On 12.08.2022 at 11:08:14 Viktor Dukhovni wrote:
> > But now it rejects everything... even connections from hosts that are in my
> > "allowed" list... I have to investigate this again... :(
>
> Well, the client couldn't possibly be authenticated at connect time,
> you need:
>
> -o smtpd_client_restrictions=$temp_client_block
> -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
> -o smtpd_helo_restrictions=
> -o smtpd_sender_restrictions=reject_plaintext_session
> -o smtpd_recipient_restrictions=
> -o smtpd_data_restrictions=
> -o smtpd_end_of_data_restrictions=
> -o smtpd_tls_security_level=encrypt
Thank you! I managed to cut it down to

-o smtpd_client_restrictions=permit_mynetworks,$temp_client_block,reject
-o smtpd_sender_restrictions=permit_sasl_authenticated,reject
-o smtpd_delay_reject=no

and now it works as needed.

The file referenced by $temp_client_block can now be simplified and contain only the allowed IP ranges outside mynetworks; it does not need to include the final REJECT for 0.0.0.0/0 (and the IP ranges can be listed with OK instead of DUNNO).

"reject_plaintext_session" seems not to be needed, as "-o smtpd_tls_security_level=encrypt" makes the server require STARTTLS before any other SMTP command can be issued.

I don't have any HELO, data, or end-of-data restrictions, so I don't need to specify empty ones, and I want to keep my recipient restrictions even for authenticated clients (they contain permit_sasl_authenticated pretty early, but the part before it should be applied even to mail submitted from authenticated clients; it rejects some local recipient addresses that should not receive mail).
--
Regards,
Jaroslaw Rafa
r...@rafa.eu.org
--
"In a million years, when kids go to school, they're gonna know: once there was a Hushpuppy, and she lived with her daddy in the Bathtub."
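For readers who want to see how the three overrides above fit together with the CIDR table and the $temp_client_block parameter, here is an added illustration of the resulting configuration. It is not the poster's actual configuration: the table path /etc/postfix/temp_client_block, the syslog_name and smtpd_sasl_auth_enable lines (taken from the stock Postfix submission entry), and the address ranges (RFC 5737/3849 documentation prefixes) are assumptions.

```text
# main.cf (assumed): a named parameter keeps the master.cf override free of
# whitespace, which "-o name=value" lines in master.cf do not allow.
temp_client_block = check_client_access cidr:/etc/postfix/temp_client_block

# master.cf (assumed service entry): submission port with the overrides from
# the message above.  smtpd_delay_reject=no makes the client restrictions
# apply when the client connects instead of being deferred until RCPT TO,
# so clients that are neither in $mynetworks nor in the CIDR table are
# refused before they can send MAIL FROM or AUTH at all.
submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_delay_reject=no
  -o smtpd_client_restrictions=permit_mynetworks,$temp_client_block,reject
  -o smtpd_sender_restrictions=permit_sasl_authenticated,reject

# /etc/postfix/temp_client_block (constructed sample, assumed path).
# Only the allowed ranges outside $mynetworks are listed, with OK; every
# other client falls through to the trailing "reject" in
# smtpd_client_restrictions, so no catch-all 0.0.0.0/0 REJECT is needed.
# cidr: tables are read directly; no postmap step is required.
192.0.2.0/24        OK
2001:db8:1::/48     OK
```

Evaluation order for a connecting client: $mynetworks members are permitted outright, clients in the CIDR table get OK, everyone else is rejected at connect time. A permitted client must then still STARTTLS (security level encrypt) and authenticate before MAIL FROM is accepted, because the sender restriction is permit_sasl_authenticated followed by reject. Recipient restrictions are deliberately left at their main.cf values so the local-recipient checks mentioned in the message keep applying to authenticated submissions.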