 |
| Prev-20 | Home | Next-20 |
| Prev-20 | Home | Next-20 |
| Prev-Msg | Prev-Thread | Postfix-users | Nov-2007 | Next-Thread | Next-Msg |
| Subject: | Re: Policy Service Default (was Re: Greylist question) |
| Group: | Postfix-users |
| From: | Noel Jones |
| Date: | 29 Nov 2007 |
> Noel Jones:
>> Wietse Venema wrote:
>>> Postfix has no grace for failing policy servers. If some has a
>>> reasonable user interface, something can be implemented.
>> some ideas that would blend with existing postfix user
>> interfaces...
>>
>> - a single global setting. This mimics the current milter
>> interface.
>> policy_service_default_action = {tempfail, dunno, reject}
>
> That's easy, but I'd use access map syntax in any case. It already
> provides a lot of functionality and we don't have to re-invent a
> new language.
>
> Likewise there could be policy_service_default_timeout.
>
>> - per-policy on-the-fly keyed on the master.cf service name
>> foo_policy_service_default_action = {tempfail, dunno, reject}
>
> Unfortunately, policy services don't have to run from master.cf so
> there is a bit of ambiguity what the prefix should be:
>
> inet:127.0.0.1:9998
> unix:/some/where/policy
> unix:private/policy
>
> Another option is to extend the check_policy_service syntax, perhaps
> like we did with RBLs (with "=stuff" appended).
>
> Not sure how that would extend to support per-service timeouts and
> other settings. We have to do similar things with Milters, and it
> would be nice if the policy and Milter mechanisms were not completely
> different.
>
>> Or something modeled after the current RBL reply feature:
>> a global policy_service_default_action and a lookup table
>> keyed on the service name
>> policy_service_default_action_maps = type:file
>> valid results would be the same as for access(5).
>
> A lookup table is a bit klunky but it could do the job. It would
> also work for per-milter configuration settings of timeouts and
> other features, when the lookup result is a string of name=value
> attributes separated by some delimiter.
>
>> or it might be more clear to use "fail" in the name, such as:
>> policy_service_fail_action
>> to signify this value is used only if the policy server fails.
>
> If it's a map, one might want to use it for other per-server
> features: timeouts, default reply, ...
>
> Wietse
OK, so a single global default action is easy, but limited
functionality. Please do this even if we can't find consensus
for a per-service interface. It seems a global default will
still be useful whatever per-service interface is used.
Given your comments, on-the-fly parameter names seem a little
distasteful. Maybe a lookup table keyed on the full "nexthop"
inet:... or unix:... would be the more natural per-service
interface.
If a structured response (fail=dunno, timeout=2s, ...) were
used for a multifunction table, could optional text be
included with actions? Quoted or just disallow the delimiter?
Maybe a good name for a multi-purpose table would be
policy_service_control_maps.
--
Noel Jones
| Prev-Msg | Prev-Thread | Postfix-users | Nov-2007 | Next-Thread | Next-Msg |