On 29/05/2024 01:11, Bill Cole via Postfix-users wrote:
> On 2024-05-28 at 18:50:11 UTC-0400 (Wed, 29 May 2024 00:50:11 +0200)
> John Fawcett via Postfix-users <j...@voipsupport.it>
> is rumored to have said:
>
> [...]
>> Hi John
>>
>> I think you are missing the following in master.cf for the submission
>> service
>>
>> -o smtpd_delay_reject=no
>>
>> Without that the smtpd_client_restrictions will not be evaluated when
>> the client connects and so you will allow the connected client to try
>> authentication.
>
> That is not what is happening here. The order of restrictions within
> the same restriction list matters, and Postfix is careful about logic.
> If you put permit_sasl_authenticated ahead of reject_rbl_client, the
> permit must be able to take effect without evaluating the reject
> condition. That demands allowing as many AUTH commands as your other
> config will allow to fail.

Hi Bill

You're right that the order matters and the reject_rbl_client should be
the first restriction in smtpd_client_restrictions for the submission
service. Actually it is probably the only one that is really needed.

I may be wrong but I don't believe that specifying
permit_sasl_authenticated influences behaviour in allowing AUTH
attempts. I believe it will just evaluate to permitting the access if at
the time of the evaluation the user is authenticated.

John
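
Added example, not written by either poster: a master.cf submission entry that combines the two settings named in the thread, with smtpd_delay_reject=no and reject_rbl_client as the only client restriction. The DNSBL name dnsbl.example.org is a placeholder, the TLS, SASL and relay lines are assumed typical submission settings, and the braces in the -o line assume Postfix 3.0 or later.

```conf
# master.cf -- submission (port 587) service, illustrative only.
# Stock default is smtpd_delay_reject=yes, which postpones evaluation of
# smtpd_client_restrictions until RCPT TO, i.e. after the client has
# already been able to issue AUTH.
submission inet n       -       y       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
# Evaluate the client restrictions as soon as the client connects.
  -o smtpd_delay_reject=no
# DNSBL lookup is the first (and only) client restriction.
# dnsbl.example.org is a placeholder, not a real list.
  -o { smtpd_client_restrictions = reject_rbl_client dnsbl.example.org }
# Relay access is decided separately, after authentication.
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
```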