Every discussion I've seen about implementing SPF under postfix 2.1 with
the policy-spf script has suggested adding check_policy_service to the
smtpd_recipient_restrictions group. When I tried this, there was no
indication of policy-spf ever running. When I took a closer look at
main.cf, I realized that all of the rules I am applying to incoming
emails are being specified under smtpd_client_restrictions. Since
adding check_policy_service under this group, it appears that all
incoming messages are being parsed correctly.

So I'm wondering... Would this setup cause any kind of security
problems? Is there any reason why I *shouldn't* run the check from
smtpd_client_restrictions, or is this a valid (alternative) way to
implement it? Does anyone have ideas about why I can't get it to work
from within smtpd_recipient_restrictions?

For reference, my config is as follows:

smtpd_recipient_restrictions =
    permit_sasl_authenticated,
    permit_mynetworks,
    permit_mx_backup,
    check_client_access hash:/etc/postfix/pop-before-smtp,
    reject_unauth_destination

smtpd_client_restrictions =
    permit_mynetworks,
    check_client_access hash:/etc/postfix/pop-before-smtp,
    check_client_access hash:/etc/postfix/whitelist,
    check_recipient_access hash:/etc/postfix/whitelist_recip,
    reject_rbl_client china.blackholes.us,
    reject_rbl_client korea.blackholes.us,
    reject_rbl_client sbl-xbl.spamhaus.org,
    reject_rbl_client list.dsbl.org,
    hash:/etc/postfix/reject_access_map,
    check_policy_service unix:private/policy