_unauth_destination
...

and master.cf:

...
    tlsproxy   unix  -       -       n       -       0       tlsproxy
    dnsblog    unix  -       -       n       -       0       dnsblog
    pickup     fifo  n       -       n       60      1       pickup
    cleanup    unix  n       -       n       -       0       cleanup
    qmgr       fifo  n       -       n       300     1       qmgr
    tlsmgr     unix  -       -       n       1000?   1       tlsmgr
    rewrite    unix  -       -       n       -       -       trivial-rewrite
    bounce     unix  -       -       n       -       0       bounce
    defer      unix  -       -       n       -       0       bounce
    trace      unix  -       -       n       -       0       bounce
    verify     unix  -       -       n       -       1       verify
    flush      unix  n       -       n       1000?   0       flush
    proxymap   unix  -       -       n       -       -       proxymap
    proxywrite unix  -       -       n       -       1       proxymap
    smtp       unix  -       -       n       -       -       smtp
    relay      unix  -       -       n       -       -       smtp
    showq      unix  n       -       n       -       -       showq
    error      unix  -       -       n       -       -       error
    retry      unix  -       -       n       -       -       error
    discard    unix  -       -       n       -       -       discard
    local      unix  -       n       n       -       -       local
    virtual    unix  -       n       n       -       -       virtual
    lmtp       unix  -       -       n       -       -       lmtp
    anvil      unix  -       -       n       -       1       anvil
    scache     unix  -       -       n       -       1       scache
    maildrop   unix  -       n       n       -       -       pipe flags=DRhu
        user=vmail argv=/usr/bin/maildrop -d ${recipient}
    policy-spf  unix  -       n       n       -       -       spawn
         user=nobody argv=/usr/sbin/postfix-policyd-spf-perl
    # start zeyple
    zeyple    unix  -       n       n       -       -       pipe
      user=zeyple argv=/usr/local/bin/zeyple.py ${recipient}
    127.0.0.1:10026 inet  n       -       n       -       10      smtpd
      -o content_filter=
      -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks,no_milters
      -o smtpd_helo_restrictions=
      -o smtpd_client_restrictions=
      -o smtpd_sender_restrictions=
      -o smtpd_recipient_restrictions=permit_mynetworks,reject
      -o mynetworks=127.0.0.0/8
      -o smtpd_authorized_xforward_hosts=127.0.0.0/8
    # end zeyple
...

Where am I wrong?

1 Answer

[server]

# Protocols to load
protocols=<<EOT
Postfix
Bizanga
EOT

# Modules to load
modules=<<EOT
Core
##### I added the next line for the solution #####
AccessControl
CheckHelo
CheckSPF
Greylisting
Quotas
EOT

# User to run this daemon as
user=root
#group=

I forgot to add the module in cluebringer.conf, and now everything works fine.
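An added check, not part of the question or the answer: it sends the same kind of RCPT-stage query that Postfix issues at the check_policy_service step to the cbpolicyd listener and reports whether the ACL's REJECT verdict comes back. The policyd address comes from the main.cf above; the recipient, helo_name and client values are constructed.

```python
import socket
# Assumed: policyd listener from the question's main.cf; the sender/recipient pair
# is constructed to match the "Not outgoing" policy member (internal -> external).
POLICYD_ADDR = ("172.22.1.200", 10031)
SAMPLE_QUERY = {
    "request": "smtpd_access_policy",
    "protocol_state": "RCPT",
    "protocol_name": "ESMTP",
    "client_address": "172.22.1.4",
    "client_name": "yartu_sync-engine_1.yartu_yartu-network",
    "helo_name": "sync-engine",                 # constructed
    "sender": "test2@mydomain.io",
    "recipient": "someone@example.com",         # constructed external address
    "sasl_method": "PLAIN",
    "sasl_username": "test2@mydomain.io",
}

def build_request(attrs):
    """Encode the query the way Postfix does: name=value lines, blank line ends it."""
    return "".join(f"{k}={v}\n" for k, v in attrs.items()).encode() + b"\n"

def parse_response(raw):
    """Parse the policy reply (name=value lines up to the terminating blank line)."""
    reply = {}
    for line in raw.decode(errors="replace").split("\n"):
        if not line:
            break
        name, _, value = line.partition("=")
        reply[name] = value
    return reply

def is_rejected(reply):
    """True when the verdict is REJECT (the verdict configured in the ACL above)."""
    return reply.get("action", "").upper().startswith("REJECT")

def query_policyd(attrs, addr=POLICYD_ADDR, timeout=5.0):
    """Send one policy query over TCP and return the parsed reply."""
    buf = b""
    with socket.create_connection(addr, timeout=timeout) as sock:
        sock.sendall(build_request(attrs))
        while b"\n\n" not in buf:
            chunk = sock.recv(4096)
            if not chunk:
                break
            buf += chunk
    return parse_response(buf)

if __name__ == "__main__":
    reply = query_policyd(SAMPLE_QUERY)
    print("verdict:", reply.get("action"), "-> rejected" if is_rejected(reply) else "-> passed")
```

If the reply is DUNNO after the AccessControl module is loaded, check that the sending user authenticates as the exact address listed as the policy member, since the log above shows a sasl_username that differs from it.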