On 10/27/2013 4:30 PM, Nick Edwards wrote:
> Following from Charles's thread, but, not directly related, did not
> want to hijack it so I'll ask for clarification here.
> 
> Having seen Viktor's statement about submission_*_restrictions = and
> not putting all that crud into master.cf (yes, my bad too)
> 
> If I use:
> 
> 
> submission_client_restrictions =
>         check_client_access hash:/etc/postfix/submission.hosts

Typically this first line is all that would be used here to reject
unwanted clients.


>         permit_mynetworks
>         permit_sasl_authenticated
>         reject

These 3 lines are not needed in the client restrictions.


> 
> to stop those fools at  inkedin and anybody else who wants to try
> invade privacy, violate privacy laws of certain countries etc etc..
> 
> now we also have used previously to 15 minutes ago :) in master.cf now
> moving to main.cf
> 
> submission_recipient_restrictions =
>         reject_unknown_recipient_domain
>         permit_mynetworks
>         permit_sasl_authenticated
>         reject

This is good.

Caution when using reject_unknown_recipient_domain here.  Some
desktop mail software reacts badly to rejected mail, such as
continually retrying, confusing error messages, etc.
Just be aware...


> 
> This looks like duplication, so can this be simplified?   by
> submission_recipient_restrictions =
>         reject_unknown_recipient_domain

This would be OK in postfix 2.10 or newer, which has a separate
smtpd_relay_restrictions to prevent unauthorized relaying.

In previous postfix versions, smtpd_recipient_restrictions must end
in a restriction that defaults to "reject" to prevent unauthorized
relaying.

I would suggest leaving it as it is.


> 
> or can we add reject_unknown_recipient_domain into client_restriction
> and forget the submission recipi....  altogether?

It's OK to move the reject_unknown_recipient_domain into
submission_client_restrictions.  But you'll still need
smtpd_recipient_restrictions as explained above.



  -- Noel Jones
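
The layout discussed in this thread, as an added example that is not from either poster: the restriction lists live in main.cf under the user-defined submission_* names, and the submission service in master.cf only references them. The master.cf wiring, the SASL override and the example.com map entry are assumptions, not taken from the messages.

```conf
# /etc/postfix/main.cf
# User-defined parameters: they take effect only where master.cf references them.
submission_client_restrictions =
        check_client_access hash:/etc/postfix/submission.hosts

# Still ends in "reject", so the list stays relay-safe on Postfix older
# than 2.10, which has no separate smtpd_relay_restrictions.
submission_recipient_restrictions =
        reject_unknown_recipient_domain
        permit_mynetworks
        permit_sasl_authenticated
        reject

# /etc/postfix/master.cf (assumed wiring, not shown in the thread)
submission inet n       -       n       -       -       smtpd
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=$submission_client_restrictions
  -o smtpd_recipient_restrictions=$submission_recipient_restrictions

# /etc/postfix/submission.hosts (constructed entry)
# Rebuild the lookup table after editing: postmap /etc/postfix/submission.hosts
example.com     REJECT
```

Running `postconf -M submission/inet` (Postfix 2.11 or newer) after a reload shows the overrides the service actually uses.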
