- Charles Marcus wrote:
> Ok, googling didn't reveal the answer, meaning I probably didn't find
do both!
> the right key words... a clue stick with a simple pointer to the
> appropriate docs is fine.
>
> How are restrictions (and other smtpd options) applied when set in
> main.cf and in master.cf? Does one over-ride the other? Are they
> cumulative? When is it better to set these in master for each port as
> opposed to main, and why?
>
> My goal is:
>
> Port 25:
> - Enforce TLS on all inbound connections
> (we only accept connections from our outsourced anti-spam provider
> remotely - and they support tls - and/or from sasl_auth clients locally)
>
> Port 587:
> - Only allow sasl_auth clients to relay
>
> Currently, in master.cf, I have:
>
> smtp       inet  n  -  n  -  -  smtpd
> submission inet  n  -  n  -  -  smtpd
>   -o smtpd_tls_security_level=encrypt
>   -o smtpd_tls_auth_only=yes
> #  -o smtpd_sasl_auth_enable=yes
>   -o smtpd_client_restrictions=permit_sasl_authenticated,reject
>
> and in main.cf I have:
>
> smtpd_recipient_restrictions =
>     permit_sasl_authenticated,
>     check_client_access cidr:/etc/postfix/client_no_relay.cidr,
>     reject_unauth_destination,
>
> If I want to totally separate these and enforce each set of restrictions
> the way I want, should I set each port's restrictions in master.cf and
> remove these from main.cf?
master.cf:
submission ....
  ...
  -o smtpd_client_restrictions=$submission_client_restrictions
  -o smtpd_helo_restrictions=$submission_helo_restrictions
  -o smtpd_sender_restrictions=$submission_sender_restrictions
  -o smtpd_recipient_restrictions=$submission_recipient_restrictions
and in main.cf, define each submission_mumble_restrictions.
The advantage is that you can use spaces in main.cf. Note that in either
case, postconf won't show the values.
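
An added example, not part of the original message: a small Python audit script that computes the per-service view this layout produces, where a master.cf -o setting replaces the main.cf value for that service only. The two sample files are constructed; submission_helo_restrictions is deliberately left undefined, and treating an undefined $name as empty while reporting it is this script's assumption.

```python
import re

# Constructed sample files following the layout suggested in the reply above.
MAIN_CF = """\
smtpd_recipient_restrictions =
    permit_sasl_authenticated,
    check_client_access cidr:/etc/postfix/client_no_relay.cidr,
    reject_unauth_destination
submission_client_restrictions = permit_sasl_authenticated, reject
submission_recipient_restrictions = permit_sasl_authenticated, reject
"""
MASTER_CF = """\
smtp       inet  n  -  n  -  -  smtpd
submission inet  n  -  n  -  -  smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_client_restrictions=$submission_client_restrictions
  -o smtpd_helo_restrictions=$submission_helo_restrictions
  -o smtpd_recipient_restrictions=$submission_recipient_restrictions
"""

def logical_lines(text):
    """Join continuation lines (leading whitespace); drop comments and blanks."""
    out = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and out:
            out[-1] += " " + line.strip()
        else:
            out.append(line.strip())
    return out

def effective(main_text, master_text):
    """Map service name -> (parameters after -o overrides, undefined $names)."""
    main = {k.strip(): " ".join(v.split())
            for k, v in (l.split("=", 1) for l in logical_lines(main_text))}
    result = {}
    for fields in map(str.split, logical_lines(master_text)):
        params, undefined = dict(main), []
        def expand(m):  # $name -> main.cf value; unknown names are recorded
            if m.group(1) not in main:
                undefined.append(m.group(1))
            return main.get(m.group(1), "")
        args = fields[8:]  # the first eight fields describe the service itself
        for opt, val in zip(args, args[1:]):
            if opt == "-o":
                key, _, raw = val.partition("=")
                params[key] = re.sub(r"\$\{?(\w+)\}?", expand, raw)
        result[fields[0]] = (params, undefined)
    return result
```

Calling effective(MAIN_CF, MASTER_CF) returns one entry per service; a non-empty undefined list marks an override whose main.cf definition is missing or misspelled.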