Charles Marcus wrote:
> On 2/13/2009, Ralf Hildebrandt (ralf.hildebra...@charite.de) wrote:
>>> I'm thinking it would be better to move the check_client_access check to
>>> smtpd_client_restrictions, and the check_sender_access check to
>>> smtpd_sender_restrictions, so I'd then have:
>
>> No, don't do it.
>
> Ok... I do appreciate the response, but I'd be more comfortable with a
> bit more of an explanation as to why...
>

it brings you nothing, and you need to repeat whitelisting checks
(permit_*).

you can do this

smtpd_sender_restrictions =
    check_recipient_access hash:/etc/postfix/moved-employees,

smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    ## only allow outsourced anti-spam service to send us email
    check_client_access cidr:/etc/postfix/allowed_clients.cidr,
    ## custom rejects for x-employees
    check_recipient_access hash:/etc/postfix/x-employees,
    ## block certain senders from sending us mail
    check_sender_access hash:/etc/postfix/blocked_senders

my rule of thumb is:
- put anti-spam checks under smtpd restrictions
- put other access control under other restrictions. This includes your
  moved-employees, local_only, login-sender mismatch, ... etc.

when I say "anti-spam", I mean spam from spammers. not spam from your users.
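
Added example, not part of the original thread: a simplified Python model of how Postfix walks its restriction lists (an OK ends only the current list, a REJECT ends the whole evaluation), showing why moving the checks forces the permit_* entries to be repeated. The addresses, domains and table contents are constructed, the shape of allowed_clients.cidr (DUNNO for the filtering service, REJECT for everyone else) is an assumption, and the check_recipient_access tables are left out for brevity.

```python
import ipaddress

# Constructed sample data (assumptions, not taken from the thread).
MYNETWORKS = [ipaddress.ip_network("192.0.2.0/24")]
# Assumed allowed_clients.cidr: filtering service passes on, all others rejected.
ALLOWED_CLIENTS = [(ipaddress.ip_network("198.51.100.0/24"), "DUNNO"),
                   (ipaddress.ip_network("0.0.0.0/0"), "REJECT")]
BLOCKED_SENDERS = {"spammer@example.net": "REJECT"}
LOCAL_DOMAINS = {"example.com"}

def permit_mynetworks(s):
    ip = ipaddress.ip_address(s["client"])
    return "OK" if any(ip in net for net in MYNETWORKS) else "DUNNO"

def permit_sasl_authenticated(s):
    return "OK" if s["sasl"] else "DUNNO"

def reject_unauth_destination(s):
    return "DUNNO" if s["rcpt"].rsplit("@", 1)[1] in LOCAL_DOMAINS else "REJECT"

def check_client_access(s):
    ip = ipaddress.ip_address(s["client"])
    return next((act for net, act in ALLOWED_CLIENTS if ip in net), "DUNNO")

def check_sender_access(s):
    return BLOCKED_SENDERS.get(s["sender"], "DUNNO")

def evaluate(stages, session):
    """Lists run in order; OK skips the rest of one list, REJECT is final."""
    for name, checks in stages:
        for check in checks:
            result = check(session)
            if result == "REJECT":
                return f"REJECT ({name}: {check.__name__})"
            if result == "OK":
                break  # permitted by this list only; the next list still runs
    return "ACCEPT"

PERMITS = [permit_mynetworks, permit_sasl_authenticated]
# Layout recommended in the reply: everything under the recipient list.
SINGLE_LIST = [("recipient", PERMITS + [reject_unauth_destination,
                                        check_client_access, check_sender_access])]
# Checks moved to their "own" lists without repeating the permit_* entries.
SPLIT_NO_PERMITS = [("client", [check_client_access]),
                    ("sender", [check_sender_access]),
                    ("recipient", PERMITS + [reject_unauth_destination])]
# Same split, with the whitelisting repeated in every list.
SPLIT_WITH_PERMITS = [("client", PERMITS + [check_client_access]),
                      ("sender", PERMITS + [check_sender_access]),
                      ("recipient", PERMITS + [reject_unauth_destination])]
```

In this model a host inside mynetworks is accepted by SINGLE_LIST and SPLIT_WITH_PERMITS but rejected by SPLIT_NO_PERMITS, because the client list reaches the REJECT entry before any permit_* is consulted.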