I've been poring over this email for five days now, and just can't wrap my mind 
around what Viktor's example configuration is doing. I understand what he 
*says* it's doing, but I can't look at the configuration and "see" it. Can 
someone explain?

Specifically, I don't see where the "AND" and "OR" parts of the restrictions 
evaluation are stated or implied.

Also, what does the "catchall" in allowed-hosts do?

        0.0.0.0/0 discard_all, permit

It seems to me it would discard everything that isn't explicitly allowed in the 
lines above it, regardless of the sender/recipient restrictions defined in 
main.cf. Where am I going wrong here?


-----Original Message-----
From: Victor Duchovni [mailto:victor.ducho...@morganstanley.com] 
Sent: Friday, December 31, 2010 12:56 PM
To: Larsen, Michael W.
Cc: postfix-users@postfix.org
Subject: Re: Relay restrictions

On Fri, Dec 31, 2010 at 12:52:04PM -0600, michael.lar...@wellsfargo.com wrote:

> Thanks for your reply. How does this configuration determine if all
> mail from a client should be relayed, or only the mail allowed by the
> allowed-sender/allowed-recipient rules? There are some hosts I don't
> want subjected to those rules.

Clients that are listed in the CIDR table (above the 0.0.0.0/0 catchall
at the bottom of the file) with a "permit" action, can do as they please.

At your request, this configuration never rejects mail. If the sender
and recipient are both "special", mail is relayed from any client. Otherwise,
mail is discarded if it is not from a specifically authorized client.

> > In that case change the client restrictions to "OR", but keep sender
> > and recipient as "AND".
> > 
> >     main.cf:
> > 
> >     indexed = ${default_database_type}:${config_directory}/
> >     cidr = cidr:${config_directory}/
> > 
> >     smtpd_restriction_classes = discard_all
> >     discard_all = static:discard
> > 
> >     smtpd_sender_restrictions =
> >         check_sender_access ${indexed}allowed-senders
> >         check_client_access ${cidr}allowed-clients,
> > 
> >     smtpd_recipient_restrictions =
> >         check_recipient_access ${indexed}allowed-recipients,
> >         check_client_access ${cidr}allowed-clients,
> >             #
> >             # Required to appease validation logic, in practice,
> >             # allowed-clients will permit all IPs, some to deliver
> >             # and the rest to discard.
> >             #
> >         reject
> > 
> >     allowed-clients:
> >         192.0.2.1       permit
> >         0.0.0.0/0       discard_all, permit
> 
> -- 
>       Viktor.
> 

-- 
        Viktor.
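
Added example, not part of the original thread or of Viktor's configuration: a small Python model of how the two restriction lists in the quoted main.cf combine. Within one list the first decisive result ends evaluation (the "OR"), and a message is delivered only if both lists let it through (the "AND"). It assumes allowed-senders and allowed-recipients map the "special" addresses to permit; those addresses and the names used in the code are constructed for illustration.

```python
import ipaddress

# Constructed sample tables. Only allowed-clients appears in the thread; the
# contents of the sender and recipient tables are assumptions.
ALLOWED_SENDERS = {"alerts@example.com": "permit"}
ALLOWED_RECIPIENTS = {"pager@example.net": "permit"}
ALLOWED_CLIENTS = [                       # CIDR table: first matching line wins
    ("192.0.2.1/32", ["permit"]),
    ("0.0.0.0/0", ["discard_all", "permit"]),
]
CLASSES = {"discard_all": ["discard"]}    # stands in for static:discard

def client_actions(ip):
    addr = ipaddress.ip_address(ip)
    for net, actions in ALLOWED_CLIENTS:
        if addr in ipaddress.ip_network(net):
            return actions
    return []

def run_list(restrictions, msg):
    """Evaluate one restriction list; the first decisive result ends it."""
    for kind, table in restrictions:
        if kind == "reject":
            return "reject"
        if kind == "client":
            actions = client_actions(msg["client"])
        else:
            hit = table.get(msg[kind])
            actions = [hit] if hit else []   # no match: try the next restriction
        for action in actions:
            for step in CLASSES.get(action, [action]):
                if step in ("permit", "discard", "reject"):
                    return step
    return "dunno"

def evaluate(msg):
    """Run sender then recipient restrictions, as in the quoted main.cf."""
    sender_list = [("sender", ALLOWED_SENDERS), ("client", None)]
    rcpt_list = [("recipient", ALLOWED_RECIPIENTS), ("client", None),
                 ("reject", None)]
    for restrictions in (sender_list, rcpt_list):
        result = run_list(restrictions, msg)
        if result in ("reject", "discard"):   # discard applies to the whole message
            return result
    return "deliver"
```

With the catchall line present, the client lookup always returns a decisive result for an IPv4 client, so the trailing `reject` is never reached.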
