Question regarding smtpd_recipient_restrictions


Question regarding smtpd_recipient_restrictions

J Doe
Hi,

I have a basic question regarding the smtpd_recipient_restrictions parameter.

From what I understand, these are restrictions applied to the SMTP RCPT TO command.

In the case of a server that receives mail for a domain and also allows clients to send mail through it (via AUTH’d clients), does smtpd_recipient_restrictions apply to recipients at the domain or to recipients of mail sent by the AUTH’d clients or both?

So, as an example, if the server handles mail for example.com, do the restrictions apply to:

1. Recipients at example.com (example: [hidden email] is recipient)

2. Recipients of mail from people at example.com (example: [hidden email] -> [hidden email] where [hidden email] is recipient)

3. Both cases

Thanks,

- J

Re: Question regarding smtpd_recipient_restrictions

Wietse Venema
J Doe:

> Hi,
>
> I have a basic question regarding the smtpd_recipient_restrictions parameter.
>
> From what I understand, these are restrictions applied to the SMTP
> RCPT TO command.
>
> In the case of a server that receives mail for a domain and also
> allows clients to send mail through it (via AUTH'd clients), does
> smtpd_recipient_restrictions apply to recipients at the domain or
> to recipients of mail sent by the AUTH'd clients or both?

It applies to the address that the client sends in the RCPT TO command.

However it is common to whitelist clients that are authenticated:

    smtpd_recipient_restrictions =
        permit_mynetworks
        permit_sasl_authenticated
        ...other stuff...

And thus their commands may pass, while the same commands from other
clients may be blocked.

        Wietse

Re: Question regarding smtpd_recipient_restrictions

Bill Cole-3
On 21 Dec 2017, at 18:06 (-0500), Doe wrote:

> In the case of a server that receives mail for a domain and also
> allows clients to send mail through it (via AUTH’d clients), does
> smtpd_recipient_restrictions apply to recipients at the domain or to
> recipients of mail sent by the AUTH’d clients or both?

Both, although you can exempt authenticated senders from restrictions as
Wietse described.

HOWEVER, modern standard practice (defined by RFC2476, RFC4409, and
RFC6409) is to segregate initial message submission by authenticated
users from the mail coming in from the world at large, running a
distinct smtpd process listening on port 587 with mandatory
authentication and overrides of the main.cf settings. Doing this allows
you to disable authentication on the 'main' port 25 daemon and have
entirely distinct restrictions for submission and inbound SMTP
transport. If you read the documentation of the available restrictions
in Postfix and the discussion of them in the archives of this list you
can find multiple cases where a restriction that would be useful and
safe for either inbound mail or initial submission is cautioned against
because it is not safe to use for the other.

--
Bill Cole
[hidden email] or [hidden email]
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Currently Seeking Steady Work: https://linkedin.com/in/billcole
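
The port 25 / port 587 split described in the last reply could look like the following. This is an added example, not part of the thread and not any poster's own configuration; the restriction lists are assumptions chosen for illustration, and a real site would extend them.

```cfg
# main.cf: defaults, used by the public port 25 service (inbound mail).
# Authentication is off here, so nothing on port 25 depends on AUTH.
smtpd_sasl_auth_enable = no
smtpd_recipient_restrictions =
    permit_mynetworks
    reject_unauth_destination

# master.cf: port 25 service, inherits the main.cf settings above.
smtp       inet  n       -       n       -       -       smtpd

# master.cf: submission service on port 587 (RFC 6409).
# Each -o overrides main.cf for this service only: TLS is required,
# AUTH is offered only after STARTTLS, and any client that has not
# authenticated is rejected, including clients in mynetworks.
submission inet  n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_auth_only=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
```

On Postfix 2.10 and later, smtpd_relay_restrictions is evaluated in addition to smtpd_recipient_restrictions, which is why the submission service overrides both.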