
Difference between smtpd_client_restrictions and smtpd_recipient_restrictions


gaby

Jul 22, 2011, 2:04:37 PM
Hi
  I don't understand what the difference is between smtpd_client_restrictions and smtpd_recipient_restrictions?
 
Thanks

Reindl Harald

Jul 22, 2011, 2:16:00 PM

On 22.07.2011 20:04, gaby wrote:

> I don't understand what the difference is between smtpd_client_restrictions
> and smtpd_recipient_restrictions?

the time when they are processed

for a reject because of "smtpd_client_restrictions" you need not
wait for RCPT TO, but you are well advised to do this and
put all restrictions in "smtpd_recipient_restrictions" as long as
you have no really good reason not to do so

analyzing logfiles is boring without full sender / rcpt


Victor Duchovni

Jul 22, 2011, 2:23:16 PM
On Fri, Jul 22, 2011 at 09:04:37PM +0300, gaby wrote:

> I don't understand what the difference is between smtpd_client_restrictions and smtpd_recipient_restrictions?

Postfix has 6 top-level restriction lists:

    smtpd_client_restrictions
    smtpd_helo_restrictions
    smtpd_sender_restrictions
    smtpd_recipient_restrictions
    smtpd_data_restrictions
    smtpd_end_of_data_restrictions

They are almost identical.

- A message is rejected if any restriction list rejects the message,
  otherwise it is accepted.

- By default the first 4 lists are applied serially for each
  "RCPT TO" command.

- The "data" restrictions are applied at the "DATA" command, and
  don't have access to the recipient address when the message has
  more than 1 recipient.

- The "end_of_data" restrictions are applied at ".", and can provide
  the actual message size to a policy service.

- To thwart most accidental open-relay configurations,
  the recipient restrictions MUST contain an element that
  rejects by default, that is one of:

    reject_unauth_destination, reject, defer

  This is not required for the other lists.

Otherwise you get four or so ways to filter the message envelope. Many
sites just use the recipient restrictions and leave all the rest empty.

Because an "OK" result from any restriction element terminates a given
restriction list, but still continues to the next list, in some
configurations, you get more expressive rules by using more than
one list.

--
Viktor.

em...@apartmentsapart.com

May 31, 2013, 8:26:40 AM
Hi,

I have a problem with securing the server for one use case.
I have a mail server with the virtual domain example.com configured.

When I send a message to my own domain name via my own server, it goes through without authentication.
Example:

telnet mail.example.com 25
ehlo mail.example.com
mail from:te...@example.com
rcpt to:te...@example.com
data
test
.

It goes through without any authentication. I am getting a lot of spam sent by my own server to myself. How should I configure
smtpd_client_restrictions
smtpd_helo_restrictions
smtpd_sender_restrictions
smtpd_recipient_restrictions

My current configuration (which is wrong) is:

smtpd_recipient_restrictions = permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    reject_invalid_hostname,
    reject_unknown_recipient_domain,
    reject_unauth_pipelining,
    reject_rbl_client bl.spamcop.net,
    reject_rbl_client sbl-xbl.spamhaus.org

Could you please advise?
Thank you
EM
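
A simplified Python model of the evaluation order Viktor describes, applied to the first three elements of the recipient list in the last post (an added example, not part of the thread and not Postfix code). The addresses, IPs and the `reject_local_sender` stand-in for a `check_sender_access` table are constructed for illustration; the hostname and RBL checks are left out.

```python
OK, REJECT, DUNNO = "OK", "REJECT", "DUNNO"
LOCAL_DOMAINS = {"example.com"}   # constructed: domains hosted on this server
MYNETWORKS = {"127.0.0.1"}        # constructed: trusted client addresses

def domain(addr):
    return addr.rsplit("@", 1)[1].lower()

def permit_mynetworks(s):
    return OK if s["client"] in MYNETWORKS else DUNNO

def permit_sasl_authenticated(s):
    return OK if s["sasl_user"] else DUNNO

def reject_unauth_destination(s):
    # No opinion on mail for hosted domains; reject relaying anywhere else.
    return DUNNO if domain(s["rcpt"]) in LOCAL_DOMAINS else REJECT

def reject_local_sender(s):
    # Hypothetical stand-in for a check_sender_access table: own domain -> REJECT.
    return REJECT if domain(s["sender"]) in LOCAL_DOMAINS else DUNNO

def evaluate(lists, session):
    """Run each list in order at RCPT TO; return (verdict, deciding element)."""
    for name, elements in lists:
        for element in elements:
            result = element(session)
            if result == REJECT:
                return REJECT, f"{name}:{element.__name__}"
            if result == OK:
                break  # OK ends this list only; later lists still run
    return OK, None  # no list rejected, so the recipient is accepted

RECIPIENT_ONLY = [("recipient", [permit_mynetworks, permit_sasl_authenticated,
                                 reject_unauth_destination])]
WITH_SENDER_LIST = [("sender", [permit_mynetworks, permit_sasl_authenticated,
                                reject_local_sender])] + RECIPIENT_ONLY

def session(client, sender, rcpt, sasl_user=None):
    return {"client": client, "sender": sender, "rcpt": rcpt, "sasl_user": sasl_user}

# Constructed sessions: an outside, unauthenticated client claiming a local
# sender, and the same client trying to relay to a foreign domain.
SPOOFED = session("192.0.2.10", "user@example.com", "user@example.com")
RELAY = session("192.0.2.10", "a@example.org", "b@example.net")

if __name__ == "__main__":
    for label, lists in (("recipient only", RECIPIENT_ONLY),
                         ("with sender list", WITH_SENDER_LIST)):
        print(label, evaluate(lists, SPOOFED), evaluate(lists, RELAY))
```

Rejecting local-domain senders from outside clients also blocks forwarders and mailing lists that resend mail with the original envelope sender, so check the logs for such senders before enabling a rule like this.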