I was hoping the Postfix version of smmapd would replace this for me, but it looks like that won't be happening soon. I've been using a postfix policy daemon to integrate with the current smmapd to perform quota checks. It has a few shortcomings: it does not support virtual domains as is, but I think that would be a minor modification, and IIRC, postfix does not pass the final username to the policy daemon if alias expansion occurs, however, for my uses, this catches nearly all cases of over quota mail. I have not had any problems with this, but I would appreciate feedback from anyone with more experience if you see any potential problems with the implementation, improvements, or know of a better way to reject mail for over quota accounts. -- Omni Flux
#!/usr/bin/perl -w # Postfix Policy Daemon for checking Cyrus Mailbox Quotas # Version: 0.02 # Author: Omni Flux # Most recent version is available at http://www.omniflux.com/devel/ # # Policy Daemon code based on postfix-policyd-spf by Meng Weng Wong # available at http://www.openspf.org/ use strict; use IO::Socket::UNIX; use Sys::Syslog qw(:DEFAULT setlogsock); use Text::Netstring qw(netstring_encode netstring_decode netstring_read netstring_verify); # ---------------------------------------------------------- # configuration # ---------------------------------------------------------- my $mydomain = 'example.tld'; # # Responses to postfix # my $default_response = 'DUNNO'; my $overquota_response = '552 5.2.2 Over quota'; # # Settings for conecting to the Cyrus smmap daemon # my $socket = "/var/run/cyrus/socket/smmap"; # # Syslogging options for verbose mode and for fatal errors. # NOTE: comment out the $syslog_socktype line if syslogging does not # work on your system. # my $syslog_socktype = 'unix'; my $syslog_facility = 'mail'; my $syslog_options = 'pid'; my $syslog_priority = 'info'; my $syslog_ident = 'postfix/policy-cyrquota'; # ---------------------------------------------------------- # minimal documentation # ---------------------------------------------------------- # # Usage: cyrquota-pf_policy.pl [-v] # # This policy server checks if a Cyrus mail account is over quota. # # This method does create a race condition as it is possible # for a message to pass this check while a message which will # push the account over quota is being delivered to cyrus, but # this should be correct in the majority of cases, and should # never incorrectly reject mail. # # This method will not catch overquota accounts if postfix # rewrites the address before performing local delivery # (aliases, virtual domains). # # This documentation assumes you have read Postfix's # README_FILES/SMTPD_POLICY_README # # Logging is sent to syslogd. # # To run this from /etc/postfix/master.cf: # # cyrquota-policy unix - n n - - spawn # user=nobody argv=/usr/bin/perl /usr/local/sbin/cyrquota-pf_policy.pl # # To use this from Postfix SMTPD, use in /etc/postfix/main.cf: # # smtpd_recipient_restrictions = # ... # reject_unlisted_recipient, # check_policy_service unix:private/cyrquota-policy, # permit_sasl_authenticated, # reject_unauth_destination # ... # # This policy should be included after reject_unlisted_recipient if used, # but before any permit rules or maps which return OK. # # To test this script by hand, execute: # # % perl cyrquota-pf_policy.pl # # Each query is a bunch of attributes. Order does not matter. # # request=smtpd_access_policy # recipient=bar@xxxxxxx # [empty line] # # The policy server script will answer in the same style, with an # attribute list followed by a empty line: # # action=dunno # [empty line] # ---------------------------------------------------------- # initialization # ---------------------------------------------------------- # # This process runs as a daemon, so it can't log to a terminal. Use # syslog so that people can actually see our messages. # setlogsock ($syslog_socktype); openlog ($syslog_ident, $syslog_options, $syslog_facility); # # Parse commandline. # my $verbose = 0; while (my $option = shift (@ARGV)) { if ($option eq '-v') { $verbose = 1; } else { fatal_exit ("Invalid option: $option. Usage: $0 [-v]"); } } # # Unbuffer standard output. # select ((select (STDOUT), $| = 1)[0]); # ---------------------------------------------------------- # main # ---------------------------------------------------------- # # Receive a bunch of attributes, evaluate the policy, send the result. # my $sock = IO::Socket::UNIX->new(Peer => $socket) or fatal_exit ("unable to connect to smmap daemon"); my %attr; while (<STDIN>) { chomp; if (/=/) { my ($k, $v) = split (/=/, $_, 2); $attr{$k} = $v; syslog (debug => "Attribute: %s=%s", $k, $v) if $verbose; next } elsif (length) { syslog (warning => sprintf ("warning: ignoring garbage: %.100s", $_)); next; } if ($attr{'request'} ne 'smtpd_access_policy') { fatal_exit ("unrecognized request type: '$attr{'request'}'") } my $action = $default_response; if (lc(rhs ($attr{'recipient'})) eq lc($mydomain)) { print $sock netstring_encode ("0 " . lhs ($attr{'recipient'})); my $result = netstring_read ($sock); if (!$result) { syslog (warning => "query error"); } elsif ($result eq "") { syslog (warning => "lost connection to smmsp daemon"); } else { if (netstring_verify($result)) { $result = netstring_decode($result); if ($result =~ /^(PERM|TEMP) Over quota$/) { $action = $overquota_response; } } else { syslog (warning => "error decoding smmsp response"); } } } else { syslog (debug => "Skipping external domain: %s", rhs ($attr{'recipient'})) if $verbose; } print STDOUT "action=$action\n\n"; %attr = (); } # ---------------------------------------------------------- # subroutines # ---------------------------------------------------------- # # Log an error and abort. # sub fatal_exit { syslog (err => "fatal_exit: @_"); die ("fatal: @_"); } sub lhs { my $string = shift; for ($string) { s/\@.*$//; } return $string; } sub rhs { my $string = shift; for ($string) { s/.*\@//; } return $string; }
---- Cyrus Home Page: http://cyrusimap.web.cmu.edu/ Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html