> HOLD always take place last, and only accepted mail is put on
> HOLD. Since this server is for user submission and all mail
> is either authenticated or rejected, it doesn't matter too
> much where you put the hold.

Good to know. I probably asked the same question years ago, but this helps.

> > smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
>
> Caution: if someone ever sets the non-standard
> 'smtpd_delay_reject=no' the above line will reject connections
> before the user has a chance to authenticate. In this case I
> suggest removing smtpd_client_restrictions.

I'll fix that. So I really only need permit_sasl_authenticated for smtpd_sender_restrictions then?

> > smtpd_recipient_restrictions = permit_mynetworks,permit_sasl_authenticated,reject
>
> This line is sufficient to limit access to mynetworks and
> authenticated users.
>

Do I even need this at all if I'm using smtpd_sender_restrictions since this is an outgoing only server?

> > Incoming server:
> > smtpd_recipient_restrictions =
> > permit_mynetworks,
> > reject_unknown_sender_domain,
> > reject_unauth_destination,
> > hash:/etc/postfix/custom/access,<-- this has some specific internal blocks (reject some senders that spam our clients)
> > hash:/etc/postfix/custom/postmaster,<-- postmaster@ accept, abuse@ accept, etc
>
> The above two hash tables use deprecated syntax where
> check_recipient_access is assumed. Far better to explicitly
> state what the table is checking.
>

Good to know. This set of rules seems to get carried forward with upgrades over time. I'll tweak accordingly.

> check_recipient_access hash:/etc/postfix/custom/access
> check_recipient_access hash:/etc/postfix/custom/postmaster

Postmaster is a static file, access gets updates dynamically based on rules from a central server, otherwise I would

> Even better, combine the files into a single table to save
> some memory.
>
> > reject_non_fqdn_recipient,
> > reject_unlisted_recipient,
> > reject_unknown_sender_domain,
>
> no need to repeat this restriction.

which restriction?

> > reject_invalid_hostname,
> > reject_rbl_client zen.spamhaus.org,
> > reject_rbl_client bl.spamcop.net,
> > reject_rbl_client rhsbl.ahbl.org,
> > check_policy_service inet:10.0.40.4:21111,<-- sqlgrey
> > reject_unauth_pipelining,
> > hash:/etc/postfix/maps/hold
> >
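
Added example, not part of the original message or of Postfix: a small lint check for the three issues discussed in this thread (bare map entries that rely on the deprecated implicit check_recipient_access, a restriction listed twice, and a client restriction list ending in reject while smtpd_delay_reject=no). The function names, the finding labels and the sample settings are constructed for illustration, and smtpd_delay_reject=no in the sample is an assumption.

```python
import re

# Table-type prefixes treated as bare map references (subset chosen for this example).
MAP_RE = re.compile(r"^(hash|btree|lmdb|cdb|texthash|regexp|pcre|cidr):")
# Restrictions whose next token is their argument (subset chosen for this example).
TAKES_ARG = re.compile(r"^(check_\w+|reject_rbl_client|reject_rhsbl_\w+)$")

# Constructed sample from the thread's quoted settings; smtpd_delay_reject=no is assumed.
SAMPLE = {
    "smtpd_delay_reject": "no",
    "smtpd_client_restrictions": "permit_mynetworks,permit_sasl_authenticated,reject",
    "smtpd_recipient_restrictions": """permit_mynetworks, reject_unknown_sender_domain,
        reject_unauth_destination, hash:/etc/postfix/custom/access,
        hash:/etc/postfix/custom/postmaster, reject_non_fqdn_recipient,
        reject_unlisted_recipient, reject_unknown_sender_domain,
        check_policy_service inet:10.0.40.4:21111, hash:/etc/postfix/maps/hold""",
}

def split_restrictions(value):
    """Split on commas/whitespace, keeping each restriction with its argument."""
    tokens = [t for t in re.split(r"[,\s]+", value) if t]
    items, i = [], 0
    while i < len(tokens):
        step = 2 if TAKES_ARG.match(tokens[i]) and i + 1 < len(tokens) else 1
        items.append(" ".join(tokens[i:i + step]))
        i += step
    return items

def lint(params):
    """Return (parameter, finding, detail) tuples for a dict of main.cf settings."""
    findings = []
    for name, value in params.items():
        if not re.fullmatch(r"smtpd_\w+_restrictions", name):
            continue
        items, seen = split_restrictions(value), set()
        for item in items:
            if MAP_RE.match(item):  # bare table: implicit check_*_access
                findings.append((name, "implicit-map", item))
            if item in seen:  # same restriction listed twice
                findings.append((name, "duplicate", item))
            seen.add(item)
        # With smtpd_delay_reject=no the client list runs before AUTH.
        if (name == "smtpd_client_restrictions" and items and items[-1] == "reject"
                and "permit_sasl_authenticated" in items
                and params.get("smtpd_delay_reject", "yes") == "no"):
            findings.append((name, "rejects-before-auth", "smtpd_delay_reject=no"))
    return findings

if __name__ == "__main__":
    for finding in lint(SAMPLE):
        print(*finding, sep=": ")
```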