On 2021-03-10 13:58, Antonio Leding wrote:
> I've been digging into restriction lists a bit more and grinding away
> on the rationale between separating restrictions across each of the
> first four lists (CLIENT, HELO, SENDER, & RECIPIENT) vs. just placing
> them all in RECIPIENT.
This is from my decade-old config. As I recall, the order is important. If it matches a line, then the permit or reject is applied and the rest of the tests are not processed. If it doesn't match a test, then it goes on to the next one. So you can permit someone early when you know they would otherwise fail the subsequent tests (such as a poorly configured SMTP server with no proper host name or reverse translation). Also, by lumping it all into the "recipient restrictions", you delay decisions until the process gets to the DATA phase. This way, you give a sender from a bad IP address a chance to authenticate or go through whitelisting despite sending from a bad IP or a poorly configured SMTP server that would otherwise be blocked at HELO.

    # Require a HELO/EHLO, but evaluate nothing at the HELO or CLIENT stage;
    # the empty lists defer every decision to the recipient stage.
    smtpd_helo_required = yes
    smtpd_helo_restrictions =
    smtpd_client_restrictions =

    # Evaluated in order, first matching permit/reject wins:
    # trusted and authenticated clients are permitted before any of the
    # HELO, reverse-DNS, sender-domain or DNSBL checks can reject them.
    smtpd_recipient_restrictions =
        permit_mynetworks,
        permit_sasl_authenticated,
        reject_unauth_destination,
        check_sender_access regexp:/etc/postfix/whitelist_reg,
        check_client_access cidr:/etc/postfix/rejectcidr,
        reject_unknown_helo_hostname,
        reject_unknown_reverse_client_hostname,
        reject_non_fqdn_helo_hostname,
        reject_invalid_hostname,
        reject_non_fqdn_sender,
        reject_unauth_pipelining,
        reject_unknown_sender_domain,
        reject_non_fqdn_recipient,
        reject_unknown_recipient_domain,
        reject_rbl_client zen.spamhaus.org,
        permit

Disclaimer: this may have changed since that old version.
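A small simulation of the first-match behaviour described in the reply above, added here as an illustration; it is not code from the thread or from Postfix itself. The restriction functions are simplified stand-ins, and the whitelist and CIDR map contents, the client addresses and the session attributes are all constructed for the example.

```python
"""Toy evaluator for Postfix restriction-list semantics (added example).
Each restriction answers PERMIT, REJECT or DUNNO (no opinion); the first
non-DUNNO answer ends the list, so an early permit_sasl_authenticated can
rescue a client that a later check_client_access or reject_rbl_client
would otherwise block. All lookups below are constructed stand-ins."""
import ipaddress
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

PERMIT, REJECT, DUNNO = "PERMIT", "REJECT", "DUNNO"

@dataclass
class Session:
    client_ip: str
    sender: str
    sasl_authenticated: bool = False
    in_mynetworks: bool = False
    rcpt_is_local: bool = True     # recipient domain is one we accept mail for
    helo: Optional[str] = None     # None models a HELO name that does not resolve
    rbl_listed: bool = False       # client is listed on the DNSBL

# Constructed stand-ins for /etc/postfix/whitelist_reg and /etc/postfix/rejectcidr.
WHITELIST_SENDER_DOMAINS = {"partner.example"}
REJECT_CIDR = [ipaddress.ip_network("203.0.113.0/24")]

def permit_mynetworks(s): return PERMIT if s.in_mynetworks else DUNNO
def permit_sasl_authenticated(s): return PERMIT if s.sasl_authenticated else DUNNO
def reject_unauth_destination(s): return DUNNO if s.rcpt_is_local else REJECT
def check_sender_access(s):        # a map hit with action OK permits early
    return PERMIT if s.sender.split("@")[-1] in WHITELIST_SENDER_DOMAINS else DUNNO
def check_client_access(s):        # a map hit with action REJECT rejects
    ip = ipaddress.ip_address(s.client_ip)
    return REJECT if any(ip in net for net in REJECT_CIDR) else DUNNO
def reject_unknown_helo_hostname(s): return REJECT if s.helo is None else DUNNO
def reject_rbl_client(s): return REJECT if s.rbl_listed else DUNNO
def permit(s): return PERMIT

# Same relative order as the smtpd_recipient_restrictions list quoted above.
RECIPIENT_RESTRICTIONS: List[Callable[[Session], str]] = [
    permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination,
    check_sender_access, check_client_access, reject_unknown_helo_hostname,
    reject_rbl_client, permit,
]

def evaluate(restrictions: List[Callable[[Session], str]], s: Session) -> Tuple[str, str]:
    """Return (verdict, name of the restriction that decided it)."""
    for r in restrictions:
        verdict = r(s)
        if verdict != DUNNO:
            return verdict, r.__name__
    return PERMIT, "end-of-list"   # implicit default when nothing matched
```

Run the same bad-IP session twice, once unauthenticated and once SASL-authenticated, to see the decision move from check_client_access to permit_sasl_authenticated.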