mouss put forth on 12/17/2009 7:40 AM:

> No. maybe did you remove a firewall block? postfix does rdns check for
> all connections (unless you disable that) so you should see the warnings
> however you order your smtpd checks.

No firewall changes. I did recently switch my dns resolvers to the new Google resolvers, but that was a few days before redoing my smtpd_foo_restrictions. I didn't notice all these warnings before the smtpd_foo_restrictions changes. That doesn't necessarily mean these warnings aren't due to using the Google resolvers. I could switch back to my ISP's resolvers if you think that would be prudent to test.

> 'postconf -n' reorders _variables_, not values. and anyway, 'postconf -n'
> is what postfix uses, whatever you write in main.cf. so always use
> 'postconf -n' when troubleshooting or when posting to the list. the
> alphabetic order makes it easy for us to search for the variables we
> need to check (quickly finding problems/explanations).

Ahh, ok. Got it.

> there's one caveat though. 'postconf -n' doesn't show non built-in
> variables, such as the value of the classes you defined under
> smtpd_restriction_classes. for these, you need to post them from main.cf
> (if applicable/needed).

Understood. I am defining a custom variable, which I'm sure you saw. You may be the person who suggested it to me in the first place. I can't recall who exactly it was...

>> I have two spam trap addresses in my whitelist. I want all mail to
>> those addresses sent on through. If I move reject_non_fqdn_sender up
>> before the whitelist checks, I will potentially reject some spam
>> destined to the traps, no?
>
> yes.
>
>> In this case, is it better to leave this check where it is?
>
> yes.

Agreed.

>>> you can consider this start:
>>>
>>> smtpd_recipient_restrictions =
>>>     reject_non_fqdn_sender
>>>     reject_non_fqdn_recipient
>>>     permit_mynetworks
>>>     permit_sasl_authenticated
>>>     reject_unauth_destination
>>>     ...
>> Is reject_non_fqdn_recipient cheaper than rejecting with
>> reject_unlisted_recipient?
>
> these are different. if you don't reject non fqdn recipients, you will
> get mail destined to <stan> (postfix will add @$myorigin).

Haven't seen this yet. Probably because my other spam filters have killed the very few sent. I'll add it lower in the config though.

> and sure reject_non_fqdn_* is cheap. it needs no map lookup.

That's what I thought. Thanks for confirming.

> I meant you can add check_*_access checks to whitelist some
> clients/recipients/... before putting reject_invalid_helo_hostname and
> other reject_* checks.
>
> but don't bother. it's what you are doing!

I guess that means I'm doing something right. ;) I'll take that as a compliment, if that's ok. :)

Thanks for the feedback mouss.

--
Stan
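
The ordering question discussed in this message, as an added example that is not part of the original thread: a simplified Python model of Postfix's first-match restriction evaluation, covering only a recipient whitelist lookup and reject_non_fqdn_sender. The trap address, whitelist contents and sample envelopes are constructed, and the evaluator is an assumption-level model, not Postfix code.

```python
# Simplified model (an assumption, not Postfix source): restrictions run in
# order, and the first one that returns OK or REJECT decides the recipient.

WHITELIST = {"trap1@example.com"}      # constructed spam-trap recipient

def check_recipient_access(sender, rcpt):
    # An access-map hit with result OK ends evaluation with a permit.
    return "OK" if rcpt.lower() in WHITELIST else "DUNNO"

def reject_non_fqdn_sender(sender, rcpt):
    if sender == "":                   # null sender <> is not tested
        return "DUNNO"
    domain = sender.rsplit("@", 1)[1] if "@" in sender else ""
    if domain.startswith("["):         # address literal such as [192.0.2.1]
        return "DUNNO"
    # No map lookup needed: a plain string test on the domain part.
    return "DUNNO" if "." in domain else "REJECT"

def evaluate(restrictions, sender, rcpt):
    """Return (verdict, name of the deciding restriction)."""
    for check in restrictions:
        verdict = check(sender, rcpt)
        if verdict != "DUNNO":
            return verdict, check.__name__
    # Nothing objected; a real list would continue with further checks.
    return "OK", "end of list"

WHITELIST_FIRST = [check_recipient_access, reject_non_fqdn_sender]
FQDN_FIRST = [reject_non_fqdn_sender, check_recipient_access]

# Constructed sample envelopes: (MAIL FROM, RCPT TO)
SAMPLES = [
    ("spammer@localhost", "trap1@example.com"),
    ("spammer@localhost", "stan@example.com"),
    ("user@mail.example.net", "stan@example.com"),
]

def compare():
    # One row per envelope: verdict with each ordering.
    return [(s, r, evaluate(WHITELIST_FIRST, s, r)[0],
             evaluate(FQDN_FIRST, s, r)[0]) for s, r in SAMPLES]

if __name__ == "__main__":
    for sender, rcpt, wl_first, fqdn_first in compare():
        print(f"{sender:24} -> {rcpt:20} "
              f"whitelist-first={wl_first:6} fqdn-first={fqdn_first}")
```

Only the first envelope changes verdict between the two orderings: the non-FQDN sender reaches the trap when the whitelist lookup comes first and is rejected when reject_non_fqdn_sender comes first.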