spf-discuss

smtpd_recipient/client_restrictions

2004-05-21 10:37:17
Every discussion I've seen about implementing SPF under postfix 2.1 with the policy-spf script has suggested adding check_policy_service to the smtpd_recipient_restrictions group. When I tried this, there was no indication of policy-spf ever running. When I took a closer look at main.cf, I realized that all of the rules I am applying to incoming emails are being specified under smtpd_client_restrictions. Since adding check_policy_service under this group, it appears that all incoming messages are being parsed correctly.

So I'm wondering... Would this setup cause any kind of security problems? Is there any reason why I *shouldn't* run the check from smtpd_client_restrictions, or is this a valid (alternative) way to implement it? Does anyone have ideas about why I can't get it to work from within smtpd_recipient_restrictions?


For reference, my config is as follows:

smtpd_recipient_restrictions =
        permit_sasl_authenticated,
        permit_mynetworks,
        permit_mx_backup,
        check_client_access hash:/etc/postfix/pop-before-smtp,
        reject_unauth_destination

smtpd_client_restrictions =
        permit_mynetworks,
        check_client_access hash:/etc/postfix/pop-before-smtp,
        check_client_access hash:/etc/postfix/whitelist,
        check_recipient_access hash:/etc/postfix/whitelist_recip,
        reject_rbl_client china.blackholes.us,
        reject_rbl_client korea.blackholes.us,
        reject_rbl_client sbl-xbl.spamhaus.org,
        reject_rbl_client list.dsbl.org,
        hash:/etc/postfix/reject_access_map,
        check_policy_service unix:private/policy
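
An added example, not part of the original post or of the policy-spf project: a small Python check that finds check_policy_service in each smtpd_*_restrictions list and reports which permit_* entries come before it, and whether it sits ahead of reject_unauth_destination in the recipient list (Postfix's SMTPD_POLICY_README says to place it after that entry). The sample main.cf text and the function names are constructed for illustration, and comma-separated entries are assumed.

```python
import re

# Constructed main.cf fragment (not the poster's file) with both placements.
SAMPLE = """\
smtpd_recipient_restrictions =
        permit_sasl_authenticated,
        permit_mynetworks,
        check_policy_service unix:private/policy,
        reject_unauth_destination
smtpd_client_restrictions =
        permit_mynetworks,
        check_policy_service unix:private/policy
"""

def parse_restrictions(text):
    """Return {parameter: [restriction, ...]}; assumes comma-separated entries."""
    logical, params = [], {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue                                 # blank or comment line
        if line[0].isspace() and logical:
            logical[-1] += " " + line.strip()        # continuation line
        else:
            logical.append(line.strip())
    for entry in logical:
        name, _, value = entry.partition("=")
        if re.fullmatch(r"smtpd_\w+_restrictions", name.strip()):
            params[name.strip()] = [r.strip() for r in value.split(",") if r.strip()]
    return params

def audit_policy_placement(params):
    """For each list holding check_policy_service, report what precedes it."""
    report = {}
    for name, items in params.items():
        idx = next((i for i, r in enumerate(items)
                    if r.startswith("check_policy_service")), None)
        if idx is not None:
            before = items[:idx]
            report[name] = {
                # permit_* entries end this list early for clients they match
                "skipped_for": [r for r in before if r.startswith("permit_")],
                # policy check placed ahead of the relay check in the RCPT list
                "before_relay_check": name == "smtpd_recipient_restrictions"
                and "reject_unauth_destination" not in before,
            }
    return report

if __name__ == "__main__":
    print(audit_policy_placement(parse_restrictions(SAMPLE)))
```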