On 3/12/2013 2:44 PM, Christian Rößner wrote:
> Hi,
>
> today I upgraded to the new 2.10.0 version. I have read the RELEASE_NOTES and
> looked inside postconf-manpage.
>
> As I understood, the smtpd_relay_restrictions are evaluated before
> smtpd_recipient_restrictions. In the RELEASE_NOTES I can read that there are
> 3 possibilities to deal with the new option. I decided for the copy-part. So
> my current settings look like this:
>
> master.cf:
>
> 193.239.107.42:submission
>     inet n - - - - smtpd
>     -o syslog_name=postfix:587
>     -o milter_macro_daemon_name=ORIGINATING
>     -o smtpd_banner=${smtpd_submission_banner}
>     -o myhostname=mail.roessner-net.de
>     -o smtpd_sasl_auth_enable=yes
>     -o smtpd_tls_cert_file=/etc/ssl/certs/mail.roessner-net.de.pem
>     -o smtpd_tls_key_file=/etc/ssl/private/mail.roessner-net.de.key.pem
>     -o smtpd_tls_CAfile=/etc/ssl/certs/SSL123_CA_Bundle.pem
>     -o smtpd_tls_security_level=encrypt
>     -o always_add_missing_headers=yes
>     -o smtpd_relay_restrictions=${authenticated_smtpd_relay_restrictions}
>     -o smtpd_recipient_restrictions=${authenticated_smtpd_recipient_restrictions}
>     -o smtpd_reject_footer=
>
> And in main.cf I have the following:
>
> authenticated_smtpd_relay_restrictions =
>     check_sender_access pcre:${map}/sender_access.pcre,
>     check_recipient_access ${mapidx}/reject_srvint_net,
>     reject_non_fqdn_recipient,
>     permit_sasl_authenticated,
>     reject_unauthenticated_sender_login_mismatch,
>     reject_unauth_destination
>
> authenticated_smtpd_recipient_restrictions =
>     check_sender_access pcre:${map}/sender_access.pcre,
>     check_recipient_access ${mapidx}/reject_srvint_net,
>     reject_non_fqdn_recipient,
>     permit_sasl_authenticated,
>     reject_unauthenticated_sender_login_mismatch,
>     reject_unauth_destination
>
> So far this works, but it has duplicate stuff. So my question is: what can be
> removed in each block? The check_* rules do the following: 1.) Disallow two
> test-users from sending and 2.) Do not allow the srvint.net domain as sender
> domain. If I do all the tests in the smtpd_relay_restrictions, what will be
> left for the smtpd_recipient_restrictions?

The smtpd_relay_restrictions is intended for relay decisions only[1].
In this case, that looks like it would be:

authenticated_smtpd_relay_restrictions =
    permit_sasl_authenticated
    reject_unauth_destination

(and I suggest plain old "reject", rather than
"reject_unauth_destination" on the submission service to prevent
outsiders from abusing it)

and those two directives could be removed from
smtpd_recipient_restrictions.

[1] of course, you can use smtpd_relay_restrictions -- or not use it
-- however you see fit; "relay decisions only" is more a guideline
than a rule. There are an endless variety of valid uses, and equally
valid to not use it at all.

  -- Noel Jones
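
An added example, not part of either message and not Postfix code: a simplified Python model of how the two lists are evaluated at RCPT TO. It shows that a permit in the relay list does not skip the recipient list, and that plain "reject" turns away unauthenticated clients that reject_unauth_destination would still let through to local recipients. LOCAL_DOMAINS, the session dictionaries and the list names are assumptions made for illustration.

```python
# Simplified model of RCPT TO evaluation in Postfix >= 2.10 (not Postfix source).
# A restriction returns "PERMIT", "REJECT" or None (no decision, try the next).
LOCAL_DOMAINS = {"example.org"}  # constructed stand-in for mydestination etc.

def _domain(session):
    return session["rcpt"].rpartition("@")[2]

def permit_sasl_authenticated(session):
    return "PERMIT" if session["sasl_user"] else None

def reject(session):
    return "REJECT"

def reject_unauth_destination(session):
    return None if _domain(session) in LOCAL_DOMAINS else "REJECT"

def reject_non_fqdn_recipient(session):
    return None if "." in _domain(session) else "REJECT"

def evaluate_list(restrictions, session):
    """The first PERMIT or REJECT ends this list; otherwise no decision."""
    for restriction in restrictions:
        verdict = restriction(session)
        if verdict:
            return verdict, restriction.__name__
    return None, None

def rcpt_to(relay_list, recipient_list, session):
    """Relay list runs first. PERMIT ends only its own list; REJECT is final."""
    for param, lst in (("smtpd_relay_restrictions", relay_list),
                       ("smtpd_recipient_restrictions", recipient_list)):
        verdict, rule = evaluate_list(lst, session)
        if verdict == "REJECT":
            return f"REJECT by {rule} in {param}"
    return "ACCEPT"

RELAY_WITH_REJECT = [permit_sasl_authenticated, reject]
RELAY_WITH_UNAUTH_DEST = [permit_sasl_authenticated, reject_unauth_destination]
# The map lookups and the login-mismatch check from the post are left out.
RECIPIENT_REMAINDER = [reject_non_fqdn_recipient]

if __name__ == "__main__":
    outsider = {"sasl_user": None, "rcpt": "bob@example.org"}   # constructed
    customer = {"sasl_user": "alice", "rcpt": "bob@mailhost"}   # constructed
    print(rcpt_to(RELAY_WITH_UNAUTH_DEST, RECIPIENT_REMAINDER, outsider))
    print(rcpt_to(RELAY_WITH_REJECT, RECIPIENT_REMAINDER, outsider))
    print(rcpt_to(RELAY_WITH_REJECT, RECIPIENT_REMAINDER, customer))
```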