Hi,

On Wed, Dec 23, 2015 at 12:53 PM, Bill Cole
<postfixlists-070...@billmail.scconsult.com> wrote:
> On 21 Dec 2015, at 12:38, Alex wrote:
>
>> Perhaps the ordering of restrictions is not correct?
>>
>> smtpd_client_restrictions = permit_mynetworks,
>>     check_client_access hash:/etc/postfix/client_checks,
>>     check_reverse_client_hostname_access
>>         pcre:/etc/postfix/fqrdns-042715a.pcre,
>>     check_reverse_client_hostname_access
>>         pcre:/etc/postfix/reverse_client_hostname_access.pcre,
>>     check_client_access cidr:/etc/postfix/client_access_blocklist
>>
>> smtpd_recipient_restrictions = reject_non_fqdn_recipient,
>>     reject_non_fqdn_sender,
>>     reject_unlisted_recipient,
>>     reject_unknown_recipient_domain,
>>     permit_mynetworks,
>>     reject_unauth_destination,
>>     reject_unknown_sender_domain,
>>     reject_rhsbl_reverse_client mykey.dbl.dq.spamhaus.net,
>>     reject_rhsbl_sender mykey.dbl.dq.spamhaus.net,
>>     reject_rhsbl_helo mykey.dbl.dq.spamhaus.net
>>     check_helo_access pcre:/etc/postfix/helo_checks.pcre,
>>     check_helo_access hash:/etc/postfix/helo_checks,
>>     reject_non_fqdn_helo_hostname,
>>     reject_invalid_helo_hostname,
>>     check_policy_service inet:127.0.0.1:2501,
>>     check_recipient_access pcre:/etc/postfix/relay_recips_access,
>>     permit
>>
>> smtpd_sender_restrictions = permit_mynetworks,
>>     check_sender_access hash:/etc/postfix/sender_checks,
>>     check_sender_ns_access hash:/etc/postfix/blacklist_ns.cf
>>     reject_unknown_sender_domain
>
> It does not matter what order the various lists of restrictions have in
> main.cf, they are always evaluated in the same order:
> http://www.postfix.org/SMTPD_ACCESS_README.html#timing
>
> Each restriction list is evaluated independently but a REJECT or DEFER
> result from any list causes later lists to be skipped. Note that
> http://www.postfix.org/SMTPD_ACCESS_README.html#lists does not say OK/PERMIT
> from one list is carried forward to whitelist against restrictions in later
> lists *because it is not.*
>
> Individual restriction rules inside a list are evaluated in order, so the
> above applies your check_sender_access whitelist inside
> smtpd_sender_restrictions, protecting it from the
> reject_unknown_sender_domain in that list. This allows the message to
> proceed and be evaluated by the smtpd_recipient_restrictions list, which has
> its own reject_unknown_sender_domain. You can tell that this is what
> rejected your message by noting the log entry wording:
>
>> Dec 21 12:30:16 mail02 postfix/smtpd[1560]: NOQUEUE: reject: RCPT from
>> mailout.example.com[64.123.123.200]: 450 4.1.8
>> <u...@invalid.example.com>: Sender address rejected: Domain not found;
>> from=<u...@invalid.example.com> to=<notificat...@mydomain.com>
>> proto=ESMTP helo=<mailout.example.com>

Okay, I understand. So if the list wasn't also included in
smtpd_sender_restrictions, would it have been rejected there, due to the
reject_unknown_sender_domain at the end?

How can I get around the duplication? One of the reasons I separated the
restrictions was to avoid the problem of too permissive access. Should I
just expect to duplicate the check_*_access using the same lists to solve
this?

If it would be best to combine the restrictions, can you suggest how I
might do that?

Thanks again,
Alex
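To make the evaluation rule from the quoted reply concrete, here is an added Python model of how smtpd(8) walks its restriction lists. It is an illustration written for this page, not code from the thread or from Postfix. It encodes the two rules cited from SMTPD_ACCESS_README: the lists run in a fixed order regardless of how main.cf orders the parameters, and an OK ends only the list it occurs in, while REJECT or DEFER ends the whole evaluation. The table lookup is simplified to "full address, then domain", the DNS result behind reject_unknown_sender_domain is a constructed flag, and the addresses, networks and whitelist entry are constructed stand-ins for the elided values in the log line.

```python
"""Toy model of Postfix smtpd restriction-list evaluation (added example)."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Session:
    """Constructed SMTP transaction attributes; no network access is made."""
    client_ip: str
    sender: str
    recipient: str
    sender_domain_resolves: bool  # stands in for the MX/A lookup


# A restriction yields OK, REJECT, DEFER, or DUNNO (no decision, keep going).
Restriction = Callable[[Session], str]

# Fixed evaluation order; with smtpd_delay_reject=yes all run at RCPT TO.
LIST_ORDER = [
    "smtpd_client_restrictions",
    "smtpd_helo_restrictions",
    "smtpd_sender_restrictions",
    "smtpd_recipient_restrictions",
]


def permit_mynetworks(nets: List[str]) -> Restriction:
    return lambda s: "OK" if s.client_ip in nets else "DUNNO"


def check_sender_access(table: Dict[str, str]) -> Restriction:
    """Simplified hash: lookup: the full address first, then its domain."""
    def rule(s: Session) -> str:
        domain = s.sender.split("@", 1)[1]
        return table.get(s.sender, table.get(domain, "DUNNO"))
    return rule


def reject_unknown_sender_domain(s: Session) -> str:
    # The real daemon replies with unknown_address_reject_code (450 by
    # default), which is the code visible in the quoted log line.
    return "DUNNO" if s.sender_domain_resolves else "REJECT"


def reject_unauth_destination(local_domains: List[str]) -> Restriction:
    return lambda s: ("DUNNO" if s.recipient.split("@", 1)[1] in local_domains
                      else "REJECT")


def permit(s: Session) -> str:
    return "OK"


def evaluate_list(rules: List[Restriction], s: Session) -> str:
    """First rule that decides wins; running off the end is an implicit OK."""
    for rule in rules:
        result = rule(s)
        if result != "DUNNO":
            return result
    return "OK"


def evaluate(config: Dict[str, List[Restriction]],
             s: Session) -> Tuple[str, Optional[str]]:
    """OK only ends the current list; REJECT/DEFER ends everything and
    reports which list fired, as the smtpd log entry effectively does."""
    for name in LIST_ORDER:
        result = evaluate_list(config.get(name, []), s)
        if result in ("REJECT", "DEFER"):
            return result, name
    return "OK", None


MYNETS = ["127.0.0.1"]               # constructed
LOCAL = ["mydomain.com"]
WHITELIST = {"invalid.example.com": "OK"}  # the sender_checks entry, constructed

# The quoted configuration reduced to the rules that matter for this message.
THREAD_CONFIG = {
    "smtpd_sender_restrictions": [
        permit_mynetworks(MYNETS),
        check_sender_access(WHITELIST),
        reject_unknown_sender_domain,
    ],
    "smtpd_recipient_restrictions": [
        permit_mynetworks(MYNETS),
        reject_unauth_destination(LOCAL),
        reject_unknown_sender_domain,
        permit,
    ],
}

# Same, with the whitelist lookup also placed ahead of the second
# reject_unknown_sender_domain, because the sender list's OK never gets here.
DUPLICATED_CONFIG = {
    "smtpd_sender_restrictions": THREAD_CONFIG["smtpd_sender_restrictions"],
    "smtpd_recipient_restrictions": [
        permit_mynetworks(MYNETS),
        reject_unauth_destination(LOCAL),
        check_sender_access(WHITELIST),
        reject_unknown_sender_domain,
        permit,
    ],
}

# Constructed transaction shaped like the quoted log line.
MESSAGE = Session("64.123.123.200", "user@invalid.example.com",
                  "user@mydomain.com", sender_domain_resolves=False)


def thread_outcome() -> Tuple[str, Optional[str]]:
    return evaluate(THREAD_CONFIG, MESSAGE)


def duplicated_outcome() -> Tuple[str, Optional[str]]:
    return evaluate(DUPLICATED_CONFIG, MESSAGE)


if __name__ == "__main__":
    print("as quoted:              ", thread_outcome())
    print("whitelist in both lists:", duplicated_outcome())
```

Running it shows the quoted configuration rejecting the message from smtpd_recipient_restrictions even though the sender list returned OK, and the same message passing once the check_sender_access lookup also sits in front of the recipient list's reject_unknown_sender_domain. A client inside mynetworks passes the quoted configuration unchanged, but only because permit_mynetworks is repeated in the recipient list, not because the sender list's OK carried over.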