On 10/02/2013 05:46 PM, List wrote:
I wonder if moving the
check_client_access and permit_sasl_authenticated below
reject_unauth_destination would help?

Moving 'check_client_access' below 'reject_unauth_destination'
prevents you from wildcards in 'check_client_access', which can make you
an open relay. Just best practice and not a must.

smtpd_recipient_restrictions =
    #### Permit networks defined in /etc/postfix/mynetworks
    permit_mynetworks
    reject_unauth_destination
    #### POP/IMAP before SMTP
    check_client_access mysql:/etc/postfix/authb4smtp.cf
    check_client_access cidr:/etc/postfix/access
    #### Permit SASL authenticated
    permit_sasl_authenticated

I'm wondering what 'permit_sasl_authenticated' affects if you have
already rejected unauth destination. Keep in mind: "Restrictions are
applied in the order as specified; the first restriction that matches wins".

Also I understand that smtp_client_restrictions is the first to be
evaluated, would it make sense to move the permit_sasl_authenticated
into this access restriction or not so much?

Do you mean 'smtpd_client_restrictions'?

Since 'reject_unauth_destination' is not allowed in
'smtpd_client_restrictions', you will need 'permit_sasl_authenticated' in
'smtpd_recipient_restrictions' too.

In general 'smtpd_client_restrictions' is not what you want. You don't
want client side authentication. You want authentication for sending
mails, I think.

Finally, authenticated users via 'permit_sasl_authenticated' can avoid
'spam checking', 'policy, gray listing' as early as it is checked. But
that is only relevant for 'smtpd_relay_restrictions'.

http://www.postfix.org/SMTPD_ACCESS_README.html

Manuel Bieling
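
The ordering point discussed in this message, as an added example that is not part of the original post and is not Postfix code: a simplified Python model of "first match wins" over the restrictions named in the thread. The networks, domains, session values and the wildcard access-map entry are constructed for illustration, and the model ignores everything Postfix does beyond PERMIT/REJECT/DUNNO.

```python
# Simplified model of first-match-wins evaluation of
# smtpd_recipient_restrictions. All sample values are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

MYNETWORKS = [ip_network("192.0.2.0/24")]   # assumed trusted network
LOCAL_DOMAINS = {"example.org"}             # assumed authorized destinations

@dataclass
class Session:
    client_ip: str
    sasl_authenticated: bool
    rcpt_domain: str

def permit_mynetworks(s, _table):
    ip = ip_address(s.client_ip)
    return "PERMIT" if any(ip in net for net in MYNETWORKS) else "DUNNO"

def reject_unauth_destination(s, _table):
    # Rejects unless the recipient domain is one we accept mail for.
    return "DUNNO" if s.rcpt_domain in LOCAL_DOMAINS else "REJECT"

def permit_sasl_authenticated(s, _table):
    return "PERMIT" if s.sasl_authenticated else "DUNNO"

def check_client_access(s, table):
    # table models a cidr: access map as (network, action) pairs.
    for cidr, action in table:
        if ip_address(s.client_ip) in ip_network(cidr):
            return {"OK": "PERMIT", "REJECT": "REJECT"}.get(action, "DUNNO")
    return "DUNNO"

def evaluate(restrictions, s, table=()):
    """Return (verdict, deciding restriction); an exhausted list permits."""
    for restriction in restrictions:
        verdict = restriction(s, table)
        if verdict != "DUNNO":
            return verdict, restriction.__name__
    return "PERMIT", "end of list"

# Order from the configuration in the thread.
QUOTED_ORDER = [permit_mynetworks, reject_unauth_destination,
                check_client_access, permit_sasl_authenticated]
# SASL permit placed ahead of the destination check.
SASL_FIRST = [permit_mynetworks, permit_sasl_authenticated,
              reject_unauth_destination, check_client_access]
# Access map ahead of the destination check.
ACCESS_FIRST = [permit_mynetworks, check_client_access,
                reject_unauth_destination, permit_sasl_authenticated]
WILDCARD = [("0.0.0.0/0", "OK")]   # constructed overly broad map entry
```

In this model an authenticated roaming user relaying to a remote domain is rejected under `QUOTED_ORDER` and permitted under `SASL_FIRST`, while `ACCESS_FIRST` combined with `WILDCARD` permits an unauthenticated outside client to relay.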