On 4/7/2011 10:29 AM, Gábor Lénárt wrote:
Hi,
I have the idea to simply put "permit" at the end of
smtpd_recipient_restrictions. No, I don't want open relay :) but I do all
the checks to make it secure in sender_recipient_restrictions. Postfix
nicely wants to change my mind about this idea. So my question that:
is it safe to do what I want to do, _IF_ I am sure I did every possible
checks&rejects in sender_recipient_restrictions (or before)? I plan to use
permit_sasl_authenticated and reject in sender_recipient_restrictions.
Or should I repeat that step in sender_recipient_restrictions too then? I'm
using smtpd_delay_reject = no if it counts. Just I have the idea that using
permit_sasl_authenticated (and also some other checks like IP based relay
given by ldap map) here too makes overhead: why should I do the same steps
(and at every RCPT TO: given!) again what I've already done at a previous
stage of SMTP protocol? It's a mail submit server. I can't provide exact
configuration since I am about doing it right now, just I am curious about
your opinion on this issue.
I may use "check_recipient_access static:OK, reject" at the end of
smtpd_recipient_restrictions to trick postfix do not complain that I don't
want to use reject at the end of smtpd_recipient_restrictions :)
Thanks a lot in advance,
- Gábor
Use instead:
smtpd_recipient_restrictions =
permit_sasl_authenticated,
reject
The overhead is negligible -- just check an internal status
flag, about the same as your fake table lookup -- and may save
you from an embarrassing accident.
-- Noel Jones
