Charles Marcus wrote:
> On 2/13/2009 4:23 PM, mouss wrote:
>>>> smtpd_sender_restrictions =
>>>> check_recipient_access hash:/etc/postfix/moved-employees,
>
>>> Ah! I never even considered I could put check_recipient_access under
>>> smtpd_sender_restrictions... but if I can put check_client_access under
>>> smtpd_recipient_restrictions, why not? :)
>>>
>>> Just to clarify: doing the above keeps me from becoming an open relay if
>>> I typo something in the map, while keeping it under
>>> smtpd_recipient_restrictions leaves me vulnerable to such an error, is
>>> that correct?
>
>> that's the idea. you may decide to replace the hash with a mysql or a
>> pcre that returns OK for any domain.
>>
>> As I said before, this is not a check to fight spammers, but a check you
>> want to apply to all mail.
>
> Right...
>
> One more question... in the above example, you did NOT add redundant
> permit_mynetworks and permit_sasl_authenticated entries above the
> check_recipient_access under smtpd_sender_restrictions... is this not
> necessary? If not, why? Or, when *is* it necessary to add the redundant
> entries?
>
because in your original post, the check in question was before permit_*,
so it doesn't need a permit_* when moved. and you don't need a permit_* at
the end of restrictions, since the default is "permit".

but if you had

    smtpd_recipient_restrictions =
        permit_mynetworks
        check_foo_access $map

and you move the check, then you need to duplicate the permit_mynetworks
too:

    smtpd_sender_restrictions =
        permit_mynetworks
        check_foo_access $map

if you don't duplicate permit_mynetworks, then the check would be executed
even if the client is in mynetworks.

all checks in a smtpd_mumble_restrictions are executed, until a "final"
action (typically permit or reject) is encountered. said otherwise, postfix
will run

    smtpd_client_restrictions
    smtpd_helo_restrictions
    smtpd_sender_restrictions
    smtpd_recipient_restrictions

in that order. and inside each,
- if it encounters an OK, it will move to the next check
- if it finds a reject, it will reject the transaction.

by default, the action is a permit. this is why

    smtpd_client_restrictions = permit_mynetworks

is useless, since the default is permit anyway (and saying "allow
mynetworks and allow anybody" has the same result as "allow anybody").

> Sorry for being so dense, just want to make sure I understand this
> correctly...
>
> 'it ain't what you don't know that gets you in trouble, it's what you
> know for sure that just ain't so'
>
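As an added example (not part of this thread and not Postfix code), the following Python model walks restriction lists the way the reply describes and shows both points at once: an over-broad OK in the access map opens relay when the map sits in smtpd_recipient_restrictions but not in smtpd_sender_restrictions, and permit_mynetworks must be duplicated when the check moves. The hosts, domains and map entries are constructed sample values, and the lookup order of check_recipient_access is simplified.

```python
# Toy model of how Postfix walks its smtpd_*_restrictions lists, following the
# rules in the reply above: OK ends the current list, REJECT ends the session,
# and an exhausted list falls through to the default "permit".
MYNETWORKS = {"192.0.2.10"}      # constructed sample values
MY_DOMAINS = {"example.com"}     # domains this server accepts mail for
# Access map with one intended entry and one constructed mistake: the stray
# "example.net OK" line matches every recipient in a domain we do not host.
MOVED_EMPLOYEES = {
    "alice@example.com": "REJECT alice has left the company",
    "example.net": "OK",
}

def check_recipient_access(session):
    rcpt = session["rcpt"]
    domain = rcpt.split("@", 1)[1]
    # Simplified lookup order: user@domain first, then the bare domain.
    return MOVED_EMPLOYEES.get(rcpt) or MOVED_EMPLOYEES.get(domain)

def permit_mynetworks(session):
    return "OK" if session["client"] in MYNETWORKS else None

def reject_unauth_destination(session):
    domain = session["rcpt"].split("@", 1)[1]
    return None if domain in MY_DOMAINS else "REJECT Relay access denied"

def run_list(restrictions, session):
    """One smtpd_*_restrictions list: the first OK or REJECT ends it."""
    for check in restrictions:
        result = check(session)
        if result is not None:       # None plays the role of DUNNO
            return result
    return "OK"                      # default action is permit

def smtpd_decision(lists, client, rcpt):
    """Walk client, helo, sender, recipient lists in order; first REJECT wins."""
    session = {"client": client, "rcpt": rcpt}
    for restrictions in lists:
        result = run_list(restrictions, session)
        if result.startswith("REJECT"):
            return result
    return "OK"

# Lists are [client, helo, sender, recipient]. RISKY: map ahead of
# reject_unauth_destination, so an OK ends the list before relay control runs.
RISKY = [[], [], [], [permit_mynetworks, check_recipient_access, reject_unauth_destination]]
# SAFER: map moved to sender restrictions with permit_mynetworks duplicated;
# an OK there only ends that list and recipient restrictions still run.
SAFER = [[], [], [permit_mynetworks, check_recipient_access],
         [permit_mynetworks, reject_unauth_destination]]
# NO_PERMIT: same move without the duplicate, so mynetworks clients hit the map too.
NO_PERMIT = [[], [], [check_recipient_access], [permit_mynetworks, reject_unauth_destination]]
```

Running smtpd_decision over the three layouts with an outside client (203.0.113.5) and a mynetworks client reproduces the thread's reasoning: only RISKY relays to bob@example.net, and only NO_PERMIT rejects the local client's mail to alice.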