On 2 November 2011 18:23, Noel Jones <njo...@megan.vbhcs.org> wrote:
> On 11/2/2011 2:33 PM, Simon Brereton wrote:
>
>>> The checks "above" permit_mynetworks and permit_sasl_authenticated
>>> are checks you want applied to your networks and authenticated
>>> users. Generally it's better to put those checks in
>>> smtpd_sender_restrictions.
>>
>> But I thought the recommended best practice was
>> to have it all in smtpd_recipient_restrictions.. :(
>
> That's a guideline, not a best practice -- big difference.
> If you want to apply some restriction to ALL connections -- both
> your own senders and outside mail -- it makes sense to put it in a
> different section.
>
> And mostly applies to access tables (check_*_access) since those
> must be handled carefully.

Finally, I get it (thanks Wietse and Jim).. I was confusing the binary
(in most cases) action of check_*_access with the REJECT access of
reject_*.

So, these should be fine anywhere before reject_unauth_destination...

reject_invalid_helo_hostname,
reject_non_fqdn_helo_hostname,
reject_unknown_helo_hostname,
reject_unknown_sender_domain,
reject_unknown_recipient_domain,

If I put them above mynetworks it applies to my networks too, but
doesn't make me an open relay. And if I put them above permit_sasl_auth
then it applies to all connections (but the HELO ones would likely
knock out any road-warriors (but they should be using the submission
port anyway, right?)).

Thanks again for your patience and guidance.

Simon
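
The distinction this thread arrives at, as an added example that is not part of the original messages: a simplified Python model of Postfix's first-match evaluation, showing that reject_* rules placed above permit_mynetworks can only refuse mail, while an access-table OK placed before reject_unauth_destination skips the relay check. The session fields, the access-table entry and the FQDN test (a dot in the HELO name) are constructed assumptions, not Postfix internals.

```python
REJECT, OK, DUNNO = "REJECT", "OK", "DUNNO"

# Each restriction maps a session (dict) to a verdict. reject_* can only
# return REJECT or DUNNO; permit_* and access-table lookups can return OK.
RULES = {
    "reject_non_fqdn_helo_hostname":   # assumption: "has a dot" stands in for FQDN
        lambda s: DUNNO if "." in s["helo"] else REJECT,
    "reject_unknown_sender_domain":
        lambda s: DUNNO if s["sender_domain_resolves"] else REJECT,
    "permit_mynetworks":
        lambda s: OK if s["in_mynetworks"] else DUNNO,
    "permit_sasl_authenticated":
        lambda s: OK if s["sasl_authenticated"] else DUNNO,
    "reject_unauth_destination":
        lambda s: DUNNO if s["rcpt_is_local"] else REJECT,
    # Constructed access table: one sender address mapped to OK.
    "check_sender_access":
        lambda s: OK if s["sender"] == "friend@example.org" else DUNNO,
}

def evaluate(restrictions, session):
    """First REJECT or OK ends the walk; all-DUNNO means the mail is accepted."""
    for name in restrictions:
        verdict = RULES[name](session)
        if verdict != DUNNO:
            return verdict, name
    return OK, "end of list"

# Constructed session: outside client, recipient in a foreign domain, and a
# sender address that matches the access table (sender addresses are unverified).
OUTSIDER = {"helo": "mail.example.net", "sender": "friend@example.org",
            "sender_domain_resolves": True, "in_mynetworks": False,
            "sasl_authenticated": False, "rcpt_is_local": False}
# Constructed session: trusted-network client that sends a bare HELO name.
INSIDER = dict(OUTSIDER, helo="laptop", in_mynetworks=True)

# reject_* checks first: applies to everyone, cannot open a relay.
SAFE = ["reject_non_fqdn_helo_hostname", "reject_unknown_sender_domain",
        "permit_mynetworks", "permit_sasl_authenticated",
        "reject_unauth_destination"]
# Access table before reject_unauth_destination: an OK ends evaluation early.
RISKY = ["check_sender_access", "permit_mynetworks",
         "permit_sasl_authenticated", "reject_unauth_destination"]

if __name__ == "__main__":
    print(evaluate(SAFE, OUTSIDER))   # relay attempt refused by the relay check
    print(evaluate(RISKY, OUTSIDER))  # table OK returned before the relay check runs
    print(evaluate(SAFE, INSIDER))    # HELO check also hits clients in mynetworks
```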