On 8/5/2010 2:20 PM, Adam Lanier wrote:
On Thu, 2010-08-05 at 11:02 -0500, Noel Jones wrote:

You should remove your smtpd_client_restrictions and
smtpd_helo_restrictions (and smtpd_sender_restrictions if
you're using it) and put everything under
smtpd_recipient_restrictions arranged like so:

smtpd_recipient_restrictions =
# allow local access
    permit_mynetworks
# reject relay attempts
    reject_unauth_destination
# client whitelist.  Whitelist CLIENTS here.  A client
# can be an IP or a domain name without leading dots.
    check_client_access hash:/etc/postfix/client_whitelist
# local recipient blacklist
    check_recipient_access hash:/etc/postfix/denied-system-mailboxes
# all anti-spam restrictions go below here

Not to hijack this thread but can I ask a question regarding your
comment above?  You recommend keeping all client/helo restriction in the
smtpd_sender_restrictions.


smtpd_recipient_restrictions is what I wrote.



Is there any use case where the
smtpd_client_restrictions/smtpd_helo_restrictions would be preferred
over smtpd_sender_restrictions?  If not, why are they there?

It's easier to put everything in smtpd_recipient_restrictions, especially for non-expert users.

When you get into more complex rules -- something like permit only if A AND if B -- you may be able to do some things without resorting to restriction classes or a policy service. But these applications are fairly rare.


I understand that with smtpd_delay_reject, evaluation of the status for
client/helo/sender restrictions will not happen until the RCPT TO
command anyway.  If you had checks in smtpd_client_restrictions wouldn't
they still be evaluated prior to checks in smtpd_recipient_restrictions?

This is more about helping the admin understand what postfix is doing rather than micro-managing the flow.

When everything is under smtpd_recipient_restrictions, it's a simple "first match wins" flow.


What's the advantage of having all checks in
smtpd_recipient_restrictions?

The biggest advantage occurs when you must use a whitelist. If you use the multiple smtpd_*_restrictions sections you need to make sure to use your whitelist in each section and understand the interaction between the sections.


Sorry, that's more than one question :/







  -- Noel Jones
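
An added illustration, not part of the original thread and not Postfix code: a simplified Python model of the whitelist interaction described above, comparing a whitelist placed only in smtpd_client_restrictions with the single smtpd_recipient_restrictions list. The table contents, addresses and the two anti-spam rules chosen (reject_non_fqdn_helo_hostname, reject_rbl_client) are assumptions made for the example.

```python
# Simplified model of smtpd access evaluation at RCPT TO; all table contents are constructed.
MYNETWORKS = {"127.0.0.1"}
LOCAL_DOMAINS = {"example.com"}
CLIENT_WHITELIST = {"192.0.2.10"}  # stands in for hash:/etc/postfix/client_whitelist
DNSBL_LISTED = {"192.0.2.10", "203.0.113.5"}  # stands in for a DNSBL lookup

def permit_mynetworks(s):
    return "OK" if s["client"] in MYNETWORKS else None

def reject_unauth_destination(s):
    return None if s["rcpt"].split("@")[1] in LOCAL_DOMAINS else "REJECT"

def check_client_access(s):
    return "OK" if s["client"] in CLIENT_WHITELIST else None

def reject_non_fqdn_helo_hostname(s):
    return "REJECT" if "." not in s["helo"] else None

def reject_rbl_client(s):
    return "REJECT" if s["client"] in DNSBL_LISTED else None

STAGES = ("client", "helo", "sender", "recipient")

def evaluate(config, session):
    """Return (verdict, stage, rule) deciding the fate of one RCPT TO."""
    for stage in STAGES:
        for rule in config.get(stage, []):
            verdict = rule(session)
            if verdict == "REJECT":
                return ("REJECT", stage, rule.__name__)  # ends everything
            if verdict == "OK":
                break  # ends this list only; later lists still run
    return ("OK", None, None)

# Whitelist placed only in smtpd_client_restrictions.
SPLIT = {"client": [check_client_access, reject_rbl_client],
         "helo": [reject_non_fqdn_helo_hostname],
         "recipient": [permit_mynetworks, reject_unauth_destination]}
# Everything in smtpd_recipient_restrictions, ordered as in the message.
SINGLE = {"recipient": [permit_mynetworks, reject_unauth_destination, check_client_access,
                        reject_non_fqdn_helo_hostname, reject_rbl_client]}

PARTNER = {"client": "192.0.2.10", "helo": "mailhost", "rcpt": "user@example.com"}
SPAMMER = {"client": "203.0.113.5", "helo": "mx.example.net", "rcpt": "user@example.com"}
RELAY = {"client": "192.0.2.10", "helo": "mailhost", "rcpt": "victim@example.org"}

for cfg_name, cfg in (("split", SPLIT), ("single", SINGLE)):
    for s in (PARTNER, SPAMMER, RELAY):
        print(cfg_name, s["client"], s["rcpt"], evaluate(cfg, s))
```

In the split layout the whitelisted client is still rejected by the HELO list, while in the single list the whitelist entry is the first match; the relay case shows why the whitelist sits after reject_unauth_destination.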
