On 3/10/2021 1:55 PM, JF Mezei wrote:
On 2021-03-10 13:58, Antonio Leding wrote:

I’ve been digging into restriction lists a bit more and grinding away
on the rationale between separating restrictions across each of the
first four lists (CLIENT, HELO, SENDER, & RECIPIENT) vs. just placing
them all in RECIPIENT.

This is from my decade old config.  As I recall, the order is important.
If it matches a line, then the permit or reject is applied and rest of
tests not processed. If it doesn't match a test, then it goes on to the
next one.  So you can permit someone early when you know they would
otherwise fail the subsequent tests (such as poorly configured SMTP
server with no proper host name or reverse translation).

Clarification - The order of your rules within each smtpd_*_restrictions section is important. Generally, first match wins within that section.

The order you list the sections themselves doesn't matter.


Also lumping it all into the "recipients restrictions", you delay
decisions until the process gets to DATA phase. This way, you give a
sender from a bad IP address a chance to authenticate or go through
whitelisting despite sending from a bad IP or poorly configured SMTP
server that would otherwise be blocked at HELO.

This is incorrect. With the default smtpd_delay_reject=yes, all evaluations are performed after the client sends RCPT TO. It's not uncommon for a client to interpret an "early" reject as a temporary error and try again again again - especially if the reject happens during the connect phase.


  -- Noel Jones
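To make the two points in this thread concrete (first match wins within a list, the list order in main.cf is irrelevant, and with smtpd_delay_reject=yes every list is applied at RCPT TO), here is an added toy model of the evaluation, not Postfix code and not from any poster. It assumes a handful of simplified stand-ins for real restriction names, a constructed mynetworks/relay_domains setup, and a constructed session from an authenticated user on a badly configured host (no reverse DNS, bare HELO name).

```python
"""Toy model of how Postfix walks smtpd_*_restrictions (added example, not Postfix code).

Assumptions: the restriction table below is a simplified stand-in for a few
real Postfix restriction names; MYNETWORKS and RELAY_DOMAINS are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

PERMIT, REJECT, DUNNO = "PERMIT", "REJECT", "DUNNO"

# Postfix always walks the lists in this order, whatever order they appear in main.cf.
SECTION_ORDER = ("client", "helo", "sender", "recipient")
# SMTP stage at which each list is applied when smtpd_delay_reject = no.
EARLY_STAGE = {"client": "CONNECT", "helo": "HELO", "sender": "MAIL FROM", "recipient": "RCPT TO"}

MYNETWORKS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "192.0.2.0/24")]  # constructed
RELAY_DOMAINS = {"example.org"}  # constructed: domains this server accepts mail for


@dataclass
class Session:
    client_ip: str
    client_hostname: Optional[str]  # None models a client with no reverse DNS
    helo: str
    sender: str
    recipient: str
    sasl_authenticated: bool = False


# Simplified stand-ins for a handful of real Postfix restriction names (assumption).
RESTRICTIONS = {
    "permit_mynetworks": lambda s: PERMIT if any(
        ipaddress.ip_address(s.client_ip) in n for n in MYNETWORKS) else DUNNO,
    "permit_sasl_authenticated": lambda s: PERMIT if s.sasl_authenticated else DUNNO,
    "reject_unknown_client_hostname": lambda s: REJECT if s.client_hostname is None else DUNNO,
    "reject_non_fqdn_helo_hostname": lambda s: REJECT if "." not in s.helo else DUNNO,
    "reject_unauth_destination": lambda s: DUNNO if s.recipient.split("@")[-1] in RELAY_DOMAINS else REJECT,
    "permit": lambda s: PERMIT,
    "reject": lambda s: REJECT,
}


def evaluate(config, session, delay_reject=True):
    """Return (decision, stage, section, restriction).

    config maps a section name to its ordered list of restriction names.
    Within one list the first restriction that returns PERMIT or REJECT wins.
    REJECT ends the whole evaluation; PERMIT ends only the current list and
    evaluation moves on to the next section (an exhausted list also moves on).
    With delay_reject=True every section is evaluated at RCPT TO, which is
    where the client actually sees a rejection.
    """
    for section in SECTION_ORDER:          # dict order in config is deliberately ignored
        stage = "RCPT TO" if delay_reject else EARLY_STAGE[section]
        for name in config.get(section, []):
            verdict = RESTRICTIONS[name](session)
            if verdict == REJECT:
                return (REJECT, stage, section, name)
            if verdict == PERMIT:
                break                      # permit ends this list, not the others
    return (PERMIT, "RCPT TO", None, None)  # implicit permit at the end of every list


# Constructed scenario: an authenticated user submitting from a badly set up host.
USER = Session("203.0.113.7", None, "laptop", "alice@example.org",
               "bob@example.org", sasl_authenticated=True)
# Constructed scenario: an unauthenticated remote host asking us to relay elsewhere.
STRANGER = Session("198.51.100.9", "host.example.net", "host.example.net",
                   "carol@example.net", "dave@elsewhere.test")

# Checks before whitelisting: the client list rejects before the permit is reached.
CHECKS_FIRST = {
    "client": ["reject_unknown_client_hostname", "permit_sasl_authenticated"],
    "helo": ["reject_non_fqdn_helo_hostname"],
    "recipient": ["permit_mynetworks", "permit_sasl_authenticated", "reject_unauth_destination"],
}
# Same restrictions with the permits placed first in every list; the sections are
# written in a scrambled order on purpose, since their order in main.cf does not matter.
PERMITS_FIRST = {
    "recipient": ["permit_mynetworks", "permit_sasl_authenticated", "reject_unauth_destination"],
    "helo": ["permit_sasl_authenticated", "reject_non_fqdn_helo_hostname"],
    "client": ["permit_sasl_authenticated", "reject_unknown_client_hostname"],
}

if __name__ == "__main__":
    print("checks first, delayed :", evaluate(CHECKS_FIRST, USER))
    print("checks first, early   :", evaluate(CHECKS_FIRST, USER, delay_reject=False))
    print("permits first, user   :", evaluate(PERMITS_FIRST, USER))
    print("permits first, relay  :", evaluate(PERMITS_FIRST, STRANGER))
```

Running it shows the authenticated user being rejected by the client list when the hostname check precedes the permit, reported at CONNECT only when delay_reject is off and at RCPT TO otherwise; moving the permit ahead of the check lets the same user through every list, while the open-relay attempt is still stopped by reject_unauth_destination in the recipient list.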
