On 26.01.2026 at 08:49:45 Randy Bush via Postfix-users wrote:
> and my main.cf used to say
>
> smtpd_recipient_restrictions =
>     permit_mynetworks,
>     permit_sasl_authenticated,
>     permit_auth_destination,
>     # reject_unauth_destination is not needed here if the mail
>     # relay policy is specified under smtpd_relay_restrictions
>     # (available with Postfix 2.10 and later).
>     reject_unauth_destination,
>     reject_unknown_recipient_domain,
>     reject_unverified_recipient
>
> yet mail to [email protected] was getting through to rspamd
>
> i think it was the ordering!! the following seems to work
>
> smtpd_recipient_restrictions =
>     reject_unauth_destination,
>     reject_unknown_recipient_domain,
>     reject_unverified_recipient,
>     permit_mynetworks,
>     permit_auth_destination

I think "permit_auth_destination" is the problem here. The documentation
says the following:

    permit_auth_destination
        Permit the request when one of the following is true:

        * Postfix is a mail forwarder: the resolved RCPT TO domain matches
          $relay_domains or a subdomain thereof, and the address contains no
          sender-specified routing (user@elsewhere@domain),
        * Postfix is the final destination: the resolved RCPT TO domain
          matches $mydestination, $inet_interfaces, $proxy_interfaces,
          $virtual_alias_domains, or $virtual_mailbox_domains, and the address
          contains no sender-specified routing (user@elsewhere@domain).

I guess the first condition is true in your case, i.e. foo.com is in
relay_domains. So permit_auth_destination is evaluated, returns the
definitive result (PERMIT), and - as with any Postfix restriction lists -
all further rules are not processed, so it never gets to evaluating the
reject_unverified_recipient rule.

When you changed the ordering, reject_unverified_recipient is evaluated
first and returns the definitive result (REJECT), so does not proceed any
further. It actually never gets to evaluating permit_auth_destination, but
it's no problem in this case.

I guess it would probably work better for you to split the restrictions
between smtpd_relay_restrictions for forwarding (as indicated in the comment
in the configuration you posted) and smtpd_recipient_restrictions for final
delivery, instead of putting one long and possibly self-contradictory list
of checks into the latter. That's what different restriction lists are for.

See http://www.postfix.org/SMTPD_ACCESS_README.html

--
Regards,
Jaroslaw Rafa
[email protected]
--
"In a million years, when kids go to school, they're gonna know: once there
was a Hushpuppy, and she lived with her daddy in the Bathtub."
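
The first-match evaluation discussed in this message, as an added example that is not part of the original post and is not Postfix code: a toy Python model that runs the original ordering, the reordered list and a relay/recipient split against one RCPT TO. The client address, the recipient, the contents of relay_domains and the verification result are constructed assumptions, and permit_sasl_authenticated and reject_unknown_recipient_domain are left out to keep the model short.

```python
"""Toy model of Postfix first-match restriction lists (illustration only)."""
import ipaddress

# Constructed sample state; every value is an assumption for this example.
MYNETWORKS = [ipaddress.ip_network("127.0.0.0/8")]
RELAY_DOMAINS = {"foo.com"}             # the reply's guess: foo.com is relayed
UNDELIVERABLE = {"nosuchuser@foo.com"}  # what an address probe would report

def _domain(rcpt):
    return rcpt.rsplit("@", 1)[1].lower()

def _local_client(client):
    return any(ipaddress.ip_address(client) in net for net in MYNETWORKS)

# Each restriction returns "PERMIT", "REJECT" or "DUNNO" (no decision).
RESTRICTIONS = {
    "permit_mynetworks":
        lambda c, r: "PERMIT" if _local_client(c) else "DUNNO",
    "permit_auth_destination":
        lambda c, r: "PERMIT" if _domain(r) in RELAY_DOMAINS else "DUNNO",
    "reject_unauth_destination":
        lambda c, r: "DUNNO" if _domain(r) in RELAY_DOMAINS else "REJECT",
    "reject_unverified_recipient":
        lambda c, r: "REJECT" if r.lower() in UNDELIVERABLE else "DUNNO",
}

def evaluate(names, client, rcpt):
    """One restriction list: the first PERMIT or REJECT ends the list."""
    for name in names:
        result = RESTRICTIONS[name](client, rcpt)
        if result != "DUNNO":
            return result, name
    return "PERMIT", None  # nothing decided: the list permits by default

def smtpd_decision(lists, client, rcpt):
    """Several lists in order: PERMIT moves on, REJECT in any list is final."""
    for names in lists:
        result, rule = evaluate(names, client, rcpt)
        if result == "REJECT":
            return result, rule
    return "PERMIT", None

ORIGINAL = ["permit_mynetworks", "permit_auth_destination",
            "reject_unauth_destination", "reject_unverified_recipient"]
REORDERED = ["reject_unauth_destination", "reject_unverified_recipient",
             "permit_mynetworks", "permit_auth_destination"]
# Hypothetical split: relay policy first, then recipient checks.
SPLIT = [["permit_mynetworks", "reject_unauth_destination"],
         ["reject_unverified_recipient"]]
```

In the split form a PERMIT in the relay list only ends that list, so the recipient list still runs and the unverified address is rejected there.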