On Tue, Feb 24, 2015 at 08:07:59PM -0500, Alex Regan wrote:

> >> smtpd_recipient_restrictions =
> >> ----------------------------
> >>       ...
> >>       check_sender_access hash:/etc/postfix/sender_checks,
> >>       ------------------- -------------------------------
> >>       reject_unknown_sender_domain,
> >>       ----------------------------
> >>       ...
> >>       permit
> >>
> >> smtpd_sender_restrictions = reject_unknown_sender_domain
> >> -------------------------   ----------------------------

The problem was that you were checking in two places, but added an
exception in only one of them.

> These check_{client,sender}_access restrictions have been in the recipient
> restrictions section for a long time, without realizing I was doing it
> incorrectly.

It is not "incorrect", rather a matter of "style".  However:

> Instead, I've configured sender, client, and helo restrictions, as such, and
> removed them all from recipient restrictions:
> 
> smtpd_sender_restrictions =
>     check_sender_access hash:/etc/postfix/sender_checks
>     reject_unknown_sender_domain
> 
> smtpd_client_restrictions =
>      check_client_access hash:/etc/postfix/client_checks,
>      check_client_access cidr:/etc/postfix/client_access_blocklist
> 
> smtpd_helo_restrictions =
>      check_helo_access pcre:/etc/postfix/helo_checks.pcre,
>      check_helo_access hash:/etc/postfix/helo_checks
> 
> Does that now seem correct?

Maybe.  Depends whether any of these need exceptions for hosts
in mynetworks (previously in effect when they were part of the
recipient restrictions).

See http://www.postfix.org/postconf.5.html#smtpd_delay_reject

Some people find the "all in one approach" simpler.  With Postfix
2.10 or later (only), you're encouraged to move relay control into
"smtpd_relay_restrictions".  Otherwise depends on your needs and
which you find easier to work with.

Multiple top-level restriction classes make it possible to white
list some checks and not others (OK in one list of rules terminates
only that list of rules).  So that's more flexible, but can be more
complex.

I had proposed some time back generalizing the set of top-level
lists beyond just adding "smtpd_relay_restrictions", but there's
not been much interest in going beyond the current fixed quartet
of (client, helo, sender, recipient).

-- 
        Viktor.
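A concrete version of the split layout with the mynetworks exceptions Viktor asks about, added here as an illustration and not part of the original thread. The map file names are the ones from Alex's config above; `permit_mynetworks`, `permit_sasl_authenticated`, `reject_unauth_destination` and `smtpd_relay_restrictions` are standard Postfix restrictions (the last needs Postfix 2.10 or later), and `smtpd_delay_reject = yes` is the Postfix default.

```conf
# Added illustration, not from the thread. Each top-level list is evaluated
# on its own: permit_mynetworks at the head of one list ends only that list,
# so a trusted host with a bad HELO is still rejected unless the helo list
# carries its own exception. Put the exception in every list that needs it,
# and leave it out of any list whose checks should also apply to your own hosts.

# Default setting, shown for clarity: every list below is evaluated at
# RCPT TO, so helo and sender data are available when the client list runs.
smtpd_delay_reject = yes

smtpd_client_restrictions =
    permit_mynetworks,
    check_client_access hash:/etc/postfix/client_checks,
    check_client_access cidr:/etc/postfix/client_access_blocklist

smtpd_helo_restrictions =
    permit_mynetworks,
    check_helo_access pcre:/etc/postfix/helo_checks.pcre,
    check_helo_access hash:/etc/postfix/helo_checks

smtpd_sender_restrictions =
    permit_mynetworks,
    check_sender_access hash:/etc/postfix/sender_checks,
    reject_unknown_sender_domain

# Postfix 2.10+: relay control lives here, so an OK returned by an access
# map in the recipient list can no longer turn the server into an open relay.
smtpd_relay_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination

# Anti-spam policy only once relay control has moved above.
smtpd_recipient_restrictions =
    permit
```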
