On 11/7/2018 12:40 PM, Kai Schaetzl wrote:
> Wietse Venema wrote on Wed, 7 Nov 2018 12:10:40 -0500 (EST):
>
>> HOWEVER, by default Postfix evaluates all of these at RCPT TO time.
>
> which means smtpd_delay_reject = yes is the default?

Yes, that's the default, and generally should not be changed.

>
> Am I correct in assuming that with "yes" it doesn't matter if I list the
> client restrictions in smtpd_client_restrictions or in
> smtpd_recipient_restrictions?
> If so, does the order matter?
> I mean it should matter in general, but if I mix different stages like
> shown in my earlier mail like the following, is it still getting evaluated
> in this order or getting reordered? See below for an exception I saw.

Postfix always evaluates the smtpd_*_restrictions statements in the
documented order; they are never reordered. Always
client-helo-sender-recipient. This evaluation is by default delayed
until the client sends the first recipient, but the order stays the
same.

Within each smtpd_*_restrictions section, the restrictions are
checked in the order YOU specify.

>
> smtpd_recipient_restrictions =
>   reject_non_fqdn_sender,
>   reject_non_fqdn_recipient,
>   permit_sasl_authenticated,
>   permit_mynetworks,
>   reject_unauth_destination,
>   reject_unknown_sender_domain,
>   reject_unknown_recipient_domain,
>   reject_unlisted_recipient,
>   check_recipient_access hash:/etc/mail/allow_recipients,
>   check_sender_access hash:/etc/mail/allow_senders,
>   check_client_access hash:/etc/mail/allow_clients,
>   check_client_access hash:/etc/mail/access,
>   check_sender_access hash:/etc/mail/access,
> and some more.

This will evaluate in exactly the order you have listed above. They
are never reordered.

>
> I'm asking because I've seen rejections by sender earlier, although
> client_access should have hit first. An example:

With the above list, check_sender_access comes first. Postfix does
not reorder the list you have specified.

>
> Shouldn't the client restriction have kicked in here instead of sender?

No, they are executed in the order you specify.

>
> Thanks,
>
> Kai
>
>

  -- Noel Jones
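
Added example, not part of the original message and not Postfix code: a simplified Python model of the evaluation order described in the reply above, showing which restriction produces the rejection when the sender check is listed before the client check, and what changes if the client check is moved to smtpd_client_restrictions. Assumptions: exact-match lookups only, only check_*_access restrictions are modelled, and the table contents, addresses and the CLIENT_FIRST variant are constructed for illustration.

```python
# Simplified model of how Postfix smtpd walks its restriction lists.
# Added illustration only: exact-match lookups, check_*_access restrictions
# only, and constructed table contents. Not Postfix source code.

STAGE_ORDER = ["client", "helo", "sender", "recipient"]  # never reordered

# Which session attribute each check_*_access restriction looks up.
LOOKUP_KEY = {
    "check_client_access": "client",
    "check_sender_access": "sender",
    "check_recipient_access": "recipient",
}

# Constructed table contents (the thread does not show the real ones).
TABLES = {
    "hash:/etc/mail/allow_senders": {"bulk@example.net": "REJECT"},
    "hash:/etc/mail/allow_clients": {"192.0.2.10": "REJECT", "192.0.2.20": "OK"},
}

def evaluate(config, session):
    """Return (action, list_name, restriction) for the first decisive hit."""
    for stage in STAGE_ORDER:
        list_name = f"smtpd_{stage}_restrictions"
        for restriction, table in config.get(list_name, []):
            result = TABLES[table].get(session[LOOKUP_KEY[restriction]], "DUNNO")
            if result == "REJECT":
                return ("REJECT", list_name, f"{restriction} {table}")
            if result == "OK":
                break  # OK ends this list only; the following lists still run
    return ("ACCEPT", None, None)

# Order from the thread: the sender check is listed before the client check.
AS_POSTED = {"smtpd_recipient_restrictions": [
    ("check_sender_access", "hash:/etc/mail/allow_senders"),
    ("check_client_access", "hash:/etc/mail/allow_clients"),
]}

# Hypothetical variant: client check moved to smtpd_client_restrictions.
CLIENT_FIRST = {
    "smtpd_client_restrictions": [
        ("check_client_access", "hash:/etc/mail/allow_clients")],
    "smtpd_recipient_restrictions": [
        ("check_sender_access", "hash:/etc/mail/allow_senders")],
}

# Constructed sessions: same listed sender, one rejected and one permitted client.
BAD_BOTH = {"client": "192.0.2.10", "sender": "bulk@example.net", "recipient": "user@example.org"}
OK_CLIENT = {"client": "192.0.2.20", "sender": "bulk@example.net", "recipient": "user@example.org"}
```

In the model, an OK from the client table in smtpd_client_restrictions does not exempt the message from the sender check in smtpd_recipient_restrictions, so moving a check between lists changes more than just which rejection is logged.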