Re: 2.2.8 + amavisd + postgrey

From: Victor Duchovni (Victor.DuchovniMorganStanley.com)
Date: Mon Feb 06 2006 - 11:06:05 CST


On Mon, Feb 06, 2006 at 05:53:48PM +0100, Ralf Hildebrandt wrote:

> * Bill Bradford <mrbillmrbill.net>:
>
> > I'm not trying to be snarky here; I'm just trying to understand where
> > things should properly go.
>
> The easiest way is to put them all into smtpd_recipient_restrictions
> in the order you want.
>

But, with permit_mx_backup this is rather non-trivial, because this
is the negation of the restriction one really wants:

    - Old style: check_relay_domains or permit_auth_destination

        This is a "final" relay rights check, and fundamentally aAll
        UCE checks go into smtpd_client_restrictions, ...
        that recipient restrictions is about relay control only!

    - New style: reject_unauth_destination

        This filters out unauthorized relaying and allows relay authorized
        mail to be subjected to further scrutiny. This makes the "put
        everything in one place" approach possible.

    - Missing: reject_non_mx_backup

        This would allow rejection of unauthorized relaying with support
        for unlisted (in relay_domains) backup-mx destinations. It would
        then support the kitchen sink approach to recipient restrictions.

If the OP needs permit_mx_backup, he MUST NOT use the kitchen sink approach.
Better yet, the OP should not use permit_mx_backup.

--
        Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.

If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the "Subject" so I can delete these quickly.
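
An added sketch of the distinction drawn in the message above (not part of the original post, and not Postfix code): a simplified first-match model of a restriction list, showing that a "final" permit such as permit_mx_backup ends evaluation before later UCE checks run, while reject_unauth_destination lets authorized mail continue down the list. The domains, the client addresses and the `uce_check` stand-in are constructed assumptions.

```python
# Simplified model of Postfix's first-match restriction evaluation.
# Not Postfix code; domains and client addresses are constructed samples.
OK, REJECT, DUNNO = "OK", "REJECT", "DUNNO"

RELAY_DOMAINS = {"example.com"}       # listed in relay_domains
MX_BACKUP_DOMAINS = {"example.net"}   # we are only a backup MX here (unlisted)
MYNETWORKS = {"192.0.2.10"}

def domain(rcpt):
    return rcpt.rsplit("@", 1)[1].lower()

def permit_mynetworks(client, rcpt):
    return OK if client in MYNETWORKS else DUNNO

def permit_mx_backup(client, rcpt):
    # "Final" style: authorizes the destination by permitting outright.
    return OK if domain(rcpt) in MX_BACKUP_DOMAINS else DUNNO

def reject_unauth_destination(client, rcpt):
    # "Filter" style: rejects unauthorized relaying, otherwise no decision.
    return DUNNO if domain(rcpt) in RELAY_DOMAINS else REJECT

def uce_check(client, rcpt):
    # Stand-in for a later UCE check (RBL lookup, greylisting policy service).
    return DUNNO

def evaluate(restrictions, client, rcpt):
    """Return (verdict, names of the restrictions that were evaluated)."""
    seen = []
    for check in restrictions:
        seen.append(check.__name__)
        result = check(client, rcpt)
        if result != DUNNO:
            return result, seen
    return OK, seen  # end of list without a decision: permit

KITCHEN_SINK = [permit_mynetworks, reject_unauth_destination, uce_check]
WITH_MX_BACKUP = [permit_mynetworks, permit_mx_backup,
                  reject_unauth_destination, uce_check]

if __name__ == "__main__":
    for name, rules in (("kitchen sink", KITCHEN_SINK),
                        ("with permit_mx_backup", WITH_MX_BACKUP)):
        for rcpt in ("user@example.com", "user@example.net", "user@example.org"):
            print(name, rcpt, *evaluate(rules, "203.0.113.5", rcpt))
```

In the second list, mail for the backup-MX domain is permitted without `uce_check` ever being evaluated; in the first list that same domain is rejected because it is not in relay_domains.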