Re: smtpd_recipient_restrictions only Vs. separate *_restrictions clauses

From: mouss (no email)
Date: Mon Apr 23 2007 - 12:26:04 EDT

    Mark Watts wrote:
    > Is there any material difference between lumping all my restrictions into
    > smtpd_recipient_restrictions, and splitting them out into separate clauses.
    >
    > Eg:
    >
    > smtpd_recipient_restrictions =
    > permit_mynetworks,
    > reject_unknown_recipient_domain,
    > reject_unauth_destination,
    > reject_rbl_client sbl.spamhaus.org,
    > reject_rbl_client dnsbl.sorbs.net,
    > reject_unknown_sender_domain,
    > reject_invalid_hostname,
    > reject_non_fqdn_sender,
    > reject_non_fqdn_hostname,
    > reject_non_fqdn_recipient,
    > permit
    >
    > Against:
    >
    > smtpd_data_restrictions =
    > reject_unauth_pipelining,
    > permit
    >
    > smtpd_helo_restrictions =
    > reject_invalid_hostname,
    > reject_non_fqdn_hostname,
    > permit
    >
    > smtpd_client_restrictions =
    > permit_mynetworks,
    > reject_rbl_client sbl.spamhaus.org,
    > reject_rbl_client dnsbl.sorbs.net,
    > permit
    >
    > smtpd_sender_restrictions =
    > reject_non_fqdn_sender,
    > reject_unknown_sender_domain,
    > permit
    >
    > smtpd_recipient_restrictions =
    > reject_unauth_destination,
    > permit
    >
    >

    You are not comparing the same configs. The "exploded" version is
    equivalent to

    smtpd_recipient_restrictions =
         reject_non_fqdn_sender
         reject_unknown_sender_domain
         reject_unauth_destination
         permit_mynetworks
         reject_rbl_client sbl.spamhaus.org
         reject_rbl_client dnsbl.sorbs.net

    smtpd_data_restrictions =
        reject_unauth_pipelining

    As you see, this is not the same as your "unexploded" version. In
    particular, nobody can relay (even mynetworks).
    In short, permit in smtpd_[client|helo|sender]_restrictions only tells
    Postfix to go to the "next" restrictions. So the permit_mynetworks in
    your smtpd_client_restrictions will skip the RBL checks, nothing else.

    If this is not clear, I suggest you stick with the "unexploded" version,
    as it is linear and easier to understand/follow.
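
The behaviour described in the reply above, as an added example that is not part of the original message and is not Postfix code: a simplified model in which a reject in any list is final, while a permit only ends the current list. The session keys (`in_mynetworks`, `rcpt_domain_is_ours`, `rbl_listed`) and the sample sessions are assumptions made for the illustration, and every check not modelled is assumed to pass.

```python
# Simplified model of how Postfix smtpd walks its restriction lists for one
# delivery attempt. Added illustration, not Postfix code; facts are constructed.
PERMIT, REJECT, DUNNO = "PERMIT", "REJECT", "DUNNO"

def check(restriction, s):
    """Result of one restriction for session facts s (hypothetical keys)."""
    if restriction == "permit":
        return PERMIT
    if restriction == "permit_mynetworks":
        return PERMIT if s["in_mynetworks"] else DUNNO
    if restriction == "reject_unauth_destination":
        return DUNNO if s["rcpt_domain_is_ours"] else REJECT
    if restriction.startswith("reject_rbl_client "):
        return REJECT if s["rbl_listed"] else DUNNO
    return DUNNO  # assumption: hostname/FQDN/domain checks all pass

def evaluate(stages, s):
    """Walk the lists in order; return (verdict, deciding list and restriction)."""
    for name, restrictions in stages:
        for r in restrictions:
            result = check(r, s)
            if result == REJECT:
                return REJECT, f"{name}: {r}"  # a reject in any list is final
            if result == PERMIT:
                break  # permit only ends this list; the next list still runs
    return PERMIT, "no list rejected"

RBLS = ["reject_rbl_client sbl.spamhaus.org", "reject_rbl_client dnsbl.sorbs.net"]
LUMPED = [("smtpd_recipient_restrictions",
           ["permit_mynetworks", "reject_unknown_recipient_domain",
            "reject_unauth_destination", *RBLS, "reject_unknown_sender_domain",
            "reject_invalid_hostname", "reject_non_fqdn_sender",
            "reject_non_fqdn_hostname", "reject_non_fqdn_recipient", "permit"])]
SPLIT = [  # listed in the order the lists are evaluated
    ("smtpd_client_restrictions", ["permit_mynetworks", *RBLS, "permit"]),
    ("smtpd_helo_restrictions",
     ["reject_invalid_hostname", "reject_non_fqdn_hostname", "permit"]),
    ("smtpd_sender_restrictions",
     ["reject_non_fqdn_sender", "reject_unknown_sender_domain", "permit"]),
    ("smtpd_recipient_restrictions", ["reject_unauth_destination", "permit"]),
    ("smtpd_data_restrictions", ["reject_unauth_pipelining", "permit"]),
]
# Constructed sessions: a LAN client relaying out, and two RBL-listed clients.
LAN_RELAY = {"in_mynetworks": True, "rcpt_domain_is_ours": False, "rbl_listed": False}
LAN_LISTED = {"in_mynetworks": True, "rcpt_domain_is_ours": True, "rbl_listed": True}
WAN_LISTED = {"in_mynetworks": False, "rcpt_domain_is_ours": True, "rbl_listed": True}

if __name__ == "__main__":
    for label, s in [("LAN relay", LAN_RELAY), ("LAN listed", LAN_LISTED),
                     ("WAN listed", WAN_LISTED)]:
        print(label, "| lumped:", evaluate(LUMPED, s), "| split:", evaluate(SPLIT, s))
```

For a real server, `postconf -n` shows the lists actually in effect before reasoning about them this way.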

