Re: smtpd_relay_restrictions, non-production version

Mon, 01 Oct 2012 11:39:27 -0700 

Wietse Venema:
> I've uploaded a non-production release with smtpd_relay_restrictions
> support. For a preview of the documentation, see:
> 
> http://www.porcupine.org/postfix-mirror/SMTPD_ACCESS_README.html
> http://www.porcupine.org/postfix-mirror/postconf.5.html#smtpd_relay_restrictions
> http://www.porcupine.org/postfix-mirror/postconf.5.html#smtpd_recipient_restrictions
> 
> This being a critical feature, I have put in multiple safety nets
> to ensure compatibility for sites that upgrade. The text below is
> taken from the RELEASE_NOTES file.

I have uploaded postfix-2.10-20121001-nonprod.

This updates the remainder of the documentation, and adds a new
"defer_unauth_destination" feature, to improve the error message
from the "forward compatibility" safety net.

        Wietse

[text from RELEASE_NOTES]

This version introduces the smtpd_relay_restrictions feature
for mail relay control. The built-in default value is:

    smtpd_relay_restrictions = 
        permit_mynetworks 
        permit_sasl_authenticated 
        reject_unauth_destination

With Postfix versions before 2.10, the rules for relay permission
and spam blocking were often intermingled under
smtpd_recipient_restrictions, resulting in error-prone configuration.

As of Postfix 2.10, relay permission rules are preferably implemented
with smtpd_relay_restrictions, so that a permissive spam blocking
policy under smtpd_recipient_restrictions will no longer result in
a permissive mail relay policy.

As usual, this new feature is introduced with safety nets to prevent
surprises when a site upgrades from an earlier Postfix release.

1 - FORWARD COMPATIBILITY SAFETY NET: the Postfix installation
    procedure adds an explicit smtpd_relay_restrictions entry to
    main.cf when there is none:

    smtpd_relay_restrictions = 
        permit_mynetworks 
        permit_sasl_authenticated 
        defer_unauth_destination

    If your site has a complex mail relay policy configured under
    smtpd_recipient_restrictions, this safety net will defer mail
    that the built-in smtpd_relay_restrictions setting would bounce.
    To fix, either set smtpd_relay_restrictions empty, or copy the
    relay authorization policy from smtpd_recipient_restrictions
    to smtpd_relay_restrictions.

    Otherwise, setting smtpd_relay_restrictions by hand to the
    default policy will suffice.

2 - BACKWARDS COMPATIBILITY SAFETY NET: sites that migrate from
    Postfix versions before 2.10 can set smtpd_relay_restrictions
    to the empty value, and use smtpd_recipient_restrictions exactly
    as they used it before.

Reply via email to