On Fri, Aug 08, 2025 at 10:22:30PM -0600, James Feeney via Postfix-users wrote:
> 3) In the postfix configuration, SASL will not even work when the
> postfix "restrictions" otherwise fail. And those restrictions become
> confusing with the statement in
> https://www.postfix.org/SMTPD_ACCESS_README.html:
----

This is not entirely true, and is entirely unrelated to SASL...

> Specifically, when using "-o
> smtpd_client_restrictions=reject_unknown_client_hostname,permit_sasl_authenticated,reject",
> the "sasl authentication" will never happen, and access will fail
> immediately with "reject", *except* when using the default
> "smtpd_delay_reject = yes".

As expected, because with "smtpd_delay_reject = no", all checks that
require *future* data that is not available at the time of evaluation
are skipped.

Since with "smtpd_delay_reject = no" the client restrictions are
evaluated at connect (before issuing the SMTP server's banner), it is
*impossible* to evaluate SASL restrictions. This is NOT in any way
specific to SASL, the same applies to:

    # This has unavoidable semantic consequences beyond mere timing...
    #
    smtpd_delay_reject = no

    # Pointless, all the checks are premature and ignored.
    # Only the client IP address, rDNS name, and FCrDNS name are known.
    #
    smtpd_client_restrictions =
        check_sender_access inline:{{[email protected] = reject}},
        permit_sasl_authenticated,
        reject_unauth_destination

    # Pointless, all the checks are premature and ignored.
    # In addition to the above, only the client helo name is known.
    #
    smtpd_helo_restrictions =
        permit_sasl_authenticated,
        check_sender_access inline:{{[email protected] = reject}},
        reject_unauth_destination

The solution for "permit_sasl_authenticated" is to evaluate it in the
sender restrictions or later; with "smtpd_delay_reject = no", both the
client and helo restrictions are too early for what should be obvious
reasons.

-- 
    Viktor.  🇺🇦 Слава Україні!
