Charles Marcus wrote:
> On 2/13/2009 4:23 PM, mouss wrote:
>>>> smtpd_sender_restrictions =
>>>> check_recipient_access hash:/etc/postfix/moved-employees,
>
>>> Ah! I never even considered I could put check_recipient_access under
>>> smtpd_sender_restrictions... but if I can put check_client_access under
>>> smtpd_recipient_restrictions, why not? :)
>>>
>>> Just to clarify: doing the above keeps me from becoming an open relay if
>>> I typo something in the map, while keeping it under
>>> smtpd_recipient_restrictions leaves me vulnerable to such an error, is
>>> that correct?
>
>> that's the idea. you may decide to replace the hash with a mysql or a
>> pcre that returns OK for any domain.
>>
>> As I said before, this is not a check to fight spammers, but a check you
>> want to apply to all mail.
>
> Right...
>
> One more question... in the above example, you did NOT add redundant
> permit_mynetworks and permit_sasl_authenticated entries above the
> check_recipient_access under smtpd_sender_restrictions... is this not
> necessary? If not, why? Or, when *is* it necessary to add the redundant
> entries?
>
because in your original post, the check in question was before
permit_*, so it doesn't need a permit_* when moved.
and you don't need a permit_* at the end of restrictions, since the
default is "permit".
but if you had
smtpd_recipient_restrictions =
    permit_mynetworks
    check_foo_access $map
and you move the check, then you need to duplicate the permit_mynetworks
too:
smtpd_sender_restrictions =
    permit_mynetworks
    check_foo_access $map
if you don't duplicate permit_mynetworks, then the check would be
executed even if the client is in mynetworks.
all checks in a smtpd_mumble_restrictions are executed, until a "final"
action (typically permit or reject) is encountered.
said otherwise, postfix will run
smtpd_client_restrictions
smtpd_helo_restrictions
smtpd_sender_restrictions
smtpd_recipient_restrictions
in that order. and inside each,
- if it encounters an OK, it will move to the next check
- if it finds a reject, it will reject the transaction.
by default, the action is a permit. this is why
smtpd_client_restrictions =
    permit_mynetworks
is useless, since the default is permit anyway (and saying "allow
mynetworks and allow anybody" has the same result as "allow anybody").
> Sorry for being so dense, just want to make sure I understand this
> correctly...
>
> 'it ain't what you don't know that gets you in trouble, it's what you
> know for sure that just ain't so'
>
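A small model of the evaluation rules mouss describes, added here as an illustration (it is not Postfix code and not from either poster). It walks the four smtpd_*_restrictions lists in order, treats OK/REJECT as final for the list they appear in and an exhausted list as "permit", and compares three layouts of the moved-employees check: the original one under smtpd_recipient_restrictions, the check moved to smtpd_sender_restrictions without permit_mynetworks, and the same with permit_mynetworks duplicated. The access table does exact-key lookups only (real Postfix also tries domain and localpart keys), reject_unauth_destination is reduced to a domain allow-list, the helo and client lists are left empty, and all addresses and networks are constructed.

```python
"""Toy model of Postfix smtpd restriction-list evaluation (added example,
not Postfix code). Each list is walked in order; the first final action
("permit" or "reject") ends that list, and an exhausted list means "permit".
Access tables do exact-key lookups only (an assumption of this model)."""
from ipaddress import ip_address, ip_network

# Order in which Postfix walks the lists (smtpd_delay_reject only changes
# *when* they run, not the order).
STAGES = [
    "smtpd_client_restrictions",
    "smtpd_helo_restrictions",
    "smtpd_sender_restrictions",
    "smtpd_recipient_restrictions",
]

def permit_mynetworks(session, cfg):
    """Final 'permit' for clients inside $mynetworks, otherwise keep going."""
    client = ip_address(session["client_address"])
    if any(client in ip_network(net) for net in cfg["mynetworks"]):
        return "permit"
    return "dunno"

def reject_unauth_destination(session, cfg):
    """Reject recipients in domains this server does not accept mail for."""
    domain = session["recipient"].rpartition("@")[2]
    return "dunno" if domain in cfg["my_domains"] else "reject"

def check_access(key_field, table):
    """check_{sender,recipient}_access over an in-memory table (stand-in for
    hash:/etc/postfix/moved-employees): OK -> permit, REJECT -> reject,
    no entry -> dunno, i.e. fall through to the next restriction."""
    def restriction(session, cfg):
        value = table.get(session[key_field], "").upper()
        if value == "OK":
            return "permit"
        if value.startswith("REJECT"):
            return "reject"
        return "dunno"
    return restriction

def evaluate_list(restrictions, session, cfg):
    for restriction in restrictions:
        action = restriction(session, cfg)
        if action in ("permit", "reject"):  # final action ends this list
            return action
    return "permit"                         # end of list: default is permit

def evaluate(config, session, cfg):
    """Walk all four lists; a reject in any list rejects the transaction."""
    for stage in STAGES:
        if evaluate_list(config.get(stage, []), session, cfg) == "reject":
            return f"reject ({stage})"
    return "accept"

# Constructed data. The table carries the typo the thread worries about: a
# stray "OK" for a recipient in a domain this server does not handle.
MOVED = check_access("recipient", {
    "alice@example.com": "REJECT 551 user has moved",
    "carol@example.net": "OK",   # typo: should never be OK
})
CFG = {"mynetworks": ["127.0.0.0/8", "192.168.1.0/24"],
       "my_domains": ["example.com"]}

# Layout from the original post: the check under smtpd_recipient_restrictions.
ORIGINAL = {"smtpd_recipient_restrictions":
            [permit_mynetworks, MOVED, reject_unauth_destination]}
# Check moved to smtpd_sender_restrictions, permit_mynetworks not duplicated.
MOVED_ONLY = {"smtpd_sender_restrictions": [MOVED],
              "smtpd_recipient_restrictions":
              [permit_mynetworks, reject_unauth_destination]}
# Check moved, with permit_mynetworks duplicated in front of it.
MOVED_WITH_PERMIT = {"smtpd_sender_restrictions": [permit_mynetworks, MOVED],
                     "smtpd_recipient_restrictions":
                     [permit_mynetworks, reject_unauth_destination]}

SESSIONS = {  # constructed sessions: one internal client, one external
    "internal->alice": {"client_address": "192.168.1.10",
                        "sender": "bob@example.com", "recipient": "alice@example.com"},
    "external->alice": {"client_address": "203.0.113.5",
                        "sender": "bob@example.org", "recipient": "alice@example.com"},
    "external->carol": {"client_address": "203.0.113.5",   # relay attempt
                        "sender": "bob@example.org", "recipient": "carol@example.net"},
}

def compare():
    """Outcome of every layout for every session, keyed (layout, session)."""
    layouts = {"original": ORIGINAL, "moved_only": MOVED_ONLY,
               "moved_with_permit": MOVED_WITH_PERMIT}
    return {(lname, sname): evaluate(layout, session, CFG)
            for lname, layout in layouts.items()
            for sname, session in SESSIONS.items()}

if __name__ == "__main__":
    for (layout, session), result in compare().items():
        print(f"{layout:18} {session:16} {result}")
```

Running it shows the two effects discussed above: with the check in smtpd_recipient_restrictions the stray OK ends that list before reject_unauth_destination is reached, so the external relay attempt to carol@example.net is accepted; with the check in smtpd_sender_restrictions the OK only ends the sender list and the recipient list still rejects it. It also shows why permit_mynetworks has to travel with the check: in the moved_only layout an internal client mailing the moved address is rejected in the sender list, while the original and moved_with_permit layouts accept it.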