I would like to confirm my understanding about access files. Please let me know if any of this is not correct...
The man (5) access description describes a prototype file, where that file could be a single file describing any host names, network addresses, envelope senders or recipient addresses. The file could also be a set of files all following the same format rules. Such files might be recipient_checks, helo_checks, sender_checks, client_checks, etc.

The usefulness of the content of an access file is dependent upon the parameter that selects a routine that reads the file.

If check_client_access causes a read of the file it will only be looking for IP addresses of a client server that sent the email or a fully qualified domain name that successfully reverse maps to the IP address of a client server that sent the email.

If check_sender_access causes a read of the file it will only be looking for an email SMTP "MAIL FROM" address or a pattern which could be a part of that email address to the left of the "@" sign.

If check_helo_access causes a read of the file it will only be looking for the HELO or EHLO hostname or any valid parent domain of that hostname that is in the SMTP HELO.

The routines executed via the parameters such as check_client_access, check_sender_access, check_helo_access, etc. return the value of the check to the routine that called for the check, where the calling routine would be instigated by any of these parameters:

    smtpd_client_restrictions
    smtpd_helo_restrictions
    smtpd_sender_restrictions
    smtpd_recipient_restrictions
    smtpd_data_restrictions

It is possible to have all the lookups done on a single .../postfix/access.db file but that could mean the file gets confusing so in practice multiple access files with names like client_access, helo_access, sender_access, etc.
A single parameter such as check_client_access may be called multiple times in a situation like this:

    smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/greylist check_sender_access hash:/etc/postfix/sender_access permit_mynetworks

However if the above causes a pattern to be found more than once then only the last pattern match is used. (I think that is what "When the same parameter is defined multiple times, only the last instance is remembered." means.)

This is how I am putting this in practice on a new virtual server where I hope to fix some problems on current production servers:

    r...@mg0x:/etc/postfix# postconf -d mail_version
    mail_version = 2.5.5

I am using 2.5.5 because that is the latest from Ubuntu.

    r...@mg0x:/etc/postfix# postconf -n
    alias_database = hash:/etc/aliases
    alias_maps = hash:/etc/aliases
    append_dot_mydomain = yes
    biff = no
    bounce_size_limit = 1
    config_directory = /etc/postfix
    default_process_limit = 400
    header_checks = regexp:/etc/postfix/header_checks
    inet_interfaces = all
    mailbox_size_limit = 0
    masquerade_domains = $mydomain, cnm.edu, nmvc.org, nmvirtualcollege.org
    max_use = 100
    message_size_limit = 16777216
    mydestination = $myhostname, $mydomain, localhost.localdomain, cnm.edu, mail.cnm.edu, mg0x.cnm.edu, mg04.cnm.edu, mg05.cnm.edu, nmvc.org, mail.nmvc.org, mg0x.nmvc.org, mg04.nmvc.org, mg05.nmvc.org, mg06.nmvc, nmvirtualcollege.org, mail.nmvirtualcollege.org, mg0x.nmvirtualcollege.org, mg04.nmvirtualcollege.org, mg05.nmvirtualcollege.org, mg04.nmvirtualcollege.org, nmln.net, ideal-nm.org, ideal-nm.net, idealnm.org, idealnm.net
    myhostname = mg0x.cnm.edu
    mynetworks = 198.133.182.0/24, 198.133.181.0/24, 198.133.180.0/24, 172.16.0.0/12, 192.168.0.0/16, 10.0.0.0/8, 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
    myorigin = /etc/mailname
    notify_classes = resource, software
    readme_directory = no
    recipient_delimiter = +
    relay_domains = $mydestination
    relayhost =
    smtp_host_lookup = dns, native
    smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
    smtpd_banner = cnm.edu
    smtpd_client_restrictions = permit_mynetworks check_client_access hash:/etc/postfix/access reject_rbl_client zen.spamhaus.org reject_rbl_client bl.spamcop.net reject_rbl_client dnsbl.njabl.org permit
    smtpd_helo_required = yes
    smtpd_helo_restrictions = permit_mynetworks reject_invalid_hostname
    smtpd_recipient_restrictions = check_recipient_access hash:/etc/postfix/overquota reject_non_fqdn_sender reject_unknown_sender_domain reject_non_fqdn_recipient reject_unknown_recipient_domain reject_unlisted_recipient permit_mynetworks reject_unauth_destination reject_unauth_pipeliningreject_invalid_helo_hostname reject_non_fqdn_helo_hostname reject_rbl_client zen.spamhaus.org
    smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/greylist check_sender_access hash:/etc/postfix/sender_access permit_mynetworks reject_unknown_sender_domain
    smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
    smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
    smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
    smtpd_use_tls = yes
    virtual_alias_maps = hash:/etc/postfix/virtualaliases

-- 
Robert Lopez
Unix Systems Administrator
Central New Mexico Community College (CNM)
525 Buena Vista SE
Albuquerque, New Mexico 87106
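
Added example, not part of the original post and not Postfix source code: a simplified model of how the same access(5) table is searched with different keys depending on whether check_client_access, check_helo_access or check_sender_access reads it. The function names and the sample tables are constructed for illustration, and parent-domain matching assumes smtpd_access_maps is listed in parent_domain_matches_subdomains (the default).

```python
# Simplified model of access(5) lookup keys (assumption-laden sketch).
# Not modelled: address extensions, IPv6, the null sender.

def domain_keys(name):
    """The name itself, then each parent domain, most specific first."""
    labels = name.lower().rstrip(".").split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]

def ipv4_keys(addr):
    """Full address, then subnets found by dropping the last octet."""
    octets = addr.split(".")
    return [".".join(octets[:n]) for n in range(4, 0, -1)]

def lookup_keys(check, *, client_name=None, client_addr=None,
                helo=None, sender=None):
    """Keys tried, in order, for one check_*_access restriction."""
    if check == "check_client_access":
        # Verified client hostname first, then the client IP address.
        keys = domain_keys(client_name) if client_name else []
        return keys + ipv4_keys(client_addr)
    if check == "check_helo_access":
        return domain_keys(helo)
    if check == "check_sender_access":
        local, _, domain = sender.lower().rpartition("@")
        # user@domain, then domain and its parents, then user@
        return [f"{local}@{domain}"] + domain_keys(domain) + [f"{local}@"]
    raise ValueError(f"unsupported check: {check}")

def access_lookup(table, check, **attrs):
    """Return (matched_key, action) for the first key present, else None."""
    for key in lookup_keys(check, **attrs):
        if key in table:
            return key, table[key]
    return None

# Constructed sample tables (documentation addresses and domains only).
CLIENT_ACCESS = {"192.0.2": "REJECT", "mail.example.org": "OK"}
SENDER_ACCESS = {"example.net": "REJECT", "postmaster@": "OK"}

if __name__ == "__main__":
    print(access_lookup(CLIENT_ACCESS, "check_client_access",
                        client_name=None, client_addr="192.0.2.10"))
    print(access_lookup(SENDER_ACCESS, "check_sender_access",
                        sender="postmaster@example.net"))
```

In this model a "postmaster@" entry can only ever match under check_sender_access, while an "example.net" entry matches under the sender and HELO checks alike, which is one reason for keeping a separate table per check.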