Loading ...
Sorry, an error occurred while loading the content.

smtpd_relay_restrictions, non-production version

Expand Messages
  • Wietse Venema
    I ve uploaded a non-production release with smtpd_relay_restrictions support. For a preview of the documentation, see:
    Message 1 of 2 , Sep 30, 2012
    • 0 Attachment
      I've uploaded a non-production release with smtpd_relay_restrictions
      support. For a preview of the documentation, see:

      http://www.porcupine.org/postfix-mirror/SMTPD_ACCESS_README.html
      http://www.porcupine.org/postfix-mirror/postconf.5.html#smtpd_relay_restrictions
      http://www.porcupine.org/postfix-mirror/postconf.5.html#smtpd_recipient_restrictions

      This being a critical feature, I have put in multiple safety nets
      to ensure compatibility for sites that upgrade. The text below is
      taken from the RELEASE_NOTES file.

      Once the documentation bugs are fixed, and the safety nets are found
      to work, this should be ready for production use.

      Wietse

      [text from RELEASE_NOTES]

      This version introduces the smtpd_relay_restrictions feature
      for mail relay control. The built-in default value is:

      smtpd_relay_restrictions =
      permit_mynetworks
      permit_sasl_authenticated
      reject_unauth_destination

      With Postfix versions before 2.10, the rules for relay permission
      and spam blocking were often intermingled under
      smtpd_recipient_restrictions, resulting in error-prone configuration.

      As of Postfix 2.10, relay permission rules are preferably implemented
      with smtpd_relay_restrictions, so that a permissive spam blocking
      policy under smtpd_recipient_restrictions will no longer result in
      a permissive mail relay policy.

      As usual, this new feature is introduced with safety nets to prevent
      surprises when a site upgrades from an earlier Postfix release.

      1 - FORWARD COMPATIBILITY SAFETY NET: the Postfix installation
      procedure adds an explicit smtpd_relay_restrictions entry to
      main.cf when there is none:

      smtpd_relay_restrictions =
      permit_mynetworks
      permit_sasl_authenticated
      permit_auth_destination defer

      If your site has a complex mail relay policy under
      smtpd_recipient_restrictions, this safety net will defer mail
      that the built-in smtpd_relay_restrictions setting would bounce.
      To fix, either set smtpd_relay_restrictions empty, or copy the
      relay authorization policy from smtpd_recipient_restrictions.

      Otherwise, setting smtpd_relay_restrictions by hand to the
      default policy will suffice.

      2 - BACKWARDS COMPATIBILITY SAFETY NET: sites that migrate from
      Postfix versions before 2.10 can set smtpd_relay_restrictions
      to the empty value, and use smtpd_recipient_restrictions exactly
      as they used it before.
    • Wietse Venema
      ... I have uploaded postfix-2.10-20121001-nonprod. This updates the remainder of the documentation, and adds a new defer_unauth_destination feature, to
      Message 2 of 2 , Oct 1, 2012
      • 0 Attachment
        Wietse Venema:
        > I've uploaded a non-production release with smtpd_relay_restrictions
        > support. For a preview of the documentation, see:
        >
        > http://www.porcupine.org/postfix-mirror/SMTPD_ACCESS_README.html
        > http://www.porcupine.org/postfix-mirror/postconf.5.html#smtpd_relay_restrictions
        > http://www.porcupine.org/postfix-mirror/postconf.5.html#smtpd_recipient_restrictions
        >
        > This being a critical feature, I have put in multiple safety nets
        > to ensure compatibility for sites that upgrade. The text below is
        > taken from the RELEASE_NOTES file.

        I have uploaded postfix-2.10-20121001-nonprod.

        This updates the remainder of the documentation, and adds a new
        "defer_unauth_destination" feature, to improve the error message
        from the "forward compatibility" safety net.

        Wietse

        [text from RELEASE_NOTES]

        This version introduces the smtpd_relay_restrictions feature
        for mail relay control. The built-in default value is:

        smtpd_relay_restrictions =
        permit_mynetworks
        permit_sasl_authenticated
        reject_unauth_destination

        With Postfix versions before 2.10, the rules for relay permission
        and spam blocking were often intermingled under
        smtpd_recipient_restrictions, resulting in error-prone configuration.

        As of Postfix 2.10, relay permission rules are preferably implemented
        with smtpd_relay_restrictions, so that a permissive spam blocking
        policy under smtpd_recipient_restrictions will no longer result in
        a permissive mail relay policy.

        As usual, this new feature is introduced with safety nets to prevent
        surprises when a site upgrades from an earlier Postfix release.

        1 - FORWARD COMPATIBILITY SAFETY NET: the Postfix installation
        procedure adds an explicit smtpd_relay_restrictions entry to
        main.cf when there is none:

        smtpd_relay_restrictions =
        permit_mynetworks
        permit_sasl_authenticated
        defer_unauth_destination

        If your site has a complex mail relay policy configured under
        smtpd_recipient_restrictions, this safety net will defer mail
        that the built-in smtpd_relay_restrictions setting would bounce.
        To fix, either set smtpd_relay_restrictions empty, or copy the
        relay authorization policy from smtpd_recipient_restrictions
        to smtpd_relay_restrictions.

        Otherwise, setting smtpd_relay_restrictions by hand to the
        default policy will suffice.

        2 - BACKWARDS COMPATIBILITY SAFETY NET: sites that migrate from
        Postfix versions before 2.10 can set smtpd_relay_restrictions
        to the empty value, and use smtpd_recipient_restrictions exactly
        as they used it before.
      Your message has been successfully submitted and would be delivered to recipients shortly.