On 1/21/2011 8:12 PM, Jerrale G wrote:
...
> reject_unauth_destination. Also, as an anti-openrelay
> failsafe, you should put "OK 250 custom message here" instead
> of "permit 250 custom message".

No, OK and permit are the same.
Technically, OK is an access map result, permit is a
smtpd_*_restrictions keyword. But they both do exactly the
same thing, which is skip to the next smtpd_*_restrictions
section.
And "permit text" doesn't work everywhere that "OK text"
works. And the optional number after OK or REJECT is an
RFC3463 enhanced response code in the format d.d.d, not an SMTP
reply like 250 or 550. Postfix automatically supplies an
appropriate enhanced response code, so don't make one up until
you read the docs.
http://tools.ietf.org/html/rfc3463

> OK says to keep processing
> other restrictions but override any header, hostname, or etc
> checks in this class; permit would override everything,
> causing open relay!

Nonsense, read the postfix docs.

> Speaking of access lists, a question Mike Morris may also have
> for 2.8, we tried putting postscreen_access_list =
> permit_mynetworks, permit_sasl_authenticated but it doesn't
> allow "permit_sasl_authenticated".

postscreen only works on the client IP, and operates before
client hostname lookup and before SASL authentication. Only
IPs or IP based tables can be used in the
postscreen_access_list entry.
As a general rule, your remote users should connect on the
submission or smtps port, and you shouldn't enable postscreen
there.
-- Noel Jones
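
Added example, not part of the original message or of Postfix: a small Python check for the two postscreen points in the reply above (only IP-based entries in postscreen_access_list, and no postscreen on the submission or smtps service). The function names and the sample configuration are constructed; the accepted entry forms (permit_mynetworks, type:table) are an assumption taken from postconf(5).

```python
import re
# Assumption (per postconf(5)): postscreen_access_list takes permit_mynetworks
# or type:table lookups only, since postscreen sees just the client IP.
TABLE = re.compile(r"^[a-z0-9_]+:\S+$", re.I)

def logical_lines(text):
    """Join Postfix continuation lines (leading whitespace); drop comments."""
    out = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and out:
            out[-1] += " " + raw.strip()
        else:
            out.append(raw.strip())
    return out

def bad_postscreen_entries(main_cf):
    """Return postscreen_access_list entries that postscreen cannot evaluate."""
    bad = []
    for line in logical_lines(main_cf):
        name, sep, value = line.partition("=")
        if sep and name.strip() == "postscreen_access_list":
            for entry in re.split(r"[,\s]+", value.strip()):
                if entry and entry.lower() != "permit_mynetworks" and not TABLE.match(entry):
                    bad.append(entry)
    return bad

def postscreen_on_submission(master_cf):
    """Return submission/smtps services whose command is postscreen."""
    hits = []
    for line in logical_lines(master_cf):
        f = line.split()  # service type private unpriv chroot wakeup maxproc command
        if len(f) >= 8 and f[0] in ("submission", "smtps") and f[7] == "postscreen":
            hits.append(f[0])
    return hits

# Constructed sample configuration, not taken from the thread.
MAIN_CF = """\
postscreen_access_list = permit_mynetworks,
    permit_sasl_authenticated, cidr:/etc/postfix/postscreen_access.cidr
"""
MASTER_CF = """\
smtp       inet n - n - 1 postscreen
submission inet n - n - - smtpd
  -o smtpd_sasl_auth_enable=yes
"""
if __name__ == "__main__":
    print(bad_postscreen_entries(MAIN_CF), postscreen_on_submission(MASTER_CF))
```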