On 2 November 2011 18:23, Noel Jones <njo...@megan.vbhcs.org> wrote:
> On 11/2/2011 2:33 PM, Simon Brereton wrote:
>
>>> The checks "above" permit_mynetworks and permit_sasl_authenticated
>>> are checks you want applied to your networks and authenticated
>>> users.  Generally it's better to put those checks in
>>> smtpd_sender_restrictions.
>>
>> But I thought the recommended best practice was
>> to have it all in smtpd_recipient_restrictions..  :(
>
> That's a guideline, not a best practice -- big difference.
> If you want to apply some restriction to ALL connections -- both
> your own senders and outside mail -- it makes sense to put it in a
> different section.
>
> And mostly applies to access tables (check_*_access) since those
> must be handled carefully.

Finally, I get it (thanks Wietse and Jim)..  I was confusing the
binary (in most cases) action of check_*_access with the REJECT access
of reject_*

So, these should be fine anywhere before
reject_unauth_destination...

        reject_invalid_helo_hostname,
        reject_non_fqdn_helo_hostname,
        reject_unknown_helo_hostname,
        reject_unknown_sender_domain,
        reject_unknown_recipient_domain,

If I put them above mynetworks it applies to my networks too, but
doesn't make me an open relay.  And if I put them above permit_sasl_auth
then it applies to all connections (but the HELO ones would likely
knock out any road-warriors, but they should be using the submission
port anyway, right?)

Thanks again for your patience and guidance.

Simon
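
The distinction discussed in this thread, as an added example that is not part of the original message and not Postfix code: a simplified model of first-match evaluation showing that reject_* checks placed ahead of permit_mynetworks cannot open a relay, while an access table that returns OK ahead of reject_unauth_destination can. The session fields, the table entry and the list names are constructed for illustration.

```python
# Simplified model (an assumption, not Postfix source): a restriction list is
# walked in order and the first OK or REJECT ends it; DUNNO means "next one".
OK, REJECT, DUNNO = "OK", "REJECT", "DUNNO"

def reject_non_fqdn_helo_hostname(s):
    return DUNNO if "." in s["helo"] else REJECT

def reject_unknown_sender_domain(s):
    return DUNNO if s["sender_domain_resolves"] else REJECT

def permit_mynetworks(s):
    return OK if s["in_mynetworks"] else DUNNO

def permit_sasl_authenticated(s):
    return OK if s["sasl_authenticated"] else DUNNO

def reject_unauth_destination(s):
    return DUNNO if s["rcpt_is_local"] else REJECT

def check_sender_access(table):
    # Unlike reject_*, an access table lookup can return OK.
    return lambda s: table.get(s["sender"], DUNNO)

def evaluate(restrictions, session):
    for restriction in restrictions:
        verdict = restriction(session)
        if verdict != DUNNO:
            return verdict
    return OK  # nothing objected by the end of the list

# Constructed sessions: an outside client relaying to a foreign domain,
# and a host in mynetworks that sends a bare HELO name.
STRANGER = dict(helo="mail.example.net", sender="boss@example.com",
                sender_domain_resolves=True, in_mynetworks=False,
                sasl_authenticated=False, rcpt_is_local=False)
LAN_HOST = dict(STRANGER, helo="laptop", in_mynetworks=True)

REJECTS_FIRST = [reject_non_fqdn_helo_hostname, reject_unknown_sender_domain,
                 permit_mynetworks, permit_sasl_authenticated,
                 reject_unauth_destination]
ACCESS_FIRST = [check_sender_access({"boss@example.com": OK}),
                permit_mynetworks, permit_sasl_authenticated,
                reject_unauth_destination]

if __name__ == "__main__":
    for name, rules in (("reject_* first", REJECTS_FIRST),
                        ("OK access table first", ACCESS_FIRST)):
        print(name, "stranger:", evaluate(rules, STRANGER),
              "lan host:", evaluate(rules, LAN_HOST))
```

In this model the LAN host with a bare HELO name is rejected under the first ordering, which is the "applies to my networks too" effect described above.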
