Wietse Venema wrote on Wed, 7 Nov 2018 12:10:40 -0500 (EST):
> HOWEVER, by default Postfix evaluates all of these at RCPT TO time.
which means smtpd_delay_reject = yes is the default?
Am I correct in assuming that with "yes" it doesn't matter if I list the
client restrictions in smtpd_client_restrictions or in
smtpd_recipient_restrictions?
If so, does the order matter?
I mean it should matter in general, but if I mix different stages like
shown in my earlier mail like the following, is it still getting evaluated
in this order or getting reordered? See below for an exception I saw.
smtpd_recipient_restrictions =
reject_non_fqdn_sender,
reject_non_fqdn_recipient,
permit_sasl_authenticated,
permit_mynetworks,
reject_unauth_destination,
reject_unknown_sender_domain,
reject_unknown_recipient_domain,
reject_unlisted_recipient,
check_recipient_access hash:/etc/mail/allow_recipients,
check_sender_access hash:/etc/mail/allow_senders,
check_client_access hash:/etc/mail/allow_clients,
check_client_access hash:/etc/mail/access,
check_sender_access hash:/etc/mail/access,
and some more.
I'm asking because I've seen rejections by sender earlier, although
client_access should have hit first. An example:
Nov 7 14:15:24 b04 postfix/smtpd[6584]: NOQUEUE: reject: RCPT from
mx17.a.outbound.createsend.com[203.55.21.17]: 554 5.7.1
<u...@cmail20.com>: Sender address rejected: Access denied;
from=<u...@cmail20.com> to=<u...@example.com> proto=ESMTP
helo=<mx17.a.outbound.createsend.com>
with this in /etc/mail/access
createsend.com REJECT
cmail20.com REJECT
and the exact same order of maps as above.
Shouldn't the client restriction have kicked in here instead of sender?
Thanks,
Kai
