Re: a better permit_mx_backup

From: Victor Duchovni (Victor.DuchovniMorganStanley.com)
Date: Wed Dec 27 2006 - 15:39:40 CST


On Wed, Dec 27, 2006 at 04:32:10PM -0500, Wietse Venema wrote:

> > # New ${var=value?...} syntax
> > #
> > smtpd_connect_restriction_classes =
> > ${smtp_delay_reject=no?smtpd_client_restrictions}
> >
> > smtpd_helo_restriction_classes =
> > ${smtp_delay_reject=no?smtpd_helo_restrictions}
> >
> > smtpd_mail_restriction_classes =
> > ${smtp_delay_reject=no?smtpd_sender_restrictions}
> >
> > smtpd_rcpt_restriction_classes =
> > ${smtp_delay_reject=no?smtpd_client_restrictions}
> > ${smtp_delay_reject=no?smtpd_helo_restrictions}
> > ${smtp_delay_reject=no?smtpd_sender_restrictions}
> > ${smtp_delay_reject=no?smtpd_recipient_restrictions}
> > smtpd_recipient_restrictions
> > smtpd_ube_restrictions
>
> Make that "${smtp_delay_reject=yes?....}

Yes, cut/paste problem.

> > smtpd_data_restriction_classes = smtpd_data_restrictions
> >
> > smtpd_dot_restriction_classes = smtpd_end_of_data_restrictions
> >
> > Then:
> >
> > smtpd_recipient_restrictions =
> > permit_mynetworks,
> > permit_sasl_authenticated,
> > permit_auth_destination,
> > # Enable as needed
> > # permit_mx_backup,
> > reject
>
> The "reject" terminates the search before smtpd_ube_restrictions
> is evaluated, just like any "reject" from smtpd_helo_restrictions.

Yes, exactly, only permitted mail goes on to the "ube" restrictions,
which is what the OP wants, and why the Ralf H. style of all restrictions
listed in one place under "reject_unauth_destination" prevails, but
it meshes poorly with the permit_backup_mx primitives, and encourages
potentially unsafe whitelisting practices.

The above idea is clearly too late for 2.4, and perhaps indefinitely as a
mature Postfix should perhaps never change this much, but I still think
it would provide a much cleaner restriction framework if there is ever
an opportunity to significantly refine the design in a backward compatible
way without doing something much more radical...

--
        Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.

If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the "Subject" so I can delete these quickly.
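As an added illustration (not part of the thread, and the proposed smtpd_ube_restrictions list is not a real Postfix parameter), here is a small Python model of the two evaluation orders being compared: permit/relay decisions in one list followed by a separate UBE list that only permitted mail reaches, versus everything in a single list. The stage lists, primitives and client attributes are constructed for the demo and only mimic Postfix's walk through its restriction lists.

```python
# Model of how Postfix walks smtpd_*_restrictions lists: within a list the
# first PERMIT or REJECT ends that list; PERMIT hands the client on to the
# next list, REJECT ends the whole transaction.  Constructed for this demo.
PERMIT, REJECT, DUNNO = "PERMIT", "REJECT", "DUNNO"


def evaluate(stages, client):
    """Return (verdict, name of the check that decided it)."""
    deciding = "end_of_lists"  # a list that never permits/rejects falls through
    for stage in stages:
        for check in stage:
            verdict = check(client)
            if verdict == REJECT:
                return REJECT, check.__name__
            if verdict == PERMIT:
                deciding = check.__name__
                break  # rest of this list is skipped; continue with next list
    return PERMIT, deciding


# Simplified stand-ins for the primitives named in the thread
def permit_mynetworks(c):
    return PERMIT if c["mynetworks"] else DUNNO

def permit_auth_destination(c):
    return PERMIT if c["rcpt_local"] else DUNNO

def permit_mx_backup(c):
    return PERMIT if c["rcpt_backup_mx"] else DUNNO

def reject_rbl_client(c):
    return REJECT if c["dnsbl_listed"] else DUNNO

def reject(c):
    return REJECT


# Thread's proposal: relay policy first, UBE checks in a later list that
# every permitted client still has to pass.
SPLIT_POLICY = [
    [permit_mynetworks, permit_auth_destination, permit_mx_backup, reject],
    [reject_rbl_client],
]
# "All restrictions in one place": a permit_* match ends the only list, so
# permit_mx_backup also whitelists the client past the UBE checks.
SINGLE_LIST_POLICY = [
    [permit_mynetworks, permit_auth_destination, permit_mx_backup,
     reject_rbl_client, reject],
]

# Constructed sample: a DNSBL-listed client sending to a backup-MX domain
LISTED_BACKUP_MX_CLIENT = {"mynetworks": False, "rcpt_local": False,
                           "rcpt_backup_mx": True, "dnsbl_listed": True}
```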