On 3/10/2021 12:58 PM, Antonio Leding wrote:
Hello all,
I’ve been digging into restriction lists a bit more and grinding
away on the rationale between seperating restrictions across each of
the first four lists (CLIENT, HELO, SENDER, & RECIPIENT) vs. just
placing them all in RECIPIENT.
Let me also state that yes, I have read the SMTPD_ACCESS_README file
- several times in fact - and also spent a fair amount of time
researching this in the mail-list archives. My research & testing
has led me to understand that regardless of which list issues a
REJECT\DEFER, the result is the exact same — the message is denied.
There is no other implication related to the actual list that issued
the REJECT\DEFER.
Therefore, the only rationale I can find to place restrictions in
the separate lists is the following:
*
The lists, taken as a group, operate as an AND for PERMIT
purposes but an OR for REJECT\DEFER purposes.
*
Therefore, with restrictions in each of the 4 lists, allowed
messages must gather several PERMITs whereas denied messages
need only gather 1 REJECT\DEFER.
*
Placing all of the rules in only the RECIPIENT list changes this
model to become an OR for both PERMIT as well as REJECT\DEFER
purposes.
Did I get this correctly? Or am I horribly off-base and missing
something more relevant here?
Thanks in advance for your feedback…
Yes, the above is correct.
One consideration to either split your restrictions or combine them
in recipient checks is when making exceptions.
If you split your restrictions across all the sections, you can make
more complex rules by altering what is rejected or allowed in each
section. But exceptions must be listed in each section to get to the
final PERMIT.
OTOH if you list everything in smtpd_recipient_restrictions, you'll
probably only need to maintain one manual permit/reject access list.
-- Noel Jones