Hi,

On 02/24/2015 08:34 PM, Viktor Dukhovni wrote:
On Tue, Feb 24, 2015 at 08:07:59PM -0500, Alex Regan wrote:

smtpd_recipient_restrictions =
----------------------------
       ...
       check_sender_access hash:/etc/postfix/sender_checks,
       ------------------- -------------------------------
       reject_unknown_sender_domain,
       ----------------------------
       ...
       permit

smtpd_sender_restrictions = reject_unknown_sender_domain
-------------------------   ----------------------------

The problem was that you were checking in two places, but added an
exception in only one of them.

So you're saying that if I didn't have the smtpd_sender_restrictions at all, it would have worked in recipient restrictions, correct?

These check_{client,sender}_access restrictions have been in the recipient
restrictions section for a long time, without realizing I was doing it
incorrectly.

It is not "incorrect", rather a matter of "style".  However:

Instead, I've configured sender, client, and helo restrictions, as such, and
removed them all from recipient restrictions:

smtpd_sender_restrictions =
     check_sender_access hash:/etc/postfix/sender_checks
     reject_unknown_sender_domain

smtpd_client_restrictions =
      check_client_access hash:/etc/postfix/client_checks,
      check_client_access cidr:/etc/postfix/client_access_blocklist

smtpd_helo_restrictions =
      check_helo_access pcre:/etc/postfix/helo_checks.pcre,
      check_helo_access hash:/etc/postfix/helo_checks

Does that now seem correct?

Maybe.  Depends whether any of these need exceptions for hosts
in mynetworks (previously in effect when they were part of the
recipient restrictions).

See http://www.postfix.org/postconf.5.html#smtpd_delay_reject

Some people find the "all in one approach" simpler.  With Postfix
2.10 or later (only), you're encouraged to move relay control into
"smtpd_relay_restrictions".  Otherwise depends on your needs and
which you find easier to work with.

Now that I've separated it out, I believe I'll have an easier time of understanding it and maintaining it.

Hmm... Would you describe what my configuration would look like using the new relay restrictions?

Thanks,
Alex
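
The "checking in two places" point above, as an added example that is not part of the original thread or of Postfix itself: a simplified Python model of restriction-list evaluation, in which an OK from `check_sender_access` ends only the list it appears in. The table entry, the resolvable-domain set and the sample addresses are constructed, and the elided recipient restrictions are assumed to end in a bare `permit`.

```python
# Added example: simplified model of how Postfix smtpd evaluates restriction lists.
# All data below is constructed; real Postfix has more result types (DEFER, etc.).
SENDER_CHECKS = {"partner.example": "OK"}  # stands in for hash:/etc/postfix/sender_checks
RESOLVABLE = {"example.org"}               # constructed: sender domains that resolve in DNS

def _domain(sender):
    return sender.rsplit("@", 1)[-1].lower()

def check_sender_access(sender):
    # Table hit returns its action; no hit means "no opinion".
    return SENDER_CHECKS.get(_domain(sender), "DUNNO")

def reject_unknown_sender_domain(sender):
    return "DUNNO" if _domain(sender) in RESOLVABLE else "REJECT"

def permit(sender):
    return "OK"

def eval_list(restrictions, sender):
    """Return (result, rule) for one list; the first OK or REJECT ends this list only."""
    for rule in restrictions:
        result = rule(sender)
        if result != "DUNNO":
            return result, rule.__name__
    return "DUNNO", None

def smtpd_decision(lists, sender):
    """Evaluate every list in order; an OK in one list never skips the next list."""
    for name, restrictions in lists.items():
        result, rule = eval_list(restrictions, sender)
        if result == "REJECT":
            return f"REJECT by {rule} in {name}"
    return "ACCEPT"

# Layout from the start of the thread: exception present in one list only.
ORIGINAL = {
    "smtpd_sender_restrictions": [reject_unknown_sender_domain],
    "smtpd_recipient_restrictions": [check_sender_access, reject_unknown_sender_domain, permit],
}
# Layout after the split; other recipient restrictions are elided as a bare permit.
SEPARATED = {
    "smtpd_sender_restrictions": [check_sender_access, reject_unknown_sender_domain],
    "smtpd_recipient_restrictions": [permit],
}

if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL), ("separated", SEPARATED)):
        print(label, "->", smtpd_decision(cfg, "bob@partner.example"))
```
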
