Ion-Mihai Tetcu wrote:
> [snip]
>> #cat main.conf
>> ...skipped...
>> smtpd_recipient_restrictions = permit_sasl_authenticated,
>>     permit_mynetworks,
>>     reject_unauth_pipelining,

this is useless. should be moved to smtpd_data_restrictions.
And put reject_unauth_destination _here_. it is cheap and safe.

>>     reject_non_fqdn_recipient,
>>     reject_unknown_recipient_domain,

this is useless and costly. there is no point to check your own domains,
nor should you check other domains in the case of unauthorized relay.
maybe you want reject_unknown_sender_domain? see below for a
reordered/sanitized restrictions list.

>>     permit_sasl_authenticated,

as already said, this is repeated. remove it.

>>     reject_unauth_destination,
>>     permit_auth_destination,
>>     reject_non_fqdn_hostname,
>>     reject_non_fqdn_sender,
>>     reject_invalid_hostname,
>>     hash:/usr/local/etc/postfix/access,
>      ^^^^^^^^^^^
> This doesn't look good, copy/paste problem? What are you trying to
> achieve here?

this is deprecated syntax and is equivalent to
    check_recipient_access hash:/usr/local/etc/postfix/access
which is probably not what he wants (.../access is generally used for
clients or for senders).

and anyway, his permit_auth_destination ends the restrictions, so
subsequent checks are not even performed (relay is denied by
reject_unauth_destination and non-relay is permitted by
permit_auth_destination. there is no 3rd category!).

here is a reordered (and slightly modified) list of restrictions:

smtpd_recipient_restrictions =
    permit_sasl_authenticated,
    permit_mynetworks
    reject_unauth_destination
    check_client_access pcre:/$path/filter_access
    reject_non_fqdn_sender
    reject_non_fqdn_recipient
    reject_invalid_hostname
    reject_non_fqdn_hostname
    reject_unknown_sender_domain
    ....
    #reject_rbl_client zen.spamhaus.org

> [snip]
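
The point about permit_auth_destination ending the list can be checked mechanically. The following is an added example, not part of the original message or of Postfix: a simplified Python model of first-match evaluation that reports which entries of each list are never reached and which decisive entries can never decide. The names `evaluate` and `audit` and the three client properties are assumptions of the model, and the bare `hash:` entry is written in the equivalent check_recipient_access form given above.

```python
from itertools import product

PERMIT, REJECT, DUNNO = "PERMIT", "REJECT", "DUNNO"
# Assumption: only these four depend on the modelled properties; every other
# restriction returns DUNNO for a well-formed message.
DECISIVE = {
    "permit_sasl_authenticated": lambda c: PERMIT if c["sasl"] else DUNNO,
    "permit_mynetworks": lambda c: PERMIT if c["mynetworks"] else DUNNO,
    "reject_unauth_destination": lambda c: DUNNO if c["auth_dest"] else REJECT,
    "permit_auth_destination": lambda c: PERMIT if c["auth_dest"] else DUNNO,
}

def evaluate(restrictions, client):
    """First match wins: (action, index of deciding entry, entries visited)."""
    for i, name in enumerate(restrictions):
        action = DECISIVE.get(name, lambda c: DUNNO)(client)
        if action != DUNNO:
            return action, i, i + 1
    return DUNNO, None, len(restrictions)  # no decision made in this list

def audit(restrictions):
    """Return (entries never reached, decisive entries that never decide)."""
    reached, decided = set(), set()
    for s, m, a in product([False, True], repeat=3):  # all 8 client types
        _, idx, visited = evaluate(restrictions, dict(sasl=s, mynetworks=m, auth_dest=a))
        reached.update(range(visited))
        if idx is not None:
            decided.add(idx)
    dead = [r for i, r in enumerate(restrictions) if i not in reached]
    idle = [r for i, r in enumerate(restrictions)
            if i in reached and i not in decided and r in DECISIVE]
    return dead, idle

# ORIGINAL: the list quoted in the message. REORDERED: the reply's list, "...." omitted.
ORIGINAL = [
    "permit_sasl_authenticated", "permit_mynetworks", "reject_unauth_pipelining",
    "reject_non_fqdn_recipient", "reject_unknown_recipient_domain",
    "permit_sasl_authenticated", "reject_unauth_destination",
    "permit_auth_destination", "reject_non_fqdn_hostname", "reject_non_fqdn_sender",
    "reject_invalid_hostname", "check_recipient_access hash:/usr/local/etc/postfix/access",
]
REORDERED = [
    "permit_sasl_authenticated", "permit_mynetworks", "reject_unauth_destination",
    "check_client_access pcre:/$path/filter_access", "reject_non_fqdn_sender",
    "reject_non_fqdn_recipient", "reject_invalid_hostname",
    "reject_non_fqdn_hostname", "reject_unknown_sender_domain",
]
for label, lst in (("original", ORIGINAL), ("reordered", REORDERED)):
    print(label, audit(lst))
```

For the original list the model reports the four entries after permit_auth_destination as never reached and the second permit_sasl_authenticated as never deciding; for the reordered list both results are empty.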