On 1/23/11 1:34 PM, IT geek 31 wrote:
On 23 January 2011 10:15, mouss<mo...@ml.netoyen.net> wrote:
On 23/01/2011 03:45, IT geek 31 wrote:
A recent poster asked for configuration to be checked, and it has made
me question my own sender and recipient restrictions:
smtpd_sender_restrictions =
    permit_sasl_authenticated,
    permit_mynetworks,
    check_sender_access hash:/usr/pkg/etc/postfix/sender_access,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    reject_unknown_address,
    permit

smtpd_recipient_restrictions =
    permit_sasl_authenticated,
    permit_mynetworks,
    reject_unauth_destination,
    check_sender_access hash:/usr/pkg/etc/postfix/sender_access,
    reject_unauth_pipelining,
    reject_non_fqdn_recipient,
    reject_unknown_recipient_domain,
    reject_rbl_client zen.spamhaus.org,
    check_policy_service inet:127.0.0.1:10023,
    permit
Having looked at my recipient restrictions, I see that I am checking
my sender_access again. Is this right?
It works but is useless.
I think I remember why I put it in there. My sender_access file
primarily defines a list of friendly addresses which I do not want to
be policy checked. The idea is that if an address is found in this
list, it skips past any further checks.
Then you have to either repeat it in every restriction phase up to and
including the one that checks your policy service, or move all
restrictions to smtpd_recipient_restrictions and order them
appropriately there.
As the documentation explains, each stage in smtpd_mumble_restrictions
can only permit the checking to *proceed* to the next stage.
There is a difference between *SMTP* stages and restriction checking
stages, if smtpd_delay_reject = yes.
All stages are checked, but the data of the client, helo, sender and
recipient stages are available for checking at EVERY stage.
A REJECT, however, is final at every stage, *for the type of parameter
under consideration*.
If that last seems confusing - if you reject a recipient, the message
itself will not be rejected at that point.
Only if there are no more recipients, and none were accepted, is the
message as a whole rejected.
you can remove smtpd_sender_restrictions and put all your checks under
smtpd_recipient_restrictions, something like this
My understanding of postconf(5) is that smtpd_sender_restrictions
applies to the MAIL FROM command. For example I have an access file
which contains my two friends, Richard and Bill:
bill.clin...@whitehouse.gov OK
richard.ni...@whitehouse.gov REJECT
I also understand smtpd_recipient_restrictions applies to the RCPT TO
command. So if I remove that check from smtpd_sender_restrictions and
add it to smtpd_recipient_restrictions, then mails from Richard will
get through.
No, that is not what happens.
The restriction still applies to the stage of the actual check_*, but
the point at which a decision is made changes.
Take a message FROM joe@domain, TO jim@somewhere, with no other recipients.
If you REJECT mail FROM joe@domain before accepting (Permit or OK) mail
TO jim@somewhere, the message is rejected.
However, if you REJECT mail FROM joe@domain after accepting mail TO
jim@somewhere, IN THE SAME STAGE, the result of that stage is PERMIT.
The access lists could be identical; only the order of processing is
different.
--
J.
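
The evaluation order discussed in this thread, as an added example that is not part of the original messages and is not Postfix code: a simplified Python model in which the first result other than DUNNO decides a restriction list, OK only ends that list, and REJECT is final. The addresses, table contents, the always-rejecting policy stub and the example.net local domain are assumptions made for the illustration.

```python
# Simplified model of Postfix restriction lists; all data below is constructed.
SENDER_ACCESS = {"friend@example.org": "OK", "blocked@example.org": "REJECT"}
RCPT_ACCESS = {"jim@example.net": "OK"}

def check_sender_access(msg):
    return SENDER_ACCESS.get(msg["sender"], "DUNNO")

def check_recipient_access(msg):
    return RCPT_ACCESS.get(msg["rcpt"], "DUNNO")

def reject_unauth_destination(msg):
    # Assumption: example.net is the only domain this server accepts mail for.
    return "DUNNO" if msg["rcpt"].endswith("@example.net") else "REJECT"

def check_policy_service(msg):
    # Stand-in for the policy daemon: refuses everything, so reaching it shows.
    return "REJECT"

def eval_list(restrictions, msg):
    """The first result other than DUNNO decides the list; the end permits."""
    for check in restrictions:
        result = check(msg)
        if result != "DUNNO":
            return result, check.__name__
    return "OK", "end of list"

def eval_session(lists, msg):
    """OK only ends the current list; REJECT is final for this recipient."""
    for name, restrictions in lists:
        result, decided_by = eval_list(restrictions, msg)
        if result == "REJECT":
            return "REJECT", f"{name}:{decided_by}"
    return "OK", "all lists passed"

FRIEND = {"sender": "friend@example.org", "rcpt": "jim@example.net"}
BLOCKED = {"sender": "blocked@example.org", "rcpt": "jim@example.net"}
relay = reject_unauth_destination
# Whitelist only in the sender list: the policy service still runs.
sender_only = [("sender", [check_sender_access]),
               ("recipient", [relay, check_policy_service])]
# Whitelist repeated ahead of the policy service in the recipient list.
repeated = [("sender", [check_sender_access]),
            ("recipient", [relay, check_sender_access, check_policy_service])]
# The same two tables in one list, in both orders.
reject_first = [("recipient", [relay, check_sender_access, check_recipient_access])]
permit_first = [("recipient", [relay, check_recipient_access, check_sender_access])]

for lists, msg in ((sender_only, FRIEND), (repeated, FRIEND),
                   (reject_first, BLOCKED), (permit_first, BLOCKED)):
    print(eval_session(lists, msg))
```

The model leaves out DEFER results and the client and helo lists; it only shows where a decision is taken.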