On 22/2/2012 1:31 πμ, mouss wrote:
it is safer to use smtpd_sender/helo/client_restrictions instead of
smtpd_recipient_restrictions:
smtpd_sender_restrictions =
check_recipient_access hash:/etc/postfix/protected_users,
...
this way, errors in your checks or maps won't break the functionality of
reject_unauth_destination, which is there to protect you (and us) from
being an open relay.
Thank you very much for the advice.
Some clarifications, please:
You mean that an error entry in the maps might be such that it would
allow - under certain circumstances - an undesired "ACCEPT" which would
bypass reject_unauth_destination (due to the resulting stop in the
evaluation of the rest of the statements in the
smtpd_recipient_restrictions directive)? Or is it possible that an error
in the maps might cause the whole smtpd_recipient_restrictions directive
to become inoperable?
Also a documentation one: If the very same restriction can be equally
well placed either within smtpd_recipient_restrictions or
smtpd_sender_restrictions, yet it is better to be placed within the
latter, wouldn't it be useful to mention this in the associated examples
in the relevant documentation page
(http://www.postfix.org/RESTRICTION_CLASS_README.html) which we usually
use as a reference? Are there any other important differences between
the two approaches?
Thanks again,
Nick
