From: mouss (no email)
Date: Mon Apr 23 2007 - 12:26:04 EDT
Mark Watts wrote:
> Is there any material difference between lumping all my restrictions into
> smtpd_recipient_restrictions, and splitting them out into separate clauses.
>
> Eg:
>
> smtpd_recipient_restrictions =
>     permit_mynetworks,
>     reject_unknown_recipient_domain,
>     reject_unauth_destination,
>     reject_rbl_client sbl.spamhaus.org,
>     reject_rbl_client dnsbl.sorbs.net,
>     reject_unknown_sender_domain,
>     reject_invalid_hostname,
>     reject_non_fqdn_sender,
>     reject_non_fqdn_hostname,
>     reject_non_fqdn_recipient,
>     permit
>
> Against:
>
> smtpd_data_restrictions =
>     reject_unauth_pipelining,
>     permit
>
> smtpd_helo_restrictions =
>     reject_invalid_hostname,
>     reject_non_fqdn_hostname,
>     permit
>
> smtpd_client_restrictions =
>     permit_mynetworks,
>     reject_rbl_client sbl.spamhaus.org,
>     reject_rbl_client dnsbl.sorbs.net,
>     permit
>
> smtpd_sender_restrictions =
>     reject_non_fqdn_sender,
>     reject_unknown_sender_domain,
>     permit
>
> smtpd_recipient_restrictions =
>     reject_unauth_destination,
>     permit
>
>
You are not comparing the same configs. The "exploded" version is
equivalent to

smtpd_recipient_restrictions =
    reject_non_fqdn_sender
    reject_unknown_sender_domain
    reject_unauth_destination
    permit_mynetworks
    reject_rbl_client sbl.spamhaus.org
    reject_rbl_client dnsbl.sorbs.net
smtpd_data_restrictions =
    reject_unauth_pipelining

As you see, this is not the same as your "unexploded" version. In
particular, nobody can relay (even mynetworks).

In short, permit in smtpd_[client|helo|sender]_restrictions only tells
Postfix to go to the "next" restrictions. So the permit_mynetworks in
your smtpd_client_restrictions will skip the RBL checks, nothing else.

If this is not clear, I suggest you stick with the "unexploded" version,
as it is linear and easier to understand/follow.
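
The evaluation order described in the reply above, as an added Python sketch that is not part of the original message and is not Postfix's code. It is a simplified model: the session field names are hypothetical, only a subset of the checks from the thread is modelled, and the two RBL checks are folded into one.

```python
# Simplified model of how Postfix smtpd walks its restriction lists (added example).
# Each check returns "PERMIT", "REJECT" or None (no decision, try the next check).
CHECKS = {
    "permit_mynetworks": lambda s: "PERMIT" if s["in_mynetworks"] else None,
    "permit": lambda s: "PERMIT",
    "reject_rbl_client": lambda s: "REJECT" if s["rbl_listed"] else None,
    "reject_unauth_destination": lambda s: None if s["dest_is_ours"] else "REJECT",
    "reject_non_fqdn_sender": lambda s: None if s["sender_fqdn"] else "REJECT",
}

def evaluate(config, session):
    """Walk the lists in stage order; return (verdict, deciding 'stage:check')."""
    for stage in ("client", "helo", "sender", "recipient"):
        for check in config.get(stage, []):
            result = CHECKS[check](session)
            if result == "REJECT":
                return "REJECT", f"{stage}:{check}"  # a reject is final
            if result == "PERMIT":
                break  # a permit only ends this list; later lists still run
    return "PERMIT", None

# Subset of the two configurations from the thread, same relative order.
LUMPED = {"recipient": ["permit_mynetworks", "reject_unauth_destination",
                        "reject_rbl_client", "reject_non_fqdn_sender", "permit"]}
SPLIT = {
    "client": ["permit_mynetworks", "reject_rbl_client", "permit"],
    "sender": ["reject_non_fqdn_sender", "permit"],
    "recipient": ["reject_unauth_destination", "permit"],
}

# Constructed sessions (not real traffic).
INTERNAL_RELAY = {"in_mynetworks": True, "rbl_listed": False,
                  "dest_is_ours": False, "sender_fqdn": True}
INTERNAL_LISTED = {"in_mynetworks": True, "rbl_listed": True,
                   "dest_is_ours": True, "sender_fqdn": True}
OUTSIDE_LISTED = {"in_mynetworks": False, "rbl_listed": True,
                  "dest_is_ours": True, "sender_fqdn": True}

if __name__ == "__main__":
    sessions = {"internal relay": INTERNAL_RELAY, "internal, RBL-listed": INTERNAL_LISTED,
                "outside, RBL-listed": OUTSIDE_LISTED}
    for name, s in sessions.items():
        print(f"{name:22} lumped={evaluate(LUMPED, s)} split={evaluate(SPLIT, s)}")
```

The internal client relaying to an outside domain is permitted by the lumped list but rejected by the split one at `recipient:reject_unauth_destination`, which is the "nobody can relay" effect.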