Re: Comprehension question on smtpd_*_restrictions and access tables

From: Noel Jones (no email)
Date: Thu Feb 01 2007 - 13:35:00 EST

  • Next message: Wietse Venema: "Re: feature request: timeouts in smtpd"

    At 06:58 AM 2/1/2007, Kai Fürstenberg wrote:
    >But what about the "OK"-action in access tables? I always heard (and
    >read) that, when a restriction receives an OK from an access table,
    >the mail is accepted.

    The mail skips from that smtpd_*_restrictions section to the next;
    the sections are always evaluated in the order documented regardless
    of the order in main.cf. Within each section, restrictions are
    evaluated in the order listed. The default empty value for
    smtpd_{client, helo, sender, data, end_of_data}_restrictions is
    morally equivalent to "permit". One can put just "permit" in each of
    these sections and have no effect on mail processing.
    The default value for smtpd_recipient_restrictions is
    "permit_mynetworks, reject_unauth_destination" which is what
    prevents one from being an open relay. A bare "permit" is not allowed here.

    Simplification:
    smtpd_recipient_restrictions is for relay control, and optionally for
    UCE controls.
    All the other smtpd_*_restrictions sections are for UCE controls and
    cannot allow relaying.

    >E.G.:
    >main.cf:
    >smtpd_client_restrictions =
    > check_client_access hash:/etc/postfix/access
    > reject
    >smtpd_recipient_restrictions =
    > reject
    >
    >/etc/postfix/access:
    >10.0.0.1 OK
    >
    >When the client 10.0.0.1 connects to Postfix, is he allowed to relay
    >mail through postfix, because of the OK in the access table, or does
    >this only take effect on smtpd_client_restrictions and the mail will
    >be rejected because of the smtpd_recipient_restrictions?

    In the above example, all mail will be rejected because of the
    smtpd_recipient_restrictions settings. EACH smtpd_*_restrictions
    section is evaluated for EVERY message. Each section must evaluate
    to either "permit", "OK", or DUNNO (or no answer) for mail to be accepted.

    -- 
    Noel Jones 
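
Added example, not part of the message above and not Postfix code: a simplified Python model of the evaluation rules described in the reply, run against the main.cf and access table from the question. The section order, the helper names, the 192.168.1.0/24 network and the example.com domain are assumptions made for illustration.

```python
import ipaddress

# Evaluation order of the sections (assumed from the Postfix documentation);
# the order in which they appear in main.cf plays no part.
SECTION_ORDER = ["client", "helo", "sender", "recipient", "data", "end_of_data"]

def permit(msg):
    return "OK"

def reject(msg):
    return "REJECT"

def check_client_access(table):
    # Access-table lookup on the client IP; no match means DUNNO.
    return lambda msg: table.get(msg["client"], "DUNNO")

def permit_mynetworks(cidrs):
    nets = [ipaddress.ip_network(c) for c in cidrs]
    return lambda msg: ("OK" if any(ipaddress.ip_address(msg["client"]) in n
                                    for n in nets) else "DUNNO")

def reject_unauth_destination(local_domains):
    # Rejects recipients outside our domains, otherwise gives no answer.
    return lambda msg: ("DUNNO" if msg["rcpt"].rsplit("@", 1)[-1] in local_domains
                        else "REJECT")

def evaluate(config, msg):
    """Return ("accept", None) or ("reject", <section that rejected>)."""
    for section in SECTION_ORDER:
        for restriction in config.get(section, []):  # empty section acts like permit
            result = restriction(msg)
            if result == "REJECT":
                return ("reject", section)
            if result == "OK":
                break  # OK ends this section only; the next one is still evaluated
    return ("accept", None)

ACCESS = {"10.0.0.1": "OK"}  # the /etc/postfix/access table from the question

# main.cf from the question
QUESTION_CF = {"client": [check_client_access(ACCESS), reject],
               "recipient": [reject]}
# Same client section with the default recipient section (constructed values)
DEFAULT_RCPT_CF = {"client": [check_client_access(ACCESS), reject],
                   "recipient": [permit_mynetworks(["192.168.1.0/24"]),
                                 reject_unauth_destination({"example.com"})]}

if __name__ == "__main__":
    relay = {"client": "10.0.0.1", "rcpt": "someone@example.net"}  # constructed
    print(evaluate(QUESTION_CF, relay), evaluate(DEFAULT_RCPT_CF, relay))
```

In both configurations the OK for 10.0.0.1 only gets the client past smtpd_client_restrictions; the relay attempt is still decided, and rejected, in the recipient section.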
    
