Alex wrote:
Hi,
I hoped someone could clarify for me the difference between
check_sender_access and check_client_access? I don't know why the docs
are unclear to me.
Both restrictions look up something in an access table, and return a
result. With check_client_access, the thing that is looked up is the
client. By "client," the following is meant:
client hostname, parent domains, client IP address, or networks
obtained by stripping least significant octets
With check_sender_access, the "sender" of the message is used as the
lookup key. Again, multiple lookups are made:
MAIL FROM address, domain, parent domains, or localpart@
When is a sender_access restriction used and when is a client_access
restriction used? I thought the client_access was based on the
envelope information (MAIL FROM:), but I've read so much contradictory
information that I'm confused.
If you want to block the MAIL FROM address, use check_sender_access.
If I wanted to block mail from a specific remote user, as we normally
think of the "From:" field, it would go in client_access, I believe.
sender_access would be based on the RCPT TO: information, then?
Use check_sender_access to block email addresses, but beware that the
envelope (MAIL FROM) sender often disagrees with the "From:" header.
I'm not sure how the flow works; whether it's the client_access first
or sender_access, or vice-versa.
Normally, client information is available first, but if you're deferring
rejection, you can place the restrictions in any order you wish.
Below is my smtpd_recipient_restrictions again. Hopefully someone has
some ideas while I work on upgrading to a more recent version?
smtpd_recipient_restrictions =
reject_non_fqdn_sender
reject_non_fqdn_recipient
permit_mynetworks
check_client_access hash:/etc/postfix/pop-before-smtp
reject_unauth_destination
reject_invalid_hostname
reject_non_fqdn_hostname
reject_unknown_sender_domain
# reject_unknown_recipient_domain
# reject_unauth_pipelining
check_client_access hash:/etc/postfix/client_checks
check_client_access pcre:/etc/postfix/client_checks.pcre
check_recipient_access pcre:/etc/postfix/recipient_checks
check_helo_access hash:/etc/postfix/helo_checks
check_sender_access hash:/etc/postfix/sender_checks
check_sender_access hash:/etc/postfix/disallow_my_domain
check_recipient_access pcre:/etc/postfix/recipient_checks.pcre
I'm guessing even v1.x required commas between restrictions?