smtpd_sender_restrictions vs smtpd_recipient_restrictions vs smtpd_client_restriction

Discussion in 'Server Operation' started by Angelito, Feb 22, 2009.

  1. Angelito

    Angelito New Member

    I want to reject mail from spam sources aimed to my domains (local delivery) specified in:
    Code:
    virtual_mailbox_domains = example2.com, example3.net
    All mail with a destination to example2.com and example3.net is delivered locally.

    If any of the users in example2.com and/or example3.net want to use Postfix to relay mail (eg: to hotmail or yahoo mail)will have to authenticate first (SASL), if authentication is successful they are granted permission to relay mail.

    Now, as I said first I want to reject mail aimed to example2.com and/or example3.net from spam sources.(I know there could be other methods, but this thread is about smtpd_sender_restrictions vs smtpd_recipient_restrictions vs smtpd_client_restriction).

    I seen some settings that indicate setting smtpd_recipient_restrictions to block spam sources (http://www.howtoforge.com/block_spam_at_mta_level_postfix):
    Code:
    smtpd_recipient_restrictions =
                reject_invalid_hostname,
                reject_unknown_recipient_domain,
                reject_unauth_pipelining,
                permit_mynetworks,
                permit_sasl_authenticated,
                reject_unauth_destination,
                reject_rbl_client multi.uribl.com,
                reject_rbl_client dsn.rfc-ignorant.org,
                reject_rbl_client dul.dnsbl.sorbs.net,
                reject_rbl_client list.dsbl.org,
                reject_rbl_client sbl-xbl.spamhaus.org,
                reject_rbl_client bl.spamcop.net,
                reject_rbl_client dnsbl.sorbs.net,
                reject_rbl_client cbl.abuseat.org,
                reject_rbl_client ix.dnsbl.manitu.net,
                reject_rbl_client combined.rbl.msrbl.net,
                reject_rbl_client rabl.nuclearelephant.com,
                permit
    
    But for my goal, shouldn't I use smtpd_sender_restrictions(http://www.postfix.org/postconf.5.html#smtpd_sender_restrictions) or smtpd_client_restriction(http://www.postfix.org/postconf.5.html#smtpd_client_restrictions)?

    smtpd_sender_restrictions, as stated in Postfix website, filters mails based on the MAIL FROM command; This command is easy faked by telneting an open relay and typing in this command, therefore mail cound be sent with a valid MAIL FROM address, for this reason smtpd_sender_restrictions does not seem to be my solution.

    The only option left in my hypothesis is to use smtpd_client_restrictions, which for my understanding checks the hostname or IP address of the smtpd client (the other MTA/SMTP connecting to my local smtpd(Postfix) ) in a black list, if listed mail is denied.

    Am I correct here ?

    NaCo
     
  2. mangueJOE

    mangueJOE New Member

    Yes sir. You are correct. Take a look on this page: http://www.postfix.org/SMTPD_ACCESS_README.html

    It explains all the smtpd access control types and why people tend to ignore all of them and use smtpd_recipient_restrictions only. Also possible problems you get by doing this.
     

Share This Page