spf-discuss

Re: smtpd_recipient/client_restrictions

2004-05-22 03:28:33
On Fri, May 21, 2004 at 11:37:17AM -0600, Jeff Taylor wrote:

> So I'm wondering... Would this setup cause any kind of security 
> problems?  Is there any reason why I *shouldn't* run the check from 
> smtpd_client_restrictions, or is this a valid (alternative) way to 
> implement it?  Does anyone have ideas about why I can't get it to work 
> from within smtpd_recipient_restrictions?

Sometimes it is difficult to understand what's happening.  To make
it easy to explain, people on the postfix list tell you to put all
of your restrictions in one tree, the smtpd_recipient_restrictions
list.  This way, all restrictions happen in the order you specify.

Is this a MUST?  No.  OTOH _you_ are specifying pop-before-smtp
twice whereas one time would be sufficient.

> For reference, my config is as follows:
> 
> smtpd_recipient_restrictions =
>          permit_sasl_authenticated,
>          permit_mynetworks,
>          permit_mx_backup,
>          check_client_access hash:/etc/postfix/pop-before-smtp,
>          reject_unauth_destination

Not SPF related but I think you need to move permit_mx_backup below
reject_unauth_destination.  I am not sure, which is the reason why
I would put it there.

SPF related note: if SPF said "no" then this restriction will not
be reached.  If SPF said "yes" then this restriction _is_ used.

Restrictions are done in the same order as RFC821.  A permit in
smtpd_client_restrictions will stop processing _that_ tree. The
client is accepted.  It will _not_ prevent further trees such as
the smtpd_recipient_restrictions.

The other way around: smtpd_recipient_restrictions can result in
a reject even if smtpd_client_restrictions said the client is OK.

> smtpd_client_restrictions =
>          permit_mynetworks,
>          check_client_access hash:/etc/postfix/pop-before-smtp,
>          check_client_access hash:/etc/postfix/whitelist,
>          check_recipient_access hash:/etc/postfix/whitelist_recip,
>          reject_rbl_client china.blackholes.us,
>          reject_rbl_client korea.blackholes.us,
>          reject_rbl_client sbl-xbl.spamhaus.org,
>          reject_rbl_client list.dsbl.org,
>          hash:/etc/postfix/reject_access_map,
>          check_policy_service unix:private/policy

implicit allow?  Could be, dunno.

HTH
Alex
-- 
I ask you to respect any "Reply-To" and "Mail-Follow-Up" headers.  If
you reply to me off-list, you'd better tell me you're doing so.  If
you don't, and if I reply to the list, that's your problem, not mine.
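As an added illustration of the evaluation order Alex describes (a permit ends only the list it sits in, a reject ends everything, a list that falls through hands over to the next one), here is a small Python model of Postfix walking smtpd_client_restrictions and then smtpd_recipient_restrictions. This is example code, not anything from the thread or from Postfix itself; the client addresses, access-map contents and relay domain are constructed.

```python
PERMIT, REJECT, DUNNO = "permit", "reject", "dunno"

def verdict(restriction, s):
    """One restriction's answer for a constructed session dict s."""
    name, _, arg = restriction.partition(" ")
    if name == "permit_mynetworks":
        return PERMIT if s["in_mynetworks"] else DUNNO
    if name == "permit_sasl_authenticated":
        return PERMIT if s["sasl"] else DUNNO
    if name == "reject_unauth_destination":
        return DUNNO if s["rcpt_domain"] in s["relay_domains"] else REJECT
    if name == "reject_rbl_client":
        return REJECT if arg in s["rbl_hits"] else DUNNO
    if name == "check_client_access":
        return s["maps"].get(arg, {}).get(s["client"], DUNNO)
    return DUNNO  # anything unmodelled (e.g. a policy service) makes no decision

def evaluate(trees, s):
    """Walk the lists in SMTP order; return (verdict, list name, restriction)."""
    for tree, restrictions in trees:
        for r in restrictions:
            v = verdict(r, s)
            if v == REJECT:
                return REJECT, tree, r  # a reject ends evaluation outright
            if v == PERMIT:
                break                   # a permit ends only this list
    return PERMIT, "end of lists", "implicit permit"  # every list fell through

TREES = [  # patterned on the quoted config; map names stand in for hash: tables
    ("smtpd_client_restrictions", ["permit_mynetworks", "check_client_access pop-before-smtp",
        "check_client_access whitelist", "reject_rbl_client sbl-xbl.spamhaus.org"]),
    ("smtpd_recipient_restrictions", ["permit_sasl_authenticated", "permit_mynetworks",
        "check_client_access pop-before-smtp", "reject_unauth_destination"]),
]

def session(client, **facts):
    """Constructed session: the maps hold the OK entries, we relay only for example.com."""
    return {"client": client, "in_mynetworks": False, "sasl": False, "rbl_hits": set(),
            "rcpt_domain": "other.example", "relay_domains": {"example.com"},
            "maps": {"pop-before-smtp": {"10.1.1.5": PERMIT},
                     "whitelist": {"198.51.100.7": PERMIT}}, **facts}

def whitelisted_client_relaying():
    """Permitted by smtpd_client_restrictions, still rejected by the recipient list."""
    return evaluate(TREES, session("198.51.100.7"))

def pop_client_on_rbl():
    """The pop-before-smtp permit stops the client list before the RBL check runs."""
    return evaluate(TREES, session("10.1.1.5", rbl_hits={"sbl-xbl.spamhaus.org"}))
```

The first scenario is Alex's "other way around" case: the whitelist entry permits the client in the first list, and reject_unauth_destination in the second list still refuses the relay attempt.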