On 2024-05-28 at 20:25:14 UTC-0400 (Wed, 29 May 2024 02:25:14 +0200)
John Fawcett via Postfix-users <j...@voipsupport.it>
is rumored to have said:

> On 29/05/2024 01:11, Bill Cole via Postfix-users wrote:
>> On 2024-05-28 at 18:50:11 UTC-0400 (Wed, 29 May 2024 00:50:11 +0200)
>> John Fawcett via Postfix-users <j...@voipsupport.it>
>> is rumored to have said:
>>
>>> [...]
>>> Hi John
>>>
>>> I think you are missing the following in master.cf for the submission service
>>>
>>> -o smtpd_delay_reject=no
>>>
>>> Without that the smtpd_client_restrictions will not be evaluated when the client connects and so you will allow the connected client to try authentication.
>>
>> That is not what is happening here. The order of restrictions within the same restriction list matters, and Postfix is careful about logic. If you put permit_sasl_authenticated ahead of reject_rbl_client, the permit must be able to take effect without evaluating the reject condition. That demands allowing as many AUTH commands as your other config will allow to fail.
>
> Hi Bill
>
> You're right that the order matters and the reject_rbl_client should be the first restriction in smtpd_client_restrictions for the submission service. Actually it is probably the only one that is really needed.

With all the flux and piecemeal configs posted, I'm not quite certain, but you are likely correct.

> I may be wrong but I don't believe that specifying permit_sasl_authenticated influences behaviour in allowing AUTH attempts. I believe it will just evaluate to permitting the access if at the time of the evaluation the user is authenticated.

Based on what Viktor has posted since, which I consider authoritative, you were right about needing smtpd_delay_reject=no and reject_rbl_client in the client restrictions for rejection to happen before any AUTH command can be tried.


--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo@toad.social and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
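
The two submission setups discussed in this thread, side by side, as an added example that is not taken from any poster's configuration. `dnsbl.example.org` is a placeholder zone, and the `mua_client_weak` / `mua_client_strict` macro names are hypothetical.

```conf
# ---- main.cf (used by both variants below) ----
# dnsbl.example.org is a placeholder zone, not one named in the thread.
# The two macro names are hypothetical; user-defined macros keep
# whitespace out of the master.cf "-o name=value" overrides.
mua_client_weak   = permit_sasl_authenticated, reject_rbl_client dnsbl.example.org
mua_client_strict = reject_rbl_client dnsbl.example.org

# ---- master.cf, BEFORE: the DNSBL check is reached too late ----
# smtpd_delay_reject keeps its default (yes), so smtpd_client_restrictions
# is not evaluated until RCPT TO. A DNSBL-listed client can still connect
# and attempt AUTH.
submission inet n       -       n       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=$mua_client_weak

# ---- master.cf, AFTER: use this entry instead of the one above ----
# smtpd_delay_reject=no evaluates smtpd_client_restrictions when the
# client connects, and reject_rbl_client is the first (and only) entry,
# so a listed client is rejected before any AUTH command can be tried.
# No client is authenticated at connect time, so a
# permit_sasl_authenticated entry cannot exempt a listed client here.
submission inet n       -       n       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_delay_reject=no
  -o smtpd_client_restrictions=$mua_client_strict
```

After reloading, `postconf -P 'submission/inet/*'` lists the per-service overrides that are actually in effect.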
