From: (no name) (no email)
Date: Thu Feb 26 2004 - 20:06:11 EST
On Thu, 26 Feb 2004, Joe Hrbek wrote:
> > > Here is my complete recipient restriction config:
> > >
> > > smtpd_recipient_restrictions =
> > > permit_mynetworks,
> > > permit_sasl_authenticated,
> > > reject_non_fqdn_recipient,
> > > check_client_access mysql:/etc/postfix/mysql-domainlist.cf,
> > > reject_unknown_recipient_domain,
> > > reject_unauth_destination
> > >
> > > So you suggest moving reject_unauth_destination so that it's right after
> > > permit_sasl_authenticated?
> > >
> >
> > You seem to list some trusted clients (by domain name) via
> > mysql-domainlist.cf. While this is a fragile mechanism (temp DNS errors
> > lead to 5XX reject codes) that is not recommended (you are supposed to
> > permit clients by IP or authenticate them), if you are OK with using this,
> > you should leave the restrictions largely unchanged.
>
> Actually, the check_client_access is there to reject domains that I want to
> ban. There are no OKs there. It hits a mysql table that is maintained
> through a web interface. :) So, worst case scenario, if it fails, we just
> get more spam, nothing new there.
>
In that case put it after reject_unauth_destination, and delete
reject_unknown_recipient_domain or move it above the "permit_..." checks.
-- Viktor.
|
|
|