KLaM Postmaster wrote:
> I have just finished reading a bunch of stuff on UCE and the "effects"
> of the various parameters associated with the smtpd_*_restrictions, and
> I am now somewhat confused as two of the authors I have been reading
> state that if a message receives an "OK" from any check then all further
> checks are abandoned. This does not make any sense and I am fairly sure
> that they got it backward but both of them are adamant!
>
> This is/was my understanding, from reading the documentation and
> elsewhere. If a restriction check was successful (i.e., OK/DUNNO) then
> postfix moves on to the next check, if on the other hand the check was
> unsuccessful then the message is dropped and no further checks are done.
>

if a check returns OK, then postfix will skip all other checks in the same smtpd_*_restrictions. if you want to continue to the following checks, return DUNNO, not OK.

> e.g., if the following is the sequence in main.cf :
>
> smtpd_xxx_restrictions = reject_non_fdqn_hostname,
> reject_unknown_recipient_domain, reject_non_fdqn_recipient, (permit)
>
> then if the hostname is a fdqn, then postfix continues on to
> unknown_recipient, and if that is OK moves on to the non-fdqn_recipient
> ... until it runs out of checks at which point the default (usually
> permit) is exercised.

reject_* never returns OK. so let's choose a better example:

smtpd_client_restrictions =
    check_sender_access hash:/etc/postfix/access_sender
    reject_non_fqdn_helo_hostname

if the check_sender_access returns OK, then postfix will move to smtpd_helo_restrictions. it will skip the reject_non_fqdn_helo_hostname check.

if the check_sender_access returns REJECT, postfix rejects the connection and no more checks are performed.

if the check returns DUNNO, postfix continues to "reject_non_fqdn_helo_hostname".

> if on the other hand the hostname is _not_ a fdqn the message is dropped
> and no further checks are performed under the xxx restrictions.
> Furthermore, if a message is dropped at say the client phase then checks
> in helo and subsequent phases are not performed.
>

yes.
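
The evaluation order described in the reply above, as an added example that is not part of the original thread and is not Postfix code: a simplified Python model in which an access-table OK bypasses the later reject in the same list. The contents of smtpd_helo_restrictions and all lookup results are constructed assumptions.

```python
# Simplified model of the evaluation order described in this thread.
# Not Postfix source code; the lookup results below are constructed.
OK, DUNNO, REJECT = "OK", "DUNNO", "REJECT"

ACCESS = "check_sender_access hash:/etc/postfix/access_sender"
NON_FQDN_HELO = "reject_non_fqdn_helo_hostname"
INVALID_HELO = "reject_invalid_helo_hostname"  # assumed content of the next list

STAGES = [
    ("smtpd_client_restrictions", [ACCESS, NON_FQDN_HELO]),
    ("smtpd_helo_restrictions", [INVALID_HELO]),
]

def evaluate(stages, results):
    """Walk the lists in order; return (final action, checks that ran).

    results maps a check to its outcome; a missing check means DUNNO.
    """
    ran = []
    for list_name, checks in stages:
        for check in checks:
            outcome = results.get(check, DUNNO)
            ran.append((list_name, check, outcome))
            if outcome == REJECT:
                return REJECT, ran      # rejected: no further checks anywhere
            if outcome == OK:
                break                   # skip the rest of THIS list only
            # DUNNO: fall through to the next check in the same list
    return "PERMIT", ran                # ran out of checks: default permit

def checks_run(results):
    """Evaluate STAGES and return (action, names of the checks that ran)."""
    action, ran = evaluate(STAGES, results)
    return action, [check for _, check, _ in ran]

if __name__ == "__main__":
    # Constructed case: the client sends a non-FQDN HELO name.
    bad_helo = {NON_FQDN_HELO: REJECT}
    for table_result in (OK, DUNNO, REJECT):
        action, ran = checks_run({**bad_helo, ACCESS: table_result})
        print(f"access table returns {table_result:6} -> {action:6} ran: {ran}")
```

With the access table returning OK, the non-FQDN HELO check never runs, which is why an access map entry meant only to "not reject" should return DUNNO.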