On Tue, Nov 19, 2019 at 08:21:07AM +0000, Nick wrote:
> > Because Postfix evaluates smtpd_relay_restrictions *after* it checks
> > smtpd_recipient_restrictions.
>
> postconf(5) says the opposite.
>
> smtpd_recipient_restrictions (default: see postconf -d output)
> Optional restrictions that the Postfix SMTP server applies in the
> context of a client RCPT TO command, after smtpd_relay_restrictions.
>
> smtpd_relay_restrictions (default: permit_mynetworks,
> permit_sasl_authenticated, defer_unauth_destination)
> Access restrictions for mail relay control that the Postfix SMTP
> server applies in the context of the RCPT TO command, before
> smtpd_recipient_restrictions.
Sadly, the implementation changed without a documentation update. Perhaps
there were competing interests dependent on the evaluation order, and issuing
better backwards compatibility warnings prevailed? I agree that the documented
order seems more optimal otherwise.
Date: Sat Jan 6 00:00:00 2018 -0500
postfix-3.3-20180106
diff --git a/postfix/src/smtpd/smtpd_check.c
b/postfix/src/smtpd/smtpd_check.c
index e1615223..94e8c018 100644
--- a/postfix/src/smtpd/smtpd_check.c
+++ b/postfix/src/smtpd/smtpd_check.c
@@ -4958,15 +4962,31 @@ char *smtpd_check_rcpt(SMTPD_STATE *state, char
*recipient)
* Apply restrictions in the order as specified. We allow relay
* restrictions to be empty, for sites that require backwards
* compatibility.
+ *
+ * If compatibility_level < 1 and smtpd_relay_restrictions is left at
its
+ * default value, find out if the new smtpd_relay_restrictions default
+ * value would block the request, without logging REJECT messages.
+ * Approach: evaluate fake relay restrictions (permit_mynetworks,
+ * permit_sasl_authenticated, permit_auth_destination) and log a
warning
+ * if the result is DUNNO instead of OK, i.e. a
reject_unauth_destinatin
+ * at the end would have blocked the request.
*/
SMTPD_CHECK_RESET();
- restrctions[0] = relay_restrctions;
- restrctions[1] = rcpt_restrctions;
+ restrctions[0] = rcpt_restrctions;
+ restrctions[1] = warn_compat_break_relay_restrictions ?
+ fake_relay_restrctions : relay_restrctions;
for (n = 0; n < 2; n++) {
status = setjmp(smtpd_check_buf);
if (status == 0 && restrctions[n]->argc)
status = generic_checks(state, restrctions[n],
recipient, SMTPD_NAME_RECIPIENT, CHECK_RECIP_ACL);
+ if (n == 1 && warn_compat_break_relay_restrictions
+ && status == SMTPD_CHECK_DUNNO) {
+ msg_info("using backwards-compatible default setting \""
+ VAR_RELAY_CHECKS " = (empty)\" to avoid \"Relay "
+ "access denied\" error for recipient \"%s\" from "
+ "client \"%s\"", state->recipient, state->namaddr);
+ }
if (status == SMTPD_CHECK_REJECT)
break;
}
> If possible, when my server receives an unwanted relay attempt I would
> prefer it did not make pointless queries to third parties. Can that
> be accomplished?
You can add "reject_unauth_destination" (possibly preceded by
permit_mynetworks) also near the top of the recipient restrictions.
--
Viktor.
