The Postfix delegated policy client can connect to a TCP socket
or to a UNIX-domain socket. Examples:
    inet:127.0.0.1:9998
    unix:/some/where/policy
    unix:private/policy
The first example specifies that the policy server listens on
a TCP socket at 127.0.0.1 port 9998. The second example specifies
an absolute pathname of a UNIX-domain socket. The third example
specifies a pathname relative to the Postfix queue directory; use
this for policy servers that are spawned by the Postfix master
daemon.
To create a policy service that listens on a UNIX-domain socket
called "policy", and that runs under control of the Postfix
spawn(8) daemon, you would use something like this:
     1 /etc/postfix/master.cf:
     2     policy  unix  -       n       n       -       -       spawn
     3       user=nobody argv=/some/where/policy-server
     4
     5 /etc/postfix/main.cf:
     6     smtpd_recipient_restrictions =
     7         ...
     8         reject_unauth_destination
     9         check_policy_service unix:private/policy
    10         ...
    11     policy_time_limit = 3600
NOTES:
- Lines 2, 11: the Postfix spawn(8) daemon by default kills
  its child process after 1000 seconds. This is too short for a
  policy daemon that may run for as long as an SMTP client is connected
  to an SMTP server process. The default time limit is overruled in
  main.cf with an explicit "policy_time_limit" setting. The name of
  the parameter is the name of the master.cf entry ("policy")
  concatenated with the "_time_limit" suffix.
- Lines 8, 9: always specify "check_policy_service" AFTER
  "reject_unauth_destination" or else your system could become an
  open relay.
- Solaris UNIX-domain sockets do not work reliably. Use
  TCP sockets instead:
     1 /etc/postfix/master.cf:
     2     127.0.0.1:9998  inet  n       n       n       -       -       spawn
     3       user=nobody argv=/some/where/policy-server
     4
     5 /etc/postfix/main.cf:
     6     smtpd_recipient_restrictions =
     7         ...
     8         reject_unauth_destination
     9         check_policy_service inet:127.0.0.1:9998
    10         ...
    11     127.0.0.1:9998_time_limit = 3600
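The two main.cf checks from the NOTES above can be automated; the following Python sketch is an added example, not part of the Postfix documentation or distribution. It assumes every check_policy_service target written as unix:private/NAME or inet:HOST:PORT is a spawn(8) service declared as in the examples above; parse_main_cf and lint_policy are hypothetical names, and the sample configurations are constructed.

```python
import re

def parse_main_cf(text):
    """Return {parameter: value}; lines starting with whitespace continue the previous one."""
    params, name = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and name:
            params[name] = (params[name] + " " + raw.strip()).strip()
        elif "=" in raw:
            name, value = (s.strip() for s in raw.split("=", 1))
            params[name] = value
    return params

def lint_policy(main_cf_text):
    """Apply the ordering and time-limit NOTES; return a list of findings."""
    params = parse_main_cf(main_cf_text)
    tokens = [t for t in re.split(r"[,\s]+", params.get("smtpd_recipient_restrictions", "")) if t]
    findings = []
    for i, tok in enumerate(tokens):
        if tok != "check_policy_service" or i + 1 >= len(tokens):
            continue
        target = tokens[i + 1]
        # Open-relay risk: the policy lookup must come AFTER reject_unauth_destination.
        if "reject_unauth_destination" not in tokens[:i]:
            findings.append(f"{target}: not preceded by reject_unauth_destination")
        # Assumption: master.cf entry name is derived as in the page's two examples.
        m = re.match(r"(?:unix:private/|inet:)(.+)", target)
        if m and f"{m.group(1)}_time_limit" not in params:
            findings.append(f"{target}: {m.group(1)}_time_limit not set, spawn(8) default of 1000 seconds applies")
    return findings

# Constructed sample configurations (not taken from a real system).
GOOD = """\
smtpd_recipient_restrictions =
    permit_mynetworks
    reject_unauth_destination
    check_policy_service unix:private/policy
policy_time_limit = 3600
"""
BAD = """\
smtpd_recipient_restrictions = check_policy_service inet:127.0.0.1:9998,
    reject_unauth_destination
"""

if __name__ == "__main__":
    for label, cfg in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, lint_policy(cfg) or "no findings")
```

An absolute-path target such as unix:/some/where/policy is checked for ordering only, since such a server is not necessarily spawned by the Postfix master daemon.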
Other configuration parameters that control the client side of
the policy delegation protocol: