> In my current main.cf, check_client_access
> hash:/etc/postfix/mta_clients_bw.map is the 11th item listed under
> smtpd_recipient_restrictions =
>
> Would moving it to the top reject MTAs (sooner) that I know I don't ever
> want connecting? Would it cause any side effects? Or does postfix run
> through the entire list of tests in smtpd_recipient_restrictions before
> ok'ing or rejecting?
>
> Current:
> smtpd_recipient_restrictions =
> reject_unauth_pipelining,
> reject_non_fqdn_sender,
> reject_non_fqdn_recipient,

These are VERY fast conditional tests.

> reject_unknown_recipient_domain,

This is a DNS lookup, which I tend to do later due to DNS lookup timing. But there are reasons to do it early too. Hard to say the best place for it, but right after your hate list would not be bad at all.

> hash:/etc/postfix/to_recipients_bw.map,

Your whitelist. Why is it before reject_unauth_destination?

> reject_unverified_sender,
> reject_unverified_recipient,
> reject_unknown_sender_domain,
> permit_mynetworks,
> reject_unauth_destination,

This is your anti-spoofing test. This needs to be nearer to the top. In my experience, it should be right after the simple conditional tests, and right before any white lists. Be sure to move permit_mynetworks with reject_unauth_destination so that you can still send out email.

> check_client_access hash:/etc/postfix/mta_clients_bw.map,

Do you have any whitelisting in this file? If so, do it after the anti-spoofing reject_unauth_destination. Otherwise you may become a partial relay. Also it should be done after your postmaster@ whitelisting. That way if you block someone by accident they can notify you. I have another, separate client IP list for idiots that spam my postmaster@ address. I make more hostile blocks there.

> pcre:/etc/postfix/to_recipients_bw.regexp,
> etc.
> etc.
>
> Proposed:

See my notes above and think about it. I am sure Len will have some other comments.

--Eric
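As an added example (not Eric's proposed list and not the original poster's config), here is a main.cf fragment that applies the ordering described above using only the restrictions named in the thread. The check_recipient_access keywords in front of the two to_recipients maps, and the separate postmaster-abuser client map with its path, are assumptions.

```conf
# Constructed main.cf fragment illustrating the ordering in the thread.
# Postfix walks smtpd_recipient_restrictions left to right and stops at
# the first restriction that returns PERMIT or REJECT (OK / REJECT in an
# access map); a DUNNO result moves on to the next entry. Order therefore
# decides which test gets to answer first and which lookups are skipped.
#
# Group 1: cheap syntax checks, no DNS or map lookups.
# Group 2: the "hostile" client list for addresses that abuse postmaster@,
#          placed before the postmaster@ whitelist so it cannot be
#          bypassed (path and name assumed, not from the thread).
# Group 3: relay control. permit_mynetworks stays directly in front of
#          reject_unauth_destination so local clients can still send out.
# Group 4: postmaster@ whitelist (assumed to be the only OK entry in
#          to_recipients_bw.map), so a sender blocked by mistake can
#          still report it.
# Group 5: client IP black/white list. Any OK entry here is evaluated
#          only after reject_unauth_destination, so it cannot turn the
#          server into a partial relay.
# Group 6: DNS and probe-based checks, which cost time, go last;
#          reject_unknown_recipient_domain sits right after the hate list.
smtpd_recipient_restrictions =
    reject_unauth_pipelining,
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    check_client_access hash:/etc/postfix/postmaster_abusers.map,
    permit_mynetworks,
    reject_unauth_destination,
    check_recipient_access hash:/etc/postfix/to_recipients_bw.map,
    check_client_access hash:/etc/postfix/mta_clients_bw.map,
    check_recipient_access pcre:/etc/postfix/to_recipients_bw.regexp,
    reject_unknown_recipient_domain,
    reject_unknown_sender_domain,
    reject_unverified_sender,
    reject_unverified_recipient
```

After editing, `postconf -n smtpd_recipient_restrictions` shows the effective order and `postfix reload` applies it; test with a client outside mynetworks sending to a domain you do not host to confirm it is rejected before any access map is consulted.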
