smtpd_sender_restrictions vs smtpd_recipient_restrictions vs smtpd_client_restriction

[Angelito]

I want to reject mail from spam sources aimed to my domains (local delivery) specified in:

Code:

virtual_mailbox_domains = example2.com, example3.net

All mail with a destination to example2.com and example3.net is delivered locally.

If any of the users in example2.com and/or example3.net want to use Postfix to relay mail (eg: to hotmail or yahoo mail)will have to authenticate first (SASL), if authentication is successful they are granted permission to relay mail.

Now, as I said first I want to reject mail aimed to example2.com and/or example3.net from spam sources.(I know there could be other methods, but this thread is about smtpd_sender_restrictions vs smtpd_recipient_restrictions vs smtpd_client_restriction).

I seen some settings that indicate setting smtpd_recipient_restrictions to block spam sources (http://www.howtoforge.com/block_spam..._level_postfix):

Code:

smtpd_recipient_restrictions =
            reject_invalid_hostname,
            reject_unknown_recipient_domain,
            reject_unauth_pipelining,
            permit_mynetworks,
            permit_sasl_authenticated,
            reject_unauth_destination,
            reject_rbl_client multi.uribl.com,
            reject_rbl_client dsn.rfc-ignorant.org,
            reject_rbl_client dul.dnsbl.sorbs.net,
            reject_rbl_client list.dsbl.org,
            reject_rbl_client sbl-xbl.spamhaus.org,
            reject_rbl_client bl.spamcop.net,
            reject_rbl_client dnsbl.sorbs.net,
            reject_rbl_client cbl.abuseat.org,
            reject_rbl_client ix.dnsbl.manitu.net,
            reject_rbl_client combined.rbl.msrbl.net,
            reject_rbl_client rabl.nuclearelephant.com,
            permit

But for my goal, shouldn't I use smtpd_sender_restrictions(http://www.postfix.org/postconf.5.ht...r_restrictions) or smtpd_client_restriction(http://www.postfix.org/postconf.5.ht...t_restrictions)?

smtpd_sender_restrictions, as stated in Postfix website, filters mails based on the MAIL FROM command; This command is easy faked by telneting an open relay and typing in this command, therefore mail cound be sent with a valid MAIL FROM address, for this reason smtpd_sender_restrictions does not seem to be my solution.

The only option left in my hypothesis is to use smtpd_client_restrictions, which for my understanding checks the hostname or IP address of the smtpd client (the other MTA/SMTP connecting to my local smtpd(Postfix) ) in a black list, if listed mail is denied.

Am I correct here ?

NaCo

[mangueJOE]

Yes sir. You are correct. Take a look on this page: http://www.postfix.org/SMTPD_ACCESS_README.html

It explains all the smtpd access control types and why people tend to ignore all of them and use smtpd_recipient_restrictions only. Also possible problems you get by doing this.