Kai Fürstenberg wrote:
> Noel Jones schrieb:
>> At 11:53 PM 1/30/2007, Kai Fürstenberg wrote:
>>> I think the problem is the order of the restrictions:
>>> The first is smtpd_client_restrictions. You have set a permit there.
>>> If the client is not rejected in /etc/postfix/access, he will be able
>>> to relay mail and it doesn't matter what you configurered later, just
>>> because of the "permit". The second is smtpd_helo_restrictions, but
>>> you haven't set. Third is smtpd_sender_restriction. You have another
>>> permit here. And last is smtpd_recipient_restrictions. Here you have
>>> reject_unauth_destination which is never reached, because of the
>>> several permits before.
>> Ignore this incorrect advice.
> Please explain.
> As I understand the documentation, if you set "permit" somewhere in the
> restrictions, the mail is accepted. So if you set
> smtpd_client_restrictions just to "permit", postfix will accept all
> mails, also foreign mail.
No, the different smtpd_*_restriction parameters reject based on
different pieces of information and a "permit" at any stage just means
Postfix allows the client to go on to the next stage.
For example, _client_ accepts or rejects based on the client's
connection information (IP, hostname, certs, etc.). _sender_ accepts or
rejects based on the From: header. _recipients_ accepts or rejects based
on the To: header and is what controls whether or not the server acts as
an open relay.
The restrictions are checked in sequence (client, sender, recipient, in
the above example) and a "permit" at each stage just means Postfix
allows the client to keep talking to it. E.g. if _client_ is set to
permit (which is the default) _sender_ and _recipient_ are still checked.