On Wed, Oct 02, 2013 at 10:46:12AM -0500, List wrote:

> One thing I noticed
> in the documentation regarding smtpd_recipient_restrictions (under
> "Dangerous use of smtpd_recipient_restrictions") is that recipient
> restrictions can result in too permissive access.  I wonder if
> moving the check_client_access and permit_sasl_authenticated below
> reject_unauth_destination would help?

Don't.

> 
> smtpd_recipient_restrictions =
>            #### Permit networks defined in /etc/postfix/mynetworks
>            permit_mynetworks
>            reject_unauth_destination
>            #### POP/IMAP before SMTP
>            check_client_access mysql:/etc/postfix/authb4smtp.cf
>            check_client_access cidr:/etc/postfix/access
>            #### Permit SASL authenticated
>            permit_sasl_authenticated

Too late, their outbound mail has already been rejected.

> Also I understand that smtp_client_restrictions is the first to be
> evaluated, would it make sense to move the permit_sasl_authenticated
> into this access restriction or not so much?

No.  Take time to understand how Postfix restrictions work.

With Postfix 2.10 or later you can use "smtpd_relay_restrictions"
to avoid being an open relay, and do anti-spam control in the
various other restriction classes.  Some duplication of permissive
controls is then inevitable, but you're no longer at risk of becoming
an open relay due to ordering problems.

-- 
        Viktor.
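
An added illustration, not part of the message above and not Postfix code: a simplified Python model of first-match restriction evaluation. It shows why the quoted order rejects an authenticated user's outbound mail, and how a separate relay list (modeled on smtpd_relay_restrictions) keeps an ordering mistake in the recipient list from opening relay access. The addresses, domains, whitelist and the helper names are constructed for the example.

```python
# Simplified model of how Postfix smtpd evaluates restriction lists.
# A rule returns PERMIT, REJECT or DUNNO; the first non-DUNNO result ends
# that list. REJECT in any list refuses the recipient; PERMIT ends only
# the list it occurs in.
PERMIT, REJECT, DUNNO = "PERMIT", "REJECT", "DUNNO"
LOCAL_DOMAINS = {"example.org"}        # constructed: domains hosted here
WHITELISTED = {"192.0.2.50"}           # constructed: access-table entry -> OK

RULES = {
    "permit_mynetworks": lambda s: PERMIT if s["mynet"] else DUNNO,
    "permit_sasl_authenticated": lambda s: PERMIT if s["sasl"] else DUNNO,
    "reject_unauth_destination":
        lambda s: DUNNO if s["rcpt_domain"] in LOCAL_DOMAINS else REJECT,
    # stand-in for a check_client_access table that returns OK for a match
    "check_client_access":
        lambda s: PERMIT if s["client"] in WHITELISTED else DUNNO,
}

def run_list(rules, session):
    for name in rules:
        result = RULES[name](session)
        if result != DUNNO:
            return result
    return DUNNO

def accepts(session, recipient, relay=None):
    """True if RCPT TO is accepted; relay=None means no relay list (pre-2.10)."""
    lists = ([relay] if relay is not None else []) + [recipient]
    return all(run_list(rules, session) != REJECT for rules in lists)

# Constructed sessions, both addressed to a remote domain.
def session(client, sasl):
    return {"client": client, "mynet": False, "sasl": sasl,
            "rcpt_domain": "remote.example"}
SASL_USER = session("203.0.113.7", True)
LISTED_HOST = session("192.0.2.50", False)

# Order quoted in the message: the reject comes before the SASL permit.
PROPOSED = ["permit_mynetworks", "reject_unauth_destination",
            "check_client_access", "permit_sasl_authenticated"]
# Anti-spam list with a permissive lookup ahead of the relay check.
PERMISSIVE = ["check_client_access", "permit_mynetworks",
              "permit_sasl_authenticated", "reject_unauth_destination"]
RELAY = ["permit_mynetworks", "permit_sasl_authenticated",
         "reject_unauth_destination"]

if __name__ == "__main__":
    print(accepts(SASL_USER, PROPOSED))                   # quoted order
    print(accepts(LISTED_HOST, PERMISSIVE))               # no relay list
    print(accepts(LISTED_HOST, PERMISSIVE, relay=RELAY))  # with relay list
```

The repeated permit_sasl_authenticated in both RELAY and PERMISSIVE is the duplication of permissive controls the reply refers to.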
