
Re: smtpd_sender_restrictions & smtpd_client_restrictions


Ralf Hildebrandt

Oct 21, 2004, 5:25:55 AM
* Paul Puschmann <l...@uzulabs.net>:

> what are smtpd_sender_restrictions & smtpd_client_restrictions used for?

To restrict mail traffic

> I had some problems with outgoing mails (that hang in the queue) and
> noticed that I had some values in these options.

Because you put them there.

> smtpd_sender_restrictions =
> hash:/etc/postfix/access, reject_unknown_recipient_domain
>
> smtpd_client_restrictions =
>
> But /etc/postfix/access is empty and the other entry makes no sense to
> me. What are your recommendations for these settings?

Don't add settings you don't understand

--
Ralf Hildebrandt Ralf.Hil...@charite.de
http://www.arschkrebs.de/postfix/ Tel. +49 (0)30-450 570-155
| <- You must be smarter than this stick to ride the Internet

Paul Puschmann

Oct 21, 2004, 5:46:54 AM
Ralf Hildebrandt wrote:
> * Paul Puschmann <l...@uzulabs.net>:

>>smtpd_sender_restrictions =
>>hash:/etc/postfix/access, reject_unknown_recipient_domain
>>
>>smtpd_client_restrictions =
>>
>>But /etc/postfix/access is empty and the other entry makes no sense to
>>me. What are your recommendations for these settings?
>
> Don't add settings you don't understand
>
That's the reason for my question. ;)

Just give me a hint. Because I don't get clear with the documentation.

Is this option only used for sending from internal to external?

so if I enter in "access" for smtpd_sender_restrictions

10.20.1.1 OK
10.30.1 OK

only these hosts/networks are permitted to send mails (to outside). Right ?

Is there any effect on my amavis?

Paul

Magnus Bäck

Oct 21, 2004, 5:49:47 AM
On Thursday, October 21, 2004 at 11:23 CEST,
Paul Puschmann <l...@uzulabs.net> wrote:

> what are smtpd_sender_restrictions & smtpd_client_restrictions used for?

The first one contains restrictions that are applied after the MAIL FROM
command, and the second contains restrictions that are applied when the
client connects. If smtpd_delay_reject is yes (which is the default),
all actions will be deferred until after RCPT TO.

> I had some problems with outgoing mails (that hang in the queue) and
> noticed that I had some values in these options.

Your logs will tell you what the message is doing in the queue.

> smtpd_sender_restrictions =
> hash:/etc/postfix/access, reject_unknown_recipient_domain
>
> smtpd_client_restrictions =
>
> But /etc/postfix/access is empty and the other entry makes no sense to
> me. What are your recommendations for these settings?

That depends on your needs.

--
Magnus Bäck
mag...@dsek.lth.se

Ralf Hildebrandt

Oct 21, 2004, 5:51:11 AM
* Paul Puschmann <l...@uzulabs.net>:

> Just give me a hint. Because I don't get clear with the documentation.

I use this:
http://www.stahl.bau.tu-bs.de/~hildeb/postfix/postfix_mailhub.shtml
There are some explanations

> Is this option only used for sending from internal to external?

No.



> so if I enter in "access" for smtpd_sender_restrictions
>
> 10.20.1.1 OK
> 10.30.1 OK

It's rather bad style to use:
smtpd_sender_restrictions = hash:/etc/postfix/access
rather use:

smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/access
which means the same, but doesn't use the implicit meaning.

Also, 10.20.1.1 and 10.30.1 are IPs/networks and should go into
check_client_access. They are most likely no sender addresses or parts
thereof.

Why you can't find your system administrators:
(S)he's off running round the building trying to find who has adopted the server's IP address.

Magnus Bäck

Oct 21, 2004, 5:52:34 AM
On Thursday, October 21, 2004 at 11:46 CEST,
Paul Puschmann <l...@uzulabs.net> wrote:

> Ralf Hildebrandt wrote:
>
> > Don't add settings you don't understand
>
> That's the reason for my question. ;)
>
> Just give me a hint. Because I don't get clear with the documentation.
>
> Is this option only used for sending from internal to external?

No. See my previous reply.

> so if I enter in "access" for smtpd_sender_restrictions
>
> 10.20.1.1 OK
> 10.30.1 OK
>
> only these hosts/networks are permitted to send mails (to outside). Right ?

No, but these hosts will be exempted from further restrictions listed in
smtpd_sender_restrictions. To control which hosts have relay access, use
mynetworks.

> Is there any effect on my amavis?

Not in this case, depending on what you mean.

--
Magnus Bäck
mag...@dsek.lth.se

Magnus Bäck

Oct 21, 2004, 5:54:52 AM
On Thursday, October 21, 2004 at 11:52 CEST,
Magnus Bäck <mag...@dsek.lth.se> wrote:

> On Thursday, October 21, 2004 at 11:46 CEST,
> Paul Puschmann <l...@uzulabs.net> wrote:

[...]

> > so if I enter in "access" for smtpd_sender_restrictions
> >
> > 10.20.1.1 OK
> > 10.30.1 OK
> >
> > only these hosts/networks are permitted to send mails (to outside).
> > Right ?
>
> No, but these hosts will be exempted from further restrictions listed in
> smtpd_sender_restrictions.

Indeed, if the access map was used in a check_client_access restriction.
This is not the case here. Listing network addresses in a
check_sender_access restriction lookup table doesn't make sense.

[...]

--
Magnus Bäck
mag...@dsek.lth.se
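
An added example, not part of any poster's message: a small Python check for the two configuration points raised above, a lookup table listed in a restriction list without its `check_*_access` keyword, and IP addresses or networks used as keys in a map meant for sender addresses. The sample `main.cf` text, the `client_access` and `sender_access` file names and all function names are constructed for illustration.

```python
import re

# Constructed sample: the restriction lists quoted in the thread (bare lookup table).
THREAD_MAIN_CF = """\
smtpd_sender_restrictions =
    hash:/etc/postfix/access, reject_unknown_recipient_domain
smtpd_client_restrictions =
"""
# Constructed sample: explicit form. The client_access/sender_access names are assumptions.
EXPLICIT_MAIN_CF = """\
smtpd_client_restrictions = check_client_access hash:/etc/postfix/client_access
smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/sender_access,
    reject_unknown_recipient_domain
"""
# Constructed access map holding the two keys proposed in the thread.
THREAD_ACCESS_MAP = "10.20.1.1 OK\n10.30.1 OK\n"

IP_KEY = re.compile(r"^\d{1,3}(\.\d{1,3}){0,3}$")  # host address or leading-octets network
MAP_TOKEN = re.compile(r"^[a-z0-9_]+:\S+$")        # type:table, e.g. hash:/path


def parse_main_cf(text):
    """Return {parameter: value}; lines starting with whitespace continue the previous one."""
    params, name = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and name:
            params[name] += " " + line.strip()
        else:
            name, _, value = (part.strip() for part in line.partition("="))
            params[name] = value
    return params


def implicit_maps(params):
    """(parameter, table) pairs where a table is not preceded by a check_* keyword."""
    found = []
    for name, value in params.items():
        tokens = value.replace(",", " ").split() if name.endswith("_restrictions") else []
        for prev, tok in zip([""] + tokens, tokens):
            if MAP_TOKEN.match(tok) and not prev.startswith("check_"):
                found.append((name, tok))
    return found


def ip_keys(access_map_text):
    """Keys of an access map that are IP addresses or networks rather than sender addresses."""
    rows = [ln.split() for ln in access_map_text.splitlines()]
    return [r[0] for r in rows if r and not r[0].startswith("#") and IP_KEY.match(r[0])]
```

Run against the thread's settings, `implicit_maps` reports the bare `hash:/etc/postfix/access` entry and `ip_keys` reports both proposed keys, which belong in a map used by `check_client_access`.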

Paul Puschmann

Oct 21, 2004, 5:55:44 AM
Magnus Bäck wrote:
> On Thursday, October 21, 2004 at 11:23 CEST,
> Paul Puschmann <l...@uzulabs.net> wrote:
>
>>I had some problems with outgoing mails (that hang in the queue) and
>>noticed that I had some values in these options.
>
> Your logs will tell you what the message is doing in the queue.
>
>>smtpd_sender_restrictions =
>>hash:/etc/postfix/access, reject_unknown_recipient_domain
>>
>>smtpd_client_restrictions =
>>
>>But /etc/postfix/access is empty and the other entry makes no sense to
>>me. What are your recommendations for these settings?
>
> That depends on your needs.
>
This machine is a mailrelay.
If I let these two options empty
(or set only smtpd_sender_restrictions = reject_unknown_sender_domain)
do I have a security / relay problem ?

Kind regards,

Paul


Magnus Bäck

Oct 21, 2004, 5:57:59 AM
On Thursday, October 21, 2004 at 11:55 CEST,
Paul Puschmann <l...@uzulabs.net> wrote:

> This machine is a mailrelay.
> If I let these two options empty
> (or set only smtpd_sender_restrictions = reject_unknown_sender_domain)
> do I have a security / relay problem ?

No. Relay control takes place in smtpd_recipient_restrictions. Postfix'
default settings are fine with regards to relay control (as long as
mynetworks isn't too permissive).

--
Magnus Bäck
mag...@dsek.lth.se

Paul Puschmann

Oct 21, 2004, 6:22:27 AM
Magnus Bäck wrote:
> On Thursday, October 21, 2004 at 11:55 CEST,
> Paul Puschmann <l...@uzulabs.net> wrote:
>
>>This machine is a mailrelay.
>>If I let these two options empty
>>(or set only smtpd_sender_restrictions = reject_unknown_sender_domain)
>>do I have a security / relay problem ?
>
> No. Relay control takes place in smtpd_recipient_restrictions. Postfix'
> default settings are fine with regards to relay control (as long as
> mynetworks isn't too permissive).
>
Okay.

Thank you for your help.
