I now have

smtpd_client_restrictions =
    permit_mynetworks
    permit_inet_interfaces
    check_client_access hash:$config_directory/tables/smtpd_client_access
    reject
smtpd_client_restrictions_katharion =
    permit_mynetworks
    permit_sasl_authenticated
    check_client_access
        hash:$config_directory/tables/smtpd_client_access_katharion
    reject

The latter restricts an interface in master.cf to the relay servers of
an external spam-filtering service:

192.168.1.97:25 inet n - n - - smtpd
    -o smtpd_client_restrictions=${smtpd_client_restrictions_katharion}
    -o smtpd_recipient_restrictions=${smtpd_recipient_restrictions_katharion}
    -o cleanup_service_name=cleanup_katharion

I was under the impression that `permit_inet_interfaces' in
smtpd_client_restrictions would've allowed requests coming *through*
the inet_interfaces (currently defined as 127.0.0.1, 192.168.1.99 –
still in the testing environment) but not from the additional
interface created in master.cf as 192.168.1.97. But apparently this is
not the case; apparently permit_inet_interfaces allows the request
when its IP matches that _of_ the interface, i.e. in this case
127.0.0.1 or 192.168.1.99. When would a request match one of those?
What, in other words, is the use for permit_inet_interfaces?

Since I'm interested in matching the remote clients, I think I need to
create a restriction like the smtpd_client_access_katharion, but in
reverse so that any other client is allowed on the "public" interface
but not one of the spam filtering service (though nobody is going to
violate that rule so it's a bit of a moot point).
Ville
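
Added example, not part of the original post and not Postfix code: a simplified Python model of how the client restriction lists above are evaluated, showing that permit_inet_interfaces compares the client address with $inet_interfaces and that the listening interface never enters the decision. Assumptions: MYNETWORKS, the 192.0.2.0/24 relay range, the table contents and the PUBLIC list are constructed for illustration; hostname lookups and SASL are not modelled.

```python
import ipaddress

# From the post; MYNETWORKS is an assumption (the post does not show it).
INET_INTERFACES = ["127.0.0.1", "192.168.1.99"]
MYNETWORKS = ["127.0.0.0/8"]
# Constructed tables: 192.0.2.0/24 stands in for the filtering service's
# relays, whose real addresses are not given in the post.
KATHARION_TABLE = {"192.0.2": "OK"}
PUBLIC_TABLE = {"192.0.2": "REJECT"}  # the "reverse" table the post proposes

DEFAULT = ["permit_mynetworks", "permit_inet_interfaces",
           "check_client_access", "reject"]
KATHARION = ["permit_mynetworks", "permit_sasl_authenticated",
             "check_client_access", "reject"]
PUBLIC = ["check_client_access", "permit"]  # hypothetical reversed list


def table_lookup(table, client_ip):
    """Try the full IPv4 address, then strip octets from the right,
    the way access(5) describes subnetwork matching."""
    parts = client_ip.split(".")
    for n in range(4, 0, -1):
        action = table.get(".".join(parts[:n]))
        if action:
            return action
    return None


def evaluate(restrictions, client_ip, table):
    """Return 'permit' or 'reject'. The listener address is not an input:
    every restriction modelled here looks only at the client address."""
    addr = ipaddress.ip_address(client_ip)
    for r in restrictions:
        if r == "permit_mynetworks":
            if any(addr in ipaddress.ip_network(n) for n in MYNETWORKS):
                return "permit"
        elif r == "permit_inet_interfaces":
            if client_ip in INET_INTERFACES:
                return "permit"
        elif r == "check_client_access":
            action = table_lookup(table, client_ip)
            if action in ("OK", "REJECT"):
                return "permit" if action == "OK" else "reject"
        elif r in ("permit", "reject"):
            return r
        # permit_sasl_authenticated: client assumed unauthenticated, no match
    return "permit"  # end of list with no decision: this list does not reject
```

With an empty table standing in for smtpd_client_access, evaluate(DEFAULT, "192.168.1.99", {}) permits because the client is the host's own address, while a remote client such as 198.51.100.7 falls through to reject regardless of which listener accepted it.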