Re: smtpd_recipient_restrictions -- Best Practices
On 12/8/2011 2:04 PM, Peter L. Berghold wrote:
> Hi folks,
> Hope this isn't too dumb a question, but here goes:
> Is there a "best practice" concerning the ordering of the directives
> to the right hand side of the "=" for smtpd_recipient_restrictions?
> The reason I'm asking is I added a set of lines for RBL reverse DNS and
> they don't seem to be having any effect.
Can you send us the smtpd_recipient_restrictions line from your main.cf?
Might help to see how you have them ordered and what else you may be
able to add to help benefit you.
On Thursday 08 December 2011 13:04:13 Peter L. Berghold wrote:
> Is there a "best practice" concerning the ordering of the
> directives to the right hand side of the "=" for
Consider the relative costs of the restrictions. For example, a hash:
table access(5) lookup will have very little cost, whereas a
reject_rbl_client restriction incurs the delay and bandwidth of a DNS
Furthermore, be aware of the potential problem of 'permit' results
allowing open relay:
On 12/8/2011 2:17 PM, Peter L. Berghold wrote:
> smtpd_recipient_restrictions =
This restriction at this location will IGNORE all RBL lookups when mail
is destined for your system.
I suggest removing it as it is implied if reject_unauth_destination
fails to reject.
"If the destination is served by this host, accept the mail."
"If the destination is NOT hosted here, reject the mail."
Nothing goes past this point, ever.
> check_sender_access hash:/etc/postfix/access,
Bad practice to use a file name "access"; name it for the function it
serves and/or the type of lookup: "sender_access" makes sense.
Furthermore, sender address lookups are very ineffective against spam,
if that was the goal in having it here; and unsafe in whitelisting, if
that was the goal.
Needs to come before reject_unauth_destination, if it is to have any
Okay, except per above that this is never evaluated,
"It's déjà vu all over again", and what's worse, DSBL shut down in
2008, over three years ago! Were you following some old howto? That
does not work in email land. Spammers change frequently, as do the
antispam tools at our disposal.
> reject_rbl_client opm.blitzed.org,
I can't remember when this one closed. Before DSBL, I think.
SBL is included in SBL-XBL, and CBL (above) is included in the latter.
In addition, all of these are included in the newer (and recommended)
The answer to your original question is that permit_auth_destination
prevents any other restrictions from being used.
Offlist mail to this address is discarded unless
"/dev/rob0" or "not-spam" is in Subject: header
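
The ordering point made in the replies above, as an added example that is not from any poster in the thread: a small checker that walks a restriction list in order and reports what is never evaluated once `permit_auth_destination` or `reject_unauth_destination` has returned a final result. The sample lists, the DNSBL zone `dnsbl.example.org` and the function names are constructed for illustration.

```python
# Added example: which restrictions in a Postfix smtpd_recipient_restrictions
# list are never evaluated, because an earlier PERMIT or REJECT ended the list.

# Restrictions that take one argument (an access map or a DNSBL zone).
TAKES_ARG = {"check_sender_access", "check_client_access",
             "check_recipient_access", "reject_rbl_client"}

def parse(value):
    """Split a main.cf restriction value into (name, argument) pairs."""
    tokens = value.replace(",", " ").split()
    rules, i = [], 0
    while i < len(tokens):
        name, arg = tokens[i], None
        if name in TAKES_ARG and i + 1 < len(tokens):
            i += 1
            arg = tokens[i]
        rules.append((name, arg))
        i += 1
    return rules

def decide(name, dest_authorized):
    """Outcome for an outside, unauthenticated client. DUNNO = keep going.
    Map and DNSBL lookups are assumed not to match, the case in which
    evaluation gets furthest down the list."""
    if name == "permit_auth_destination":
        return "PERMIT" if dest_authorized else "DUNNO"
    if name == "reject_unauth_destination":
        return "DUNNO" if dest_authorized else "REJECT"
    if name in ("permit", "reject"):
        return name.upper()
    return "DUNNO"

def skipped(value, dest_authorized=True):
    """Restrictions that are never reached for this kind of destination."""
    rules = parse(value)
    for idx, (name, _) in enumerate(rules):
        if decide(name, dest_authorized) != "DUNNO":
            return rules[idx + 1:]
    return []

# Constructed samples, not the poster's main.cf (the thread shows only parts of it).
BROKEN = """permit_mynetworks, permit_auth_destination, reject_unauth_destination,
    check_sender_access hash:/etc/postfix/sender_access,
    reject_rbl_client dnsbl.example.org"""
FIXED = BROKEN.replace("permit_auth_destination, ", "")

if __name__ == "__main__":
    for label, value in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, "skipped for local mail:", skipped(value))
```

With the constructed broken list, the sender access map and the DNSBL lookup are skipped for mail to local domains; with `permit_auth_destination` removed, both are reached.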