On Thu, Jan 14, 2021 at 11:40:34AM -0500, Wietse Venema wrote:
> > Unfortunately, smtpd_recipient_restrictions runs *before*
> > smtpd_relay_restrictions (in recent Postfix releases), and there was
> > some discussion of making that configurable, but I forget where that
> > ended up... I agree that one would naively expect the relay checks
> > to run first, and the current behaviour (though "safer" in some
> > sense) is surprising.
>
> We could gate this with "compatibility_level = 3.6" which is already
> being used for some TLS-related breaking changes.
>
> Strawman:
>
> smtpd_relay_before_recipient_restictions =
> ${ {$compatibility_level} <level {3.6} ? {no} : {yes} }
Yes, that seems quite reasonable.
Note to the reader, there is no typo there, the correct syntax is
as written above with "{$compatibility_level}" and not what you'd
typically see in shell scripts, etc. "${compatibility_level}".
The reason is that per postconf(5):
http://www.postfix.org/postconf.5.html
The expression "${name?{value1}:{value2}}" is replaced with "value1"
when "$name" is non-empty, and with "value2" when "$name" is empty.
The "{}" is required for "value1", optional for "value2". The
parameter name must contain only characters from the set
[a-zA-Z0-9_]. This form is supported with Postfix versions >= 3.0.
The first item inside "${...}" may be a relational expression of the
form: "{value3} == {value4}". Besides the "==" (equality) operator
Postfix supports "!=" (inequality), "<", "<=", ">=", and ">". The
comparison is numerical when both operands are all digits, otherwise
the comparison is lexicographical. These forms are supported with
Postfix versions >= 3.0.
[ The HTML manpage displays unicode glyphs for "<=" and ">=", but these
are not supported in that form. ]
--
Viktor.
