Robert Lopez wrote:
> My understanding of client and sender are these:
> Client: An application used to send, receive e-mail messages.
> Sender: The from or sender "name" in the header that shows who (is
> claimed to have) sent the email.
>

Indeed.

> The context of the use that has me concerned are these:
> smtpd_client_restrictions and smtpd_sender_restrictions
>
> I currently have these lines in main.cf:
>
> check_client_access=hash:/etc/postfix/access
> smtpd_client_restrictions =
>     permit_mynetworks
>     hash:/etc/postfix/whitelist
>

This is deprecated syntax equivalent to "check_client_access hash:/etc/postfix/whitelist"

>     reject_rbl_client zen.spamhaus.org
>     reject_rbl_client bl.spamcop.net
>     reject_rbl_client dnsbl.njabl.org
>     reject_rbl_client blackholes.five-ten-sg.com=127.0.0.4
>     reject_rbl_client blackholes.five-ten-sg.com=127.0.0.5
>     reject_rbl_client blackholes.five-ten-sg.com=127.0.0.6
>     reject_rbl_client blackholes.five-ten-sg.com=127.0.0.7
>     reject_rbl_client blackholes.five-ten-sg.com=127.0.0.8
>     reject_rbl_client blackholes.five-ten-sg.com=127.0.0.9
>     reject_rbl_client blackholes.five-ten-sg.com=127.0.0.10
>     reject_rbl_client blackholes.five-ten-sg.com=127.0.0.11
>     reject_rbl_client blackholes.five-ten-sg.com=127.0.0.13
>     permit
>
> smtpd_sender_restrictions =
>     check_sender_access hash:/etc/postfix/greylist
>     check_sender_access hash:/etc/postfix/sender_access
>     permit_mynetworks
>     reject_unknown_sender_domain
>
> To me the content of the sender_access hash makes sense if it contains
> terms such as
> luck...@yaha.com DISCARD
>
> Does it also work correctly if that same file also has terms such as
> 64.94.244 DISCARD
> where the intent is to block any of
> 64.94.244.xxx
> ?
>
> Right now that ip address example shown above (64.94.244) is in the
> sender_access file (and the sender_access.db) but the log file shows
> events such as this:
>

You are explicitly asking postfix to check a sender for the file hash:/etc/postfix/sender_access. This will never match an IP.

> Based upon my understanding of the definitions of the terms I have
> always been uncertain about putting ip blocks in the same file. I have
> been told it has been working practice at this college for years
> before I got here. I need to be certain we are doing the right things

You may put check_client_access to point to the same map in order to check for an IP. This is discouraged as that map may be abused in the future. People love putting all their eggs in one basket. Abuse can occur if placed in recipient restriction before reject_unauth_destination with an OK result. The check_client_access can be placed in sender_restrictions if you like.
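
The following is an added example, not part of the original message and not Postfix's own code: a simplified Python model of the lookup keys that access(5) documents for check_sender_access and check_client_access, showing why an entry such as `64.94.244` can only match through a client lookup. It assumes IPv4, the default parent_domain_matches_subdomains behaviour, and no address extensions; the table contents, addresses and hostname are constructed sample data.

```python
# Simplified model of the access(5) lookup keys, in the order they are tried.
# Assumptions: IPv4 only, default parent_domain_matches_subdomains, no
# address extensions. All names and table entries below are constructed.

def domain_keys(domain):
    """The domain itself, then each parent domain."""
    labels = domain.lower().split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]

def sender_keys(mail_from):
    """Keys tried by check_sender_access for a MAIL FROM address."""
    local, _, domain = mail_from.lower().rpartition("@")
    return [f"{local}@{domain}"] + domain_keys(domain) + [f"{local}@"]

def client_keys(hostname, ip):
    """Keys tried by check_client_access for the connecting client."""
    octets = ip.split(".")
    # Full address first, then progressively shorter network prefixes.
    nets = [".".join(octets[:n]) for n in range(4, 0, -1)]
    return domain_keys(hostname) + nets

def lookup(table, keys):
    """Return (key, action) for the first key found in the table, else None."""
    for key in keys:
        if key in table:
            return key, table[key]
    return None

# Constructed stand-in for one map holding both sender and network entries.
SHARED_TABLE = {
    "spammer@example.com": "DISCARD",
    "64.94.244": "DISCARD",
}

def demo():
    """Same message, same map, queried by the two different restrictions."""
    sender, host, ip = "someone@example.net", "host17.example.org", "64.94.244.17"
    return {
        "check_sender_access": lookup(SHARED_TABLE, sender_keys(sender)),
        "check_client_access": lookup(SHARED_TABLE, client_keys(host, ip)),
    }

if __name__ == "__main__":
    for restriction, result in demo().items():
        print(restriction, "->", result)
```
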