> Does postfix stop processing the restrictions as soon as a reject is > matched?
Yes and no. > In other words if I move my own ip and domain blacklist to the top does > postfix stop and reject as soon as a match is found? You have different smtpd_*_restrictions, each is an ordered list. All of the smtpd_*_restrictions ordered lists must give back a permit result or the mail is rejected. To have full control over the order, using one of these ordered lists, say smtpd_recipient_restrictions, and putting your checks in it allows you to control what happens when, and where your OKs are. Inside these ordered lists there are basically two types of files that can be checked against, a database or a regular expression. A database is matched in the order laid out in man 5 access, http://www.postfix.org/access.5.html which defines an order along the lines of domain.tld, net.work.addr.ess, net.work.addr, net.work, and lastly net. So in a database, if you were to lookup 192.168.8.4, and your map file looked like this: 192.168 REJECT 192.168.8.4 OK The OK would match 192.168.8.4 even though it is below the 192.168.8. This because in the order of operations, net.work.addr.ess has precedence over net.work. Regular expressions are a first match wins. So lets go back to 192.168.8.4. /192\.168/ REJECT /192\.168\.8\.4/ OK In this case, the REJECT takes precedence. So it seems that Regular Expressions are better because they offer you more control. But here is the down side. The Regular Expressions take more processor time, and tend to delay the reception of mail more. So you do not want to do everything in Regular Expressions. The balance is to do pure rejection lists where you do not need much control over the order of operations in database formats, and then do those few things were you need full control with Regular Expressions. --Eric
