Hi,

On Mon, Dec 21, 2015 at 2:18 PM, Noel Jones <njo...@megan.vbhcs.org> wrote:
> On 12/21/2015 12:13 PM, Alex wrote:
>>> For hash: access tables, the correct line is (assuming the default
>>> value of parent_domain_matches_subdomains):
>>>
>>> invalid.example.com OK
>>>
>>> See the access table documentation, pattern search order section for
>>> details.
>>> http://www.postfix.org/access.5.html
>>
>> I've been confused by that man page in the past, but I'm not sure
>> that's the problem here. I actually had that in the file already, and
>> it just stopped working about a week ago. I just added the
>> sender_access file to smtpd_recipient_access and now it's working:
>>
>> smtpd_recipient_restrictions =
>>     reject_non_fqdn_recipient,
>>     check_sender_access hash:/etc/postfix/sender_checks,
>>     reject_non_fqdn_sender,
>>     reject_unlisted_recipient,
>>     reject_unknown_recipient_domain,
>>     permit_mynetworks,
>>     reject_unauth_destination,
>>     reject_unknown_sender_domain,
>>
>> I can't imagine that's the right way to do it, but don't understand
>> why recipient_restrictions is consulted and generally why it's now
>> working with the same pattern.
>>
>> Thanks,
>> Alex
>>
>
>
> It's perfectly valid to do sender checks in
> smtpd_recipient_restrictions. Many people put all their
> restrictions in smtpd_recipient_restrictions to make whitelisting
> easier and to have all the rules in one place.
> http://www.postfix.org/postconf.5.html#smtpd_recipient_restrictions
> see the part near the bottom about "other restrictions valid in this
> context".

I initially had all the restrictions in smtpd_recipient_restrictions,
but thought it made it more clear to separate them, and was also
following someone's guidelines from this list. I thought it would be
easier just for the way my thought process worked, but it sounds like
there's much more overlap between restrictions than I thought. I don't
think I realized that sender and helo restrictions could also be
included with recipient restrictions.

I still don't understand why the sender exclusion wasn't processed
when it was listed in the smtpd_sender_restrictions, however.

> Is this client listed in $mynetworks? If so, that's why it didn't
> work before, and works now.

No, it's not in $mynetworks. Besides, isn't it reject_non_fqdn_sender
which blocked it, and comes before permit_mynetworks?
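
Added example (not part of the original message and not Postfix code): a simplified Python model of how separate smtpd restriction lists are evaluated, showing that an OK from an access table ends only the list it appears in, while a REJECT from any list is final. The table contents, addresses, and the RESOLVABLE and LOCAL_DOMAINS sets are constructed; smtpd_relay_restrictions and the full access(5) search order are not modelled.

```python
# Simplified model of smtpd restriction lists (added example, not Postfix code).
# Each restriction returns "OK", "REJECT" or "DUNNO" for a session dict.
RESOLVABLE = {"example.org"}                    # constructed stand-in for DNS
LOCAL_DOMAINS = {"example.org"}                 # constructed stand-in for mydestination
SENDER_CHECKS = {"invalid.example.com": "OK"}   # the hash: table entry from the thread

def domain_of(address):
    return address.rpartition("@")[2].lower()

def check_sender_access(s):
    # Domain lookup only; the full access(5) search order is not modelled.
    return SENDER_CHECKS.get(domain_of(s["sender"]), "DUNNO")

def reject_unknown_sender_domain(s):
    return "DUNNO" if domain_of(s["sender"]) in RESOLVABLE else "REJECT"

def reject_unauth_destination(s):
    return "DUNNO" if domain_of(s["rcpt"]) in LOCAL_DOMAINS else "REJECT"

def evaluate(lists, session):
    """Return (verdict, deciding restriction). OK ends one list, REJECT ends all."""
    for restrictions in lists:
        for r in restrictions:
            result = r(session)
            if result == "REJECT":
                return "REJECT", r.__name__
            if result == "OK":
                break               # skip the rest of this list only
    return "ACCEPT", None

# Layout A: whitelist in smtpd_sender_restrictions, rejects in the recipient list.
SPLIT = [[check_sender_access],
         [reject_unauth_destination, reject_unknown_sender_domain]]
# Layout B: whitelist ahead of the rejects inside smtpd_recipient_restrictions.
COMBINED = [[check_sender_access, reject_unauth_destination,
             reject_unknown_sender_domain]]
# Layout C: same single list, whitelist placed after reject_unauth_destination.
REORDERED = [[reject_unauth_destination, check_sender_access,
              reject_unknown_sender_domain]]

# Constructed sessions: one local recipient, one off-site recipient.
INBOUND = {"sender": "alerts@invalid.example.com", "rcpt": "alex@example.org"}
OFFSITE = {"sender": "alerts@invalid.example.com", "rcpt": "someone@elsewhere.test"}

if __name__ == "__main__":
    for name, layout in (("split", SPLIT), ("combined", COMBINED), ("reordered", REORDERED)):
        print(name, evaluate(layout, INBOUND), evaluate(layout, OFFSITE))
```

In this model the combined layout also accepts the constructed off-site recipient, because the OK ends the list before reject_unauth_destination runs and the envelope sender is not authenticated. The reordered layout keeps the whitelist for local recipients and still rejects the off-site one.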