James Feeney via Postfix-users:
> Hey Viktor
> 
> On Sat, 2025-08-09 at 15:26 +1000, Viktor Dukhovni via Postfix-users wrote:
> > As expected, because with "smtpd_delay_reject = no", all checks that
> > require *future* data that is not available at the time of evaluation are
> > skipped.  Since with "smtpd_delay_reject = no" the client restrictions
> > are evaluated at connect (before issuing the SMTP server's banner),
> > it is *impossible* to evaluate SASL restrictions.

If you explicitly override the rule evaluation order with
"smtp_delay_reject=no", and you want to configure a condition on
AUTH credentials (or MAIL FROM address, or RCPT TO address), then
you need to configure that condition at or after the corresponding
protocol stage.

For example, smtp_helo_restrictions lists the possible conditions
for the HELO (EHLO) argument, and then says how information from
other protocol stages may be used:

       Other restrictions that are valid in this context:

       .      Generic restrictions that can be used in any SMTP command
              context, described under smtpd_client_restrictions.

       .      Client hostname or network address specific restrictions
              described under smtpd_client_restrictions.

       .      SMTP command specific restrictions described under
              smtpd_sender_restrictions or smtpd_recipient_restrictions. When
              sender or recipient restrictions are listed under
              smtpd_helo_restrictions, they have effect only with
              "smtpd_delay_reject = yes", so that $smtpd_helo_restrictions is
              evaluated at the time of the RCPT TO command.

Similar text exists for smtpd_sender_restrictions and so on.

        Wietse
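
An added example, not part of the original message and not Postfix code: a small Python check that reads main.cf text and, when "smtpd_delay_reject = no" is set, reports restrictions listed at a stage earlier than the data they need. The stage table is a partial, assumed mapping (AUTH data is treated as available from MAIL FROM onward, since AUTH follows EHLO), and the sample main.cf is constructed.

```python
import re

STAGES = ["client", "helo", "sender", "recipient"]  # SMTP protocol order
LISTS = {f"smtpd_{s}_restrictions": i for i, s in enumerate(STAGES)}
# Earliest stage index at which each restriction has its input (partial table).
NEEDS = {
    "check_helo_access": 1, "reject_unknown_helo_hostname": 1,
    "permit_sasl_authenticated": 2,  # AUTH happens after EHLO, before MAIL FROM
    "check_sender_access": 2, "reject_unknown_sender_domain": 2,
    "check_recipient_access": 3, "reject_unauth_destination": 3,
}

def parse_main_cf(text):
    """Return {parameter: value}, joining whitespace-led continuation lines."""
    params, name = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and name:
            params[name] += " " + line.strip()
        elif "=" in line:
            name, value = (p.strip() for p in line.split("=", 1))
            params[name] = value
    return params

def premature_restrictions(text):
    """List (restriction list, restriction, earliest usable list) findings."""
    params = parse_main_cf(text)
    if params.get("smtpd_delay_reject", "yes") != "no":
        return []  # default: every list is evaluated at RCPT TO
    findings = []
    for list_name, stage in LISTS.items():
        for tok in re.split(r"[,\s]+", params.get(list_name, "")):
            need = NEEDS.get(tok)
            if need is not None and need > stage:
                findings.append((list_name, tok, f"smtpd_{STAGES[need]}_restrictions"))
    return findings

# Constructed sample configuration.
SAMPLE = """\
smtpd_delay_reject = no
smtpd_client_restrictions = permit_mynetworks,
    permit_sasl_authenticated, reject
smtpd_helo_restrictions = reject_unknown_helo_hostname, reject_unknown_sender_domain
smtpd_recipient_restrictions = permit_sasl_authenticated, reject_unauth_destination
"""

if __name__ == "__main__":
    for where, what, earliest in premature_restrictions(SAMPLE):
        print(f"{what} in {where}: no data yet, use {earliest} or later")
```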