Carlos Williams wrote:
> On Wed, Jan 20, 2010 at 10:34 AM, Ralf Hildebrandt
> <ralf.hildebra...@charite.de> wrote:
>> I would merge:
>>
>> smtpd_helo_restrictions = permit_mynetworks,
>> permit_sasl_authenticated, reject_non_fqdn_helo_hostname,
>> reject_invalid_helo_hostname
>>
>> smtpd_recipient_restrictions = permit_mynetworks,
>> permit_sasl_authenticated, reject_unauth_pipelining,
>> reject_non_fqdn_recipient, reject_unknown_recipient_domain,
>> reject_unauth_destination, reject_unlisted_recipient,
>> check_policy_service unix:postgrey/socket, check_sender_access
>> hash:/etc/postfix/sender_access,
>> check_helo_access pcre:/etc/postfix/helo_checks.pcre,
>> reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net
>>
>> into:
>
> Thank you very much for your merge suggestion. I am reading your book
> right now (pages 70-72) and trying to understand the concept of the
> merge suggestion. Would you mind explaining what benefit / performance
> is attributed by merging all?
>
> Are you suggesting I leave 'smtpd_helo_restrictions =' blank on my
> main.cf or should I omit that completely since there are no variables
> for this trigger?
>
> Thank you so much for your time and assistance!

For me it only makes sense to have separate smtpd_helo and smtp_recipient restrictions if you set smtpd_delay_reject to no. If set to yes, the check will anyway be performed only when the RCPT TO command is received. Furthermore, at the time of HELO there is no SASL auth done yet. So this setting does nothing there.

@Ralf would it not make more sense to place check_sender_access before the check_policy_service? Otherwise you might greylist senders you don't want (like maillists).

Regards
tobi
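
The ordering question raised in the reply above, as an added example that is not part of the thread and not Postfix code: a simplified Python model of first-match evaluation of a restriction list, showing what happens to a sender listed as OK in the sender table when greylisting runs before or after it. The table contents, addresses and the domain-only lookup are constructed assumptions.

```python
# Simplified model (an assumption, not Postfix code) of how smtpd evaluates a
# restriction list: restrictions run left to right and the first one that
# returns a definitive result (OK, REJECT, DEFER) ends the list; DUNNO means
# "no opinion, try the next restriction".

# Constructed sample data standing in for hash:/etc/postfix/sender_access.
SENDER_ACCESS = {"lists.example.org": "OK"}


def check_sender_access(session):
    # Domain-only lookup; the real table lookup tries more key forms.
    domain = session["sender"].rsplit("@", 1)[-1].lower()
    return SENDER_ACCESS.get(domain, "DUNNO")


def check_policy_service(session):
    # Stand-in for postgrey: defer any client/sender/recipient triplet that
    # has not been seen before, pass it on a later retry.
    triplet = (session["client"], session["sender"], session["recipient"])
    return "DUNNO" if triplet in session["seen_triplets"] else "DEFER"


def reject_unauth_destination(session):
    local = session["recipient"].rsplit("@", 1)[-1] in session["local_domains"]
    return "DUNNO" if local else "REJECT"


def evaluate(restrictions, session):
    """Return (result, deciding restriction name) for one RCPT TO."""
    for restriction in restrictions:
        result = restriction(session)
        if result != "DUNNO":
            return result, restriction.__name__
    return "OK", "end of list"  # nothing objected: the recipient is accepted


# Order from the quoted configuration: greylisting runs before the sender table.
QUOTED_ORDER = [reject_unauth_destination, check_policy_service, check_sender_access]
# Order asked about in the reply: sender table first, still after
# reject_unauth_destination so an OK from the table cannot permit relaying.
SWAPPED_ORDER = [reject_unauth_destination, check_sender_access, check_policy_service]


def first_delivery(order, sender, recipient="user@example.com"):
    """Evaluate the first delivery attempt of a never-seen triplet."""
    session = {"client": "192.0.2.10", "sender": sender, "recipient": recipient,
               "seen_triplets": set(), "local_domains": {"example.com"}}
    return evaluate(order, session)
```
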