Noel Jones:
> On 10/18/2013 1:47 PM, Viktor Dukhovni wrote:
> > On Fri, Oct 18, 2013 at 01:24:09PM -0500, Noel Jones wrote:
> > 
> >>> smtpd_recipient_restrictions = reject_unlisted_recipient,
> >>> reject_unknown_recipient_domain, check_recipient_access
> >>> hash:/etc/postfix-internal/recipient_access,
> >>> permit_sasl_authenticated, permit_mynetworks, reject
> >>
> >> The only way an unauthenticated, not-mynetworks client can make it
> >> through the above is if the check_recipient_access map returns OK.
> >> Otherwise they get a generic 550 "Access denied" from the final reject.
> >>
> >> You have a lurking open relay problem, but are saved by the
> >> smtpd_relay_restrictions safety net.  Fix the problem before it gets
> >> to the safety net.
> > 
> > No. Rather, smtpd_relay_restrictions is evaluated (as documented)
> > before smtpd_recipient_restrictions.
> 
> My apologies. I thought it was after.

It may not be obvious enough. I think I chose this particular order
so that smtpd_recipient_restrictions could focus entirely on spam
blocking, and would not have to worry about mail relaying.

        Wietse
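
The ordering discussed in this thread, written out as a main.cf fragment; this is an added example, not configuration posted by anyone in the thread. It assumes Postfix 2.10 or later (where smtpd_relay_restrictions exists), reuses the recipient restriction list quoted above unchanged, and the relay list shown is an assumed typical policy.

```conf
# main.cf fragment (added example, not from the thread).
# Assumption: Postfix 2.10 or later, which has smtpd_relay_restrictions.

# Relay policy. This list is evaluated before
# smtpd_recipient_restrictions, so mail for a destination this
# server is not responsible for, from a client that is neither in
# mynetworks nor SASL-authenticated, is rejected here.
smtpd_relay_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination

# Recipient / spam policy (the list quoted in the thread).
# Each restriction list is evaluated on its own: an OK returned by
# the check_recipient_access map ends only this list and does not
# undo a reject already issued by smtpd_relay_restrictions.
smtpd_recipient_restrictions =
    reject_unlisted_recipient,
    reject_unknown_recipient_domain,
    check_recipient_access hash:/etc/postfix-internal/recipient_access,
    permit_sasl_authenticated,
    permit_mynetworks,
    reject

# Check what the running configuration actually uses:
#   postconf smtpd_relay_restrictions smtpd_recipient_restrictions
```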
