From: /dev/rob0 (no email)
Date: Fri May 02 2008 - 15:14:39 EDT
On Fri May 2 2008 14:02:09 Charles Marcus wrote:
> On 5/2/2008, Arturo 'Buanzo' Busleiman () wrote:
> > This is my smtpd_recipient_restrictions line:
> >
> > smtpd_recipient_restrictions = reject_non_fqdn_sender,
> > reject_non_fqdn_recipient,reject_unknown_sender_domain,
> > reject_unknown_recipient_domain,reject_unauth_pipelining,
> > permit_mynetworks,
> > reject_unauth_destination,
>
> Move permit_mynetworks to first position, followed by
> reject_unauth_destination, then other checks...

That's not always the right thing to do IMO. Your own users should
still pass all those checks, and if they don't, you can't deliver it
anyway. Might as well tell them NOW as to wait and let them get the
bounce after $maximal_queue_lifetime passes.

Some would rightly argue against the reject_unknown_*_domain checks.
That's a policy matter for me. Sure, if the DNS is down, you might
reject mail to the MUA that ultimately could have been delivered. My
userbase is small enough that I can handle getting phone calls about
this. But indeed, a large service should put those after
reject_unauth_destination.

> Also, remove reject_unauth_pipelining from here, it does nothing -
> consider using it under smtpd_data_restrictions

Yes. It's not real effective, but it sure doesn't hurt.

--
Offlist mail to this address is discarded unless
"/dev/rob0" or "not-spam" is in Subject: header
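
The ordering trade-off discussed in this message, as an added example that is not part of the original post: a simplified Python model of first-match evaluation of smtpd_recipient_restrictions. The addresses, networks and the RESOLVABLE set are constructed stand-ins, and reject_unauth_pipelining is left out of the model.

```python
# Simplified model of how Postfix walks a restriction list (added example).
# A restriction yields "PERMIT", "REJECT" or None (DUNNO: try the next one).
# The first non-None result ends the list; an exhausted list permits.

MYNETWORKS = {"192.0.2.10"}                   # constructed trusted client
LOCAL_DOMAINS = {"example.com"}               # constructed: domains we accept for
RESOLVABLE = {"example.com", "example.org"}   # constructed stand-in for DNS

def domain(addr):
    return addr.rpartition("@")[2]

def fqdn(addr):
    return "@" in addr and "." in domain(addr)

def reject_unless(ok):
    return None if ok else "REJECT"

CHECKS = {
    "reject_non_fqdn_sender": lambda m: reject_unless(fqdn(m["sender"])),
    "reject_non_fqdn_recipient": lambda m: reject_unless(fqdn(m["rcpt"])),
    "reject_unknown_sender_domain":
        lambda m: reject_unless(domain(m["sender"]) in RESOLVABLE),
    "reject_unknown_recipient_domain":
        lambda m: reject_unless(domain(m["rcpt"]) in RESOLVABLE),
    "permit_mynetworks": lambda m: "PERMIT" if m["client"] in MYNETWORKS else None,
    "reject_unauth_destination":
        lambda m: reject_unless(domain(m["rcpt"]) in LOCAL_DOMAINS),
}

# Order posted in the thread (reject_unauth_pipelining left out of the model).
POSTED = ["reject_non_fqdn_sender", "reject_non_fqdn_recipient",
          "reject_unknown_sender_domain", "reject_unknown_recipient_domain",
          "permit_mynetworks", "reject_unauth_destination"]
# Order suggested in the quoted reply: trust and relay checks first.
SUGGESTED = ["permit_mynetworks", "reject_unauth_destination"] + POSTED[:4]

def evaluate(order, msg):
    """Return (decision, deciding restriction) for one RCPT TO."""
    for name in order:
        result = CHECKS[name](msg)
        if result is not None:
            return result, name
    return "PERMIT", "end of list"

# Constructed cases: a local user mistyping a domain, and an outside relay attempt.
typo = {"client": "192.0.2.10", "sender": "user@example.com",
        "rcpt": "friend@nodomain.invalid"}
relay = {"client": "198.51.100.7", "sender": "a@example.org", "rcpt": "b@example.org"}
```

With the posted order the local user's mistyped recipient is rejected during the SMTP session; with permit_mynetworks first the same message is accepted and queued. The outside relay attempt is rejected by reject_unauth_destination in both orders.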