On 4/7/2011 11:00 AM, Gábor Lénárt wrote:
On Thu, Apr 07, 2011 at 10:40:28AM -0500, Noel Jones wrote:
[...]
Use instead:
smtpd_recipient_restrictions =
    permit_sasl_authenticated,
    reject
The overhead is negligible -- just check an internal status flag,
about the same as your fake table lookup -- and may save you from an
embarrassing accident.
Yes, I have the same idea, however I need not only sasl authenticated users
to accept but some others too, "authenticated" by their IPs, and it involves
ldap, mysql and cidr tables too, since I have different systems (not my
choice!) to need to check. If I already check those at sender restrictions,
I guess it's safe to say that everything is OK. On the other hand, to be
"really safe and not so ugly" I would need to do these again at recipient
restrictions, which would need some measurable overhead anyway. Or maybe
not, and I am just too nervous about those "overhead" and "resources" :)
Thanks for your answer,
- Gábor
Please ignore my previous answer -- you didn't supply complete
information rendering my advice incorrect.
Repeat your checks in smtpd_recipient_restrictions -- or even
better, move them. The cidr table access time will be
negligible if it contains less than a few thousand lines, and
you should be using proxy:ldap:... for all your ldap
lookups, which will improve performance and scalability. See
the proxymap documentation
http://www.postfix.org/proxymap.8.html
Using "smtpd_delay_reject = no" is not recommended. Don't do
that unless you have a full understanding of the implications
and are willing to suffer the consequences.
And pay attention to what Viktor and Wietse tell you.
-- Noel Jones
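
An added illustration of the layout discussed in this thread, not configuration posted by either participant: the IP-based checks sit in smtpd_recipient_restrictions next to permit_sasl_authenticated, the LDAP and MySQL tables go through proxymap, and the list ends in reject. All file names are hypothetical placeholders, and each table is assumed to return OK for the clients it authorizes.

```cfg
# /etc/postfix/main.cf (added example; file names below are hypothetical)

# smtpd_delay_reject is deliberately not set, so it keeps its default (yes).

# A permit in smtpd_sender_restrictions does not carry over to this list.
# Relay authorization is decided here, and the final "reject" means a client
# that matches none of the checks cannot relay.
smtpd_recipient_restrictions =
    # Cheapest checks first: an internal flag, then a local cidr table.
    permit_sasl_authenticated,
    check_client_access cidr:/etc/postfix/trusted_clients.cidr,
    # Network-backed tables are reached through the proxymap service.
    check_client_access proxy:ldap:/etc/postfix/ldap_clients.cf,
    check_client_access proxy:mysql:/etc/postfix/mysql_clients.cf,
    reject

# /etc/postfix/trusted_clients.cidr (constructed sample, documentation range):
#   192.0.2.0/24    OK
```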