Alex wrote:
Hi,

I hoped someone could clarify for me the difference between
check_sender_access and check_client_access? I don't know why the docs
are unclear to me.

Both restrictions look up something in an access table, and return a result. With check_client_access, the thing that is looked up is the client. By "client," the following is meant:

  client hostname, parent domains, client IP address, or networks
  obtained by stripping least significant octets

With check_sender_access, the "sender" of the message is used as the lookup key. Again, multiple lookups are made:

  MAIL FROM address, domain, parent domains, or localpart@


When is a sender_access restriction used and when is a client_access
restriction used? I thought the client_access was based on the
envelope information (MAIL FROM:), but I've read so much contradictory
information that I'm confused.

If you want to block the MAIL FROM address, use check_sender_access.


If I wanted to block mail from a specific remote user, as we normally
think of the "From:" field, it would go in client_access, I believe.
sender_access would be based on the RCPT TO: information, then?

Use check_sender_access to block email addresses, but beware that the envelope (MAIL FROM) sender often disagrees with the "From:" header.


I'm not sure how the flow works; whether it's the client_access first
or sender_access, or vice-versa.

Normally, client information is available first, but if you're deferring rejection, you can place the restrictions in any order you wish.


Below is my smtpd_recipient_restrictions again. Hopefully someone has
some ideas while I work on upgrading to a more recent version?

smtpd_recipient_restrictions =
        reject_non_fqdn_sender
        reject_non_fqdn_recipient
        permit_mynetworks
        check_client_access hash:/etc/postfix/pop-before-smtp
        reject_unauth_destination
        reject_invalid_hostname
        reject_non_fqdn_hostname
        reject_unknown_sender_domain
        # reject_unknown_recipient_domain
        # reject_unauth_pipelining
        check_client_access hash:/etc/postfix/client_checks
        check_client_access pcre:/etc/postfix/client_checks.pcre
        check_recipient_access pcre:/etc/postfix/recipient_checks
        check_helo_access hash:/etc/postfix/helo_checks
        check_sender_access hash:/etc/postfix/sender_checks
        check_sender_access hash:/etc/postfix/disallow_my_domain
        check_recipient_access pcre:/etc/postfix/recipient_checks.pcre

I'm guessing even v1.x required commas between restrictions?
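
The two lookup-key sequences described above, as an added example that is not part of the original message and not Postfix code. It is a simplified Python model with constructed tables and a constructed session. Assumptions: IPv4 only, no address extensions, and parent domains tried without a leading dot down to the last label.

```python
# Simplified model of the access-table lookup keys described in the reply above.
# Added example, not Postfix code. Assumptions: IPv4 only, well-formed
# user@domain addresses, no address extensions, parent domains looked up
# without a leading dot and tried down to the last label.

def domain_keys(name):
    """Hostname or domain, then each parent domain."""
    labels = name.lower().split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]

def client_keys(hostname, ip):
    """check_client_access: hostname, parents, IP, then shorter networks."""
    octets = ip.split(".")
    nets = [".".join(octets[:n]) for n in range(len(octets), 0, -1)]
    return domain_keys(hostname) + nets

def sender_keys(mail_from):
    """check_sender_access: MAIL FROM address, domain, parents, localpart@."""
    local, _, domain = mail_from.lower().rpartition("@")
    return [f"{local}@{domain}"] + domain_keys(domain) + [f"{local}@"]

def lookup(table, keys):
    """Return (key, action) for the first key found in the table, else None."""
    for key in keys:
        if key in table:
            return key, table[key]
    return None

# Constructed sample data: the envelope address in CLIENT_TABLE is the
# misplacement the question is about; it can never match a client lookup.
CLIENT_TABLE = {"192.0.2": "REJECT", "spammer@example.net": "REJECT"}
SENDER_TABLE = {"example.net": "REJECT"}
HOST, IP, MAIL_FROM = "mail.example.org", "198.51.100.7", "spammer@example.net"

if __name__ == "__main__":
    print("client keys:", client_keys(HOST, IP))
    print("sender keys:", sender_keys(MAIL_FROM))
    print("client table hit:", lookup(CLIENT_TABLE, client_keys(HOST, IP)))
    print("sender table hit:", lookup(SENDER_TABLE, sender_keys(MAIL_FROM)))
```

The client lookup finds nothing for this session even though the sender's address is listed in the client table, while the sender lookup matches on the domain key.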
