Re: a better permit_mx_backup

From: Wietse Venema (wietseporcupine.org)
Date: Wed Dec 27 2006 - 15:32:10 CST


Victor Duchovni:
> On Wed, Dec 27, 2006 at 04:03:07PM -0500, Wietse Venema wrote:
>
> > > reject_non_mx_backup - REJECT if the local MTA is not backup
> > > MX for the recipient domain,
> > > DEFER_IF_PERMIT if DNS lookup fails
> > > DUNNO otherwise
> >
> > So you would use it in combination to permit final destinations:
> >
> > permit_auth_destination reject_non_mx_backup
> >
> > reject_non_mx_backup_and_unauth_destination seems a little heavy to me.
> >
>
> But users mostly want the second form, because they want to reject the
> obvious stuff first (relay attempts, ...) and *then* apply UCE controls.
>
> If we had configurable top-level restriction classes, there could be
> one that runs *after* "smtpd_recipient_restrictions" (really anti-relay),
> and the anti-UBE stuff would go there... (Same old hypothetical, but
> I still think it could be a win).
>
> # New ${var=value?...} syntax
> #
> smtpd_connect_restriction_classes =
> ${smtp_delay_reject=no?smtpd_client_restrictions}
>
> smtpd_helo_restriction_classes =
> ${smtp_delay_reject=no?smtpd_helo_restrictions}
>
> smtpd_mail_restriction_classes =
> ${smtp_delay_reject=no?smtpd_sender_restrictions}
>
> smtpd_rcpt_restriction_classes =
> ${smtp_delay_reject=no?smtpd_client_restrictions}
> ${smtp_delay_reject=no?smtpd_helo_restrictions}
> ${smtp_delay_reject=no?smtpd_sender_restrictions}
> ${smtp_delay_reject=no?smtpd_recipient_restrictions}
> smtpd_recipient_restrictions
> smtpd_ube_restrictions

Make that "${smtp_delay_reject=yes?....}"

> smtpd_data_restriction_classes = smtpd_data_restrictions
>
> smtpd_dot_restriction_classes = smtpd_end_of_data_restrictions
>
> Then:
>
> smtpd_recipient_restrictions =
> permit_mynetworks,
> permit_sasl_authenticated,
> permit_auth_destination,
> # Enable as needed
> # permit_mx_backup,
> reject

The "reject" terminates the search before smtpd_ube_restrictions
is evaluated, just like any "reject" from smtpd_helo_restrictions.

        Wietse
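An added Python simulation (not Postfix source) of the first-match evaluation discussed in this thread: reject_non_mx_backup is modelled against a constructed MX table, and the trailing "reject" in the second recipient list is shown to stop the search before the hypothetical smtpd_ube_restrictions class is reached. The host names, domains, MX records and the stand-in UBE check are all assumptions made for the example.

```python
# Simulation of Postfix-style restriction evaluation (added example, not Postfix code).
# DNS lookup failure is modelled as a domain that is absent from the constructed table.

MX_RECORDS = {  # constructed: domain -> [(preference, host)]
    "example.org": [(10, "mx1.example.org"), (20, "backup.example.net")],
    "example.com": [(10, "mx.example.com")],
}
LOCAL_HOST = "backup.example.net"   # assumed name of the host running this MTA
MY_DESTINATIONS = {"example.net"}   # assumed domains we are final destination for

def domain_of(rcpt):
    return rcpt.rsplit("@", 1)[1].lower()

def permit_auth_destination(rcpt):
    return "PERMIT" if domain_of(rcpt) in MY_DESTINATIONS else "DUNNO"

def reject_non_mx_backup(rcpt):
    """REJECT unless we are a secondary MX for the domain; DEFER_IF_PERMIT on lookup failure."""
    records = MX_RECORDS.get(domain_of(rcpt))
    if records is None:
        return "DEFER_IF_PERMIT"
    primary = min(records)[1]                 # lowest preference value wins
    hosts = {host for _, host in records}
    return "DUNNO" if LOCAL_HOST in hosts and LOCAL_HOST != primary else "REJECT"

def reject(rcpt):
    return "REJECT"

def evaluate(restrictions, rcpt):
    """First match wins: DUNNO continues, PERMIT/REJECT end the search.
    DEFER_IF_PERMIT is remembered and only takes effect if the list would permit.
    Returns (verdict, names of the restrictions that were actually evaluated)."""
    deferred, evaluated = False, []
    for name, check in restrictions:
        evaluated.append(name)
        verdict = check(rcpt)
        if verdict == "DEFER_IF_PERMIT":
            deferred = True
        elif verdict == "PERMIT":
            return ("DEFER" if deferred else "PERMIT"), evaluated
        elif verdict == "REJECT":
            return "REJECT", evaluated
    return ("DEFER" if deferred else "DUNNO"), evaluated

# The two recipient policies from the thread, each followed by a hypothetical
# smtpd_ube_restrictions class (a single stand-in check that never matches).
UBE = [("reject_rbl_client", lambda rcpt: "DUNNO")]
WITH_MX_BACKUP = [("permit_auth_destination", permit_auth_destination),
                  ("reject_non_mx_backup", reject_non_mx_backup)] + UBE
WITH_REJECT = [("permit_auth_destination", permit_auth_destination),
               ("reject", reject)] + UBE
```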