On 21 Dec 2017, at 18:06 (-0500), Doe wrote:

In the case of a server that receives mail for a domain and also allows clients to send mail through it (via AUTH’d clients), does smtpd_recipient_restrictions apply to recipients at the domain or to recipients of mail sent by the AUTH’d clients or both?

Both, although you can exempt authenticated senders from restrictions as Wietse described.

HOWEVER, modern standard practice (defined by RFC2476, RFC4409, and RFC6409) is to segregate initial message submission by authenticated users from the mail coming in from the world at large, running a distinct smtpd process listening on port 587 with mandatory authentication and overrides of the main.cf settings. Doing this allows you to disable authentication on the 'main' port 25 daemon and have entirely distinct restrictions for submission and inbound SMTP transport. If you read the documentation of the available restrictions in Postfix and the discussion of them in the archives of this list you can find multiple cases where a restriction that would be useful and safe for either inbound mail or initial submission is cautioned against because it is not safe to use for the other.

--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Currently Seeking Steady Work: https://linkedin.com/in/billcole
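
Added example (not part of the original message, and not Postfix project code): a small check that a master.cf implements the port 25 / port 587 split described above. The sample master.cf is constructed; it assumes main.cf leaves smtpd_sasl_auth_enable at its default of "no", and the parser handles only the "-o name=value" override form.

```python
# Constructed sample: inbound port 25 without AUTH, submission on 587 with
# mandatory TLS and AUTH and its own (here empty) recipient restrictions.
SAMPLE_MASTER_CF = """\
smtp       inet  n  -  y  -  -  smtpd
submission inet  n  -  y  -  -  smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_recipient_restrictions=
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
"""

def parse_master_cf(text):
    """Map each inet service name to its {parameter: value} -o overrides."""
    services, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        fields = raw.split()
        if raw[0].isspace():
            args = fields                 # continuation of the previous entry
        else:
            # name type private unpriv chroot wakeup maxproc command [args]
            is_inet = len(fields) >= 8 and fields[1] == "inet"
            current = services.setdefault(fields[0], {}) if is_inet else None
            args = fields[8:]
        if current is not None:
            for flag, setting in zip(args, args[1:]):
                if flag == "-o" and "=" in setting:
                    name, _, value = setting.partition("=")
                    current[name] = value
    return services

def audit(services):
    """Return findings; an empty list means port 25 and 587 are segregated."""
    sub = services.get("submission")
    if sub is None:
        return ["no submission (587) service defined"]
    findings = []
    if services.get("smtp", {}).get("smtpd_sasl_auth_enable") == "yes":
        findings.append("smtp (25): AUTH is enabled on the inbound daemon")
    if sub.get("smtpd_sasl_auth_enable") != "yes":
        findings.append("submission: SASL AUTH not enabled by override")
    if sub.get("smtpd_tls_security_level") != "encrypt":
        findings.append("submission: TLS is not mandatory")
    relay = sub.get("smtpd_relay_restrictions", "").replace(",", " ").split()
    if relay != ["permit_sasl_authenticated", "reject"]:   # strict on purpose
        findings.append("submission: relay restrictions are not exactly "
                        "permit_sasl_authenticated,reject")
    return findings
```

Calling audit(parse_master_cf(SAMPLE_MASTER_CF)) returns an empty list; on a live system the same text can come from the master.cf file itself.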