
Comprehension question on smtpd_*_restrictions and access tables

  • Kai Fürstenberg
    Message 1 of 3 , Feb 1, 2007
      Hello,

      I took this from a different thread:

      >> As I understand the documentation, if you set "permit" somewhere in
      >> the restrictions, the mail is accepted. So if you set
      >> smtpd_client_restrictions just to "permit", postfix will accept all
      >> mails, also foreign mail.
      >
      > No, the different smtpd_*_restriction parameters reject based on
      > different pieces of information and a "permit" at any stage just means
      > Postfix allows the client to go on to the next stage.
      >
      > For example, _client_ accepts or rejects based on the client's
      > connection information (IP, hostname, certs, etc.). _sender_ accepts or
      > rejects based on the From: header. _recipients_ accepts or rejects based
      > on the To: header and is what controls whether or not the server acts as
      > an open relay.
      >
      > The restrictions are checked in sequence (client, sender, recipient,
      > in the above example) and a "permit" at each stage just means Postfix
      > allows the client to keep talking to it. E.g. if _client_ is set to
      > permit (which is the default) _sender_ and _recipient_ are still checked.

      I re-read the SMTPD ACCESS README and I understood this (thanks Michael).

      But what about the "OK"-action in access tables? I always heard (and
      read) that, when a restriction receives an OK from an access table, the
      mail is accepted.

      E.G.:
      main.cf:
      smtpd_client_restrictions =
          check_client_access hash:/etc/postfix/access
          reject
      smtpd_recipient_restrictions =
          reject

      /etc/postfix/access:
      10.0.0.1 OK

      When the client 10.0.0.1 connects to Postfix, is he allowed to relay
      mail through postfix, because of the OK in the access table, or does
      this only take effect on smtpd_client_restrictions and the mail will be
      rejected because of the smtpd_recipient_restrictions?

      Kai
    • Noel Jones
      Message 2 of 3 , Feb 1, 2007
        At 06:58 AM 2/1/2007, Kai Fürstenberg wrote:
        >But what about the "OK"-action in access tables? I always heard (and
        >read) that, when a restriction receives an OK from an access table,
        >the mail is accepted.

        The mail skips from that smtpd_*_restrictions section to the next,
        the sections are always evaluated in the order documented regardless
        of the order in main.cf. Within each section, restrictions are
        evaluated in the order listed. The default empty value for
        smtpd_{client, helo, sender, data, end_of_data}_restrictions is
        morally equivalent to "permit". One can put just "permit" in each of
        these sections and have no effect on mail processing.
        The default value for smtpd_recipient_restrictions is
        "permit_mynetworks, reject_unauth_destination" which is what
        prevents one from being an open relay. A bare "permit" is not allowed here.

        Simplification:
        smtpd_recipient_restrictions is for relay control, and optionally for
        UCE controls.
        All the other smtpd_*_restrictions sections are for UCE controls and
        cannot allow relaying.

        >E.G.:
        >main.cf:
        >smtpd_client_restrictions =
        > check_client_access hash:/etc/postfix/access
        > reject
        >smtpd_recipient_restrictions =
        > reject
        >
        >/etc/postfix/access:
        >10.0.0.1 OK
        >
        >When the client 10.0.0.1 connects to Postfix, is he allowed to relay
        >mail through postfix, because of the OK in the access table, or does
        >this only take effect on smtpd_client_restrictions and the mail will
        >be rejected because of the smtpd_recipient_restrictions?

        In the above example, all mail will be rejected because of the
        smtpd_recipient_restrictions settings. EACH smtpd_*_restrictions
        section is evaluated for EVERY message. Each section must evaluate
        to either "permit", "OK", or DUNNO (or no answer) for mail to be accepted.

        --
        Noel Jones
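
The evaluation rules described in the reply above, as a simplified model. This is an added example, not part of the original thread and not Postfix code: the function names, the session fields and the sample recipient and networks are assumptions, and only the restrictions named in the thread are modelled.

```python
# Added illustration: simplified model of smtpd_*_restrictions evaluation.
# All function and field names are hypothetical; this is not Postfix code.
import ipaddress

STAGES = ["client", "helo", "sender", "recipient", "data", "end_of_data"]
# Default recipient section quoted in the thread; other sections default to empty.
DEFAULTS = {"recipient": ["permit_mynetworks", "reject_unauth_destination"]}

def eval_restriction(name, arg, s):
    """Return 'permit', 'reject' or 'dunno' for a single restriction."""
    if name in ("permit", "reject"):
        return name
    if name == "check_client_access":
        action = s["tables"].get(arg, {}).get(s["client_ip"], "DUNNO")
        return {"OK": "permit", "REJECT": "reject"}.get(action, "dunno")
    if name == "permit_mynetworks":
        ip = ipaddress.ip_address(s["client_ip"])
        nets = (ipaddress.ip_network(n) for n in s["mynetworks"])
        return "permit" if any(ip in n for n in nets) else "dunno"
    if name == "reject_unauth_destination":
        domain = s["recipient"].rpartition("@")[2].lower()
        return "dunno" if domain in s["local_domains"] else "reject"
    raise ValueError(f"restriction not modelled: {name}")

def eval_section(restrictions, s):
    """First permit/reject decides the section; an exhausted list permits."""
    for item in restrictions:
        name, _, arg = item.partition(" ")
        result = eval_restriction(name, arg, s)
        if result != "dunno":
            return result
    return "permit"

def eval_message(config, s):
    """Every section runs for every message; one reject rejects the mail."""
    for stage in STAGES:
        section = config.get(stage, DEFAULTS.get(stage, []))
        if eval_section(section, s) == "reject":
            return ("reject", stage)
    return ("accept", None)

# Constructed sample session: 10.0.0.1 is whitelisted only in the client table.
SESSION = {"client_ip": "10.0.0.1", "recipient": "user@elsewhere.example",
           "mynetworks": ["127.0.0.0/8"], "local_domains": {"example.com"},
           "tables": {"hash:/etc/postfix/access": {"10.0.0.1": "OK"}}}
CLIENT = ["check_client_access hash:/etc/postfix/access", "reject"]
KAI = {"client": CLIENT, "recipient": ["reject"]}   # config from the question
STOCK = {"client": CLIENT}                           # default recipient section
```

With both `KAI` and `STOCK`, `eval_message(..., SESSION)` rejects at the recipient stage: the OK from the client table only ends the client section and does not authorize relaying.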
      • Kai Fürstenberg
        Message 3 of 3 , Feb 1, 2007
          Noel Jones wrote:
          > At 06:58 AM 2/1/2007, Kai Fürstenberg wrote:
          >> But what about the "OK"-action in access tables? I always heard (and
          >> read) that, when a restriction receives an OK from an access table,
          >> the mail is accepted.
          >
          > The mail skips from that smtpd_*_restrictions section to the next, the
          > sections are always evaluated in the order documented regardless of the
          > order in main.cf. Within each section, restrictions are evaluated in
          > the order listed. The default empty value for smtpd_{client, helo,
          > sender, data, end_of_data}_restrictions is morally equivalent to
          > "permit". One can put just "permit" in each of these sections and have
          > no effect on mail processing.
          > The default value for smtpd_recipient_restrictions is
          > "permit_mynetworks, reject_unauth_destination" which is what prevents
          > one from being an open relay. A bare "permit" is not allowed here.
          >
          > Simplification:
          > smtpd_recipient_restrictions is for relay control, and optionally for
          > UCE controls.
          > All the other smtpd_*_restrictions sections are for UCE controls and
          > cannot allow relaying.
          >
          >> E.G.:
          >> main.cf:
          >> smtpd_client_restrictions =
          >> check_client_access hash:/etc/postfix/access
          >> reject
          >> smtpd_recipient_restrictions =
          >> reject
          >>
          >> /etc/postfix/access:
          >> 10.0.0.1 OK
          >>
          >> When the client 10.0.0.1 connects to Postfix, is he allowed to relay
          >> mail through postfix, because of the OK in the access table, or does
          >> this only take effect on smtpd_client_restrictions and the mail will
          >> be rejected because of the smtpd_recipient_restrictions?
          >
          > In the above example, all mail will be rejected because of the
          > smtpd_recipient_restrictions settings. EACH smtpd_*_restrictions
          > section is evaluated for EVERY message. Each section must evaluate to
          > either "permit", "OK", or DUNNO (or no answer) for mail to be accepted.
          >

          Thanks for the detailed explanation, Noel. It's clear now.

          Kai