On Sat, Apr 30, 2022 at 01:11:05AM -0400, Viktor Dukhovni <postfix-us...@dukhovni.org> wrote:
> On Sat, Apr 30, 2022 at 10:28:06AM +1000, raf wrote:
>
> > > .domain.tld
> > >
> > > Matches subdomains of domain.tld, but only when the
> > > string smtpd_access_maps is not listed in the Postfix
> > > parent_domain_matches_subdomains configuration setting.
> >
> > The .domain.tld notation only covers a single level of
> > subdomain,
>
> This is false. With non-regexp access(5) tables, each level of the
> domain hierarchy is tried in turn, all the way up to the TLD.

Thanks for the correction. Multiple lookups is much easier
than what I thought was needed.

That's not at all how I interpreted access(5). When
describing lookup order, it mentions domain.tld matching
subdomains (when smtpd_access_maps is in
parent_domain_matches_subdomains), but I've always
understood the term "subdomains" (in other contexts) to
only refer to a single level.

Multiple lookups is documented visually in the case of
network addresses (in HOST NAME/ADDRESS PATTERNS), where
it says:

    net.work.addr.ess
    net.work.addr
    net.work
    net

    net:work:addr:ess
    net:work:addr
    net:work
    net

Perhaps the domain version could be expanded from:

    domain.tld

to:

    sub.domain.tld
    domain.tld
    tld

That would make it clear that there are multiple lookups
happening on domain names at all levels.

Although it would have to somehow be made clear that those
multiple lookups don't apply to regexp-based access tables.
It's tricky to express all that. Although the existing
description in "REGULAR EXPRESSION TABLES" would probably
cover it, as it says "Thus, no parent domain or parent
network search is done...".

Currently, I think that sentence is the only indication
that there are multiple domain lookups in non-regexp access
tables. That fact could be made more prominent.

> If "parent_domain_matches_subdomains" includes "smtpd_access_maps",
> then the parent domain keys are "dotless", otherwise all parent
> domain lookup keys start with a leading ".".

Ah yes, and access(5) says .domain.tld only matches
subdomains when smtpd_access_maps is not in
parent_domain_matches_subdomains, but it is there by
default, so ".domain.tld" wouldn't work at all. It needs to
be "domain.tld".

So, the rbl_override file only needs:

    siriusxm.com OK

or maybe:

    e.siriusxm.com OK

If all the good mail to be accepted only comes from that
subdomain.

> --
> Viktor.

cheers,
raf
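
Added example (not part of the original message and not Postfix code): a small Python model of the lookup order discussed above for non-regexp access(5) tables, showing why a dotted key never matches under the default setting. The function names and the host name mail.e.siriusxm.com are constructed for illustration.

```python
# Model of the host name lookup order described in this thread for
# non-regexp access(5) tables. Illustration only, not Postfix source.

def access_lookup_keys(hostname, parent_matches_subdomains=True):
    """Return the keys tried, in order, for one host name.

    parent_matches_subdomains=True models smtpd_access_maps being listed
    in parent_domain_matches_subdomains (the default, per the thread):
    parent keys are "dotless". False models it being absent: every
    parent key starts with a leading ".".
    """
    labels = hostname.lower().rstrip(".").split(".")
    keys = [".".join(labels)]                  # exact name is tried first
    for i in range(1, len(labels)):            # then each parent, up to the TLD
        parent = ".".join(labels[i:])
        keys.append(parent if parent_matches_subdomains else "." + parent)
    return keys


def check_access(table, hostname, parent_matches_subdomains=True):
    """Return (matching_key, action) for the first key found, else None."""
    for key in access_lookup_keys(hostname, parent_matches_subdomains):
        if key in table:
            return key, table[key]
    return None


# Constructed sample tables, mirroring the rbl_override entries above.
DOTLESS = {"siriusxm.com": "OK"}
DOTTED = {".siriusxm.com": "OK"}
NARROW = {"e.siriusxm.com": "OK"}

if __name__ == "__main__":
    host = "mail.e.siriusxm.com"               # constructed client host name
    for style in (True, False):
        print("parent style" if style else "dot style",
              access_lookup_keys(host, style))
    for name, table in (("dotless", DOTLESS), ("dotted", DOTTED),
                        ("narrow", NARROW)):
        print(name, "default:", check_access(table, host),
              "| dot style:", check_access(table, host, False))
```

On a real system, `postmap -q` tests only the single key it is given, so each key in the printed list has to be queried separately to reproduce the search.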