Hi,

On Wed, Dec 23, 2015 at 12:53 PM, Bill Cole
<postfixlists-070...@billmail.scconsult.com> wrote:
> On 21 Dec 2015, at 12:38, Alex wrote:
>
>> Perhaps the ordering of restrictions is not correct?
>>
>> smtpd_client_restrictions = permit_mynetworks,
>>  check_client_access hash:/etc/postfix/client_checks,
>>  check_reverse_client_hostname_access pcre:/etc/postfix/fqrdns-042715a.pcre,
>>  check_reverse_client_hostname_access pcre:/etc/postfix/reverse_client_hostname_access.pcre,
>>  check_client_access cidr:/etc/postfix/client_access_blocklist
>>
>> smtpd_recipient_restrictions = reject_non_fqdn_recipient,
>>  reject_non_fqdn_sender,
>>  reject_unlisted_recipient,
>>  reject_unknown_recipient_domain,
>>  permit_mynetworks,
>>  reject_unauth_destination,
>>  reject_unknown_sender_domain,
>>  reject_rhsbl_reverse_client mykey.dbl.dq.spamhaus.net,
>>  reject_rhsbl_sender mykey.dbl.dq.spamhaus.net,
>>  reject_rhsbl_helo mykey.dbl.dq.spamhaus.net
>>  check_helo_access pcre:/etc/postfix/helo_checks.pcre,
>>  check_helo_access hash:/etc/postfix/helo_checks,
>>  reject_non_fqdn_helo_hostname,
>>  reject_invalid_helo_hostname,
>>  check_policy_service inet:127.0.0.1:2501,
>>  check_recipient_access pcre:/etc/postfix/relay_recips_access,
>>  permit
>>
>> smtpd_sender_restrictions = permit_mynetworks,
>>  check_sender_access hash:/etc/postfix/sender_checks,
>>  check_sender_ns_access hash:/etc/postfix/blacklist_ns.cf
>>  reject_unknown_sender_domain
>
>
> It does not matter what order the various lists of restrictions have in
> main.cf, they are always evaluated in the same order:
> http://www.postfix.org/SMTPD_ACCESS_README.html#timing
>
> Each restriction list is evaluated independently but a REJECT or DEFER
> result from any list causes later lists to be skipped. Note that
> http://www.postfix.org/SMTPD_ACCESS_README.html#lists does not say OK/PERMIT
> from one list is carried forward to whitelist against restrictions in later
> lists *because it is not.*
>
> Individual restriction rules inside a list are evaluated in order, so the
> above applies your check_sender_access whitelist inside
> smtpd_sender_restrictions, protecting it from the
> reject_unknown_sender_domain in that list. This allows the message to
> proceed and be evaluated by the smtpd_recipient_restrictions list, which has
> its own reject_unknown_sender_domain. You can tell that this is what
> rejected your message by noting the log entry wording:
>
>> Dec 21 12:30:16 mail02 postfix/smtpd[1560]: NOQUEUE: reject: RCPT from
>> mailout.example.com[64.123.123.200]: 450 4.1.8
>> <u...@invalid.example.com>: Sender address rejected: Domain not found;
>> from=<u...@invalid.example.com> to=<notificat...@mydomain.com>
>> proto=ESMTP helo=<mailout.example.com>

Okay, I understand. So if the list wasn't also included in
smtpd_sender_restrictions, would it have been rejected there, due to
the reject_unknown_sender_domain at the end?

How can I get around the duplication? One of the reasons I separated
the restrictions was to avoid the problem of too permissive access.

Should I just expect to duplicate the check_*_access using the same
lists to solve this?

If it would be best to combine the restrictions, can you suggest how I
might do that?

Thanks again,
Alex
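To make the evaluation rules Bill describes concrete, here is an added toy model of how Postfix walks its smtpd_*_restrictions lists. It is not Postfix code and not from this thread; it assumes smtpd_delay_reject = yes (the default, so every list is evaluated at RCPT TO), models only the few restrictions needed to reproduce the 450 above, and uses constructed in-memory stand-ins for the hash: table and for DNS. It shows the layout as posted (whitelist only in smtpd_sender_restrictions) being deferred by the recipient list, and the same whitelist repeated inside smtpd_recipient_restrictions, placed after reject_unauth_destination so it cannot relax relay control, letting the message through.

```python
"""Toy model of Postfix smtpd restriction-list evaluation (added example).

Assumptions: smtpd_delay_reject = yes; only the restrictions needed for the
thread's scenario are modelled; tables and DNS are constructed in memory.
"""
from typing import Any, Callable, Dict, List, Tuple

# Answers a single restriction can give. DUNNO = "no opinion, ask the next rule".
OK, REJECT, DEFER, DUNNO = "OK", "REJECT", "DEFER", "DUNNO"

Session = Dict[str, Any]
Rule = Tuple[str, Callable[[Session], str]]

# Lists always run in this order (SMTPD_ACCESS_README "timing"); the order in
# which they are written in main.cf does not matter.
STAGE_ORDER = [
    "smtpd_client_restrictions",
    "smtpd_helo_restrictions",
    "smtpd_sender_restrictions",
    "smtpd_recipient_restrictions",
]


def permit_mynetworks(s: Session) -> str:
    return OK if s["client_in_mynetworks"] else DUNNO


def reject_unauth_destination(s: Session) -> str:
    # Anti-relay: reject recipients in domains this server does not accept mail for.
    return REJECT if s["recipient"].split("@")[1] not in s["relay_domains"] else DUNNO


def reject_unknown_sender_domain(s: Session) -> str:
    # Postfix answers 450 (temporary) when the sender domain does not resolve.
    return DEFER if s["sender"].split("@")[1] not in s["resolvable_domains"] else DUNNO


def check_sender_access(table: Dict[str, str]) -> Callable[[Session], str]:
    # Stand-in for "check_sender_access hash:/etc/postfix/sender_checks";
    # looks up the full address only, for brevity.
    return lambda s: table.get(s["sender"], DUNNO)


def evaluate_list(rules: List[Rule], s: Session) -> Tuple[str, str]:
    """Rules inside one list run in order; the first non-DUNNO answer ends the list.
    Running out of rules permits (the implicit 'permit' at the end of a list)."""
    for name, rule in rules:
        result = rule(s)
        if result != DUNNO:
            return result, name
    return OK, "implicit permit at end of list"


def evaluate_session(config: Dict[str, List[Rule]], s: Session):
    """Run the lists in STAGE_ORDER. OK from one list only ends that list; it is
    not carried forward to later lists. REJECT/DEFER stops everything."""
    trace = []
    for stage in STAGE_ORDER:
        result, rule = evaluate_list(config.get(stage, []), s)
        trace.append((stage, rule, result))
        if result in (REJECT, DEFER):
            break
    return trace[-1][2], trace


# Constructed session mirroring the log line in the thread: sender domain does
# not resolve, client is outside mynetworks, recipient is a local domain.
SESSION: Session = {
    "client_in_mynetworks": False,
    "sender": "user@invalid.example.com",
    "recipient": "notifications@mydomain.com",
    "relay_domains": {"mydomain.com"},
    "resolvable_domains": {"mydomain.com", "example.com"},
}
SENDER_CHECKS = {"user@invalid.example.com": OK}  # constructed sender_checks table

# Layout as posted: the whitelist lives only in smtpd_sender_restrictions.
CONFIG_AS_POSTED = {
    "smtpd_sender_restrictions": [
        ("permit_mynetworks", permit_mynetworks),
        ("check_sender_access", check_sender_access(SENDER_CHECKS)),
        ("reject_unknown_sender_domain", reject_unknown_sender_domain),
    ],
    "smtpd_recipient_restrictions": [
        ("permit_mynetworks", permit_mynetworks),
        ("reject_unauth_destination", reject_unauth_destination),
        ("reject_unknown_sender_domain", reject_unknown_sender_domain),
    ],
}

# Whitelist repeated in the recipient list: after reject_unauth_destination
# (so it cannot open relaying for that sender) and before the
# reject_unknown_sender_domain it has to shield.
CONFIG_WHITELIST_REPEATED = {
    "smtpd_sender_restrictions": CONFIG_AS_POSTED["smtpd_sender_restrictions"],
    "smtpd_recipient_restrictions": [
        ("permit_mynetworks", permit_mynetworks),
        ("reject_unauth_destination", reject_unauth_destination),
        ("check_sender_access", check_sender_access(SENDER_CHECKS)),
        ("reject_unknown_sender_domain", reject_unknown_sender_domain),
    ],
}

if __name__ == "__main__":
    for label, cfg in (("as posted", CONFIG_AS_POSTED),
                       ("whitelist repeated", CONFIG_WHITELIST_REPEATED)):
        final, trace = evaluate_session(cfg, SESSION)
        print(f"{label}: {final}")
        for stage, rule, result in trace:
            print(f"  {stage}: {rule} -> {result}")
```

Running it prints the per-list trace: in the "as posted" layout the sender list ends with OK from check_sender_access, and the recipient list then defers on its own reject_unknown_sender_domain, exactly the 450 in the log; with the whitelist repeated in the recipient list, the session ends OK. Where the repeated entry sits in the list matters: before reject_unauth_destination it would exempt that sender from relay control, which is the "too permissive" outcome worth avoiding.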
