On Mon, Jul 29, 2013 at 4:13 AM, Wietse Venema <wie...@porcupine.org> wrote:
> Jeffrey 'jf' Lim:
>> On Mon, Jul 29, 2013 at 3:56 AM, Wietse Venema <wie...@porcupine.org> wrote:
>> > Jeffrey 'jf' Lim:
>> >> Am I misunderstanding something here, that setting
>> >> 'smtpd_client_restrictions = reject_unauth_pipelining' should reject a
>> >> client that sends the EHLO, or HELO before the smtp banner?
>> >> (http://www.postfix.org/postconf.5.html#reject_unauth_pipelining:
>> >> 'Reject the request when the client sends SMTP commands ahead of time
>> >> where it is not allowed, ...')
>> >
>> > Current reject_unauth_pipelining implementations reject clients
>> > that pipeline input that *follows* EHLO/HELO and later commands.
>> > They don't reject clients that talk before Postfix greets them.
>> >
>> > To reject clients that talk before Postfix greets them, use
>> > Postscreen's pregreet detection feature.
>> >
>>
>> ok, thanks. How about my problems with setting 'smtpd_delay_reject =
>> no'? It just seems that with it smtpd_delay_reject set to 'no', the
>> rejection just isn't done (or detected?), for whatever reason.
>
> Allow me to repeat my reply above:
>
> Current reject_unauth_pipelining implementations [...] don't reject
> clients that talk before Postfix greets them.
>
> To reject clients that talk before Postfix greets them, use
> Postscreen's pregreet detection feature.
>

Yes, I got that. I also highlighted another question/issue I have in
the 2nd part of my question, where the pipelining occurs *after*
ehlo/helo. In that case, smtpd_delay_reject set to 'no' does not work.
Should that be expected behaviour?

-jf
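
The two cases distinguished in the quoted reply, modeled as an added example (not Postfix source code and not from this thread): `talks_before_greeting` is a postscreen-style pregreet test, and `read_command` checks for input queued behind a command that has to wait for its reply. The function names, the wait value, the `example.test` hostnames and the socket-pair clients are assumptions constructed for the demo.

```python
import select
import socket

WAIT = 0.2  # seconds the server holds back; constructed demo value, not a Postfix default


def talks_before_greeting(conn, wait=WAIT):
    """Pregreet test: delay the 220 banner and see whether the client
    has already sent something. Returns (pregreet, bytes_seen)."""
    readable, _, _ = select.select([conn], [], [], wait)
    if not readable:
        return False, b""
    early = conn.recv(4096, socket.MSG_PEEK)  # peek only, input stays queued
    return bool(early), early  # an empty peek means the client hung up


def read_command(conn, wait=WAIT):
    """Read one command line, then report whether more input was already
    queued behind it before any reply was sent (unauthorized pipelining
    when the command, like EHLO, must wait for its reply)."""
    buf = b""
    while b"\r\n" not in buf:
        chunk = conn.recv(4096)
        if not chunk:
            break
        buf += chunk
    line, _, rest = buf.partition(b"\r\n")
    if not rest and select.select([conn], [], [], wait)[0]:
        rest = conn.recv(4096, socket.MSG_PEEK)
    return line.decode("ascii", "replace"), bool(rest)


def run_client(sent_before_banner, sent_after_banner):
    """Run both checks against one constructed client (non-empty second argument)."""
    server, client = socket.socketpair()
    try:
        if sent_before_banner:
            client.sendall(sent_before_banner)
        if talks_before_greeting(server)[0]:
            return "pregreet"
        server.sendall(b"220 mail.example.test ESMTP\r\n")
        client.recv(4096)  # client consumes the banner
        client.sendall(sent_after_banner)
        command, pipelined = read_command(server)
        return ("pipelined after " + command.split()[0]) if pipelined else "ok"
    finally:
        server.close()
        client.close()
```

The first check can only fire before the banner is sent and the second only after a command has been read, which is why a client that talks early is a separate case from one that pipelines after EHLO/HELO.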