Postfix - restrictions

[Petr Stepanek]

Hello,

could somebody explain me what is the purpose of this part in main.cf.in file?

smtpd_sender_restrictions =
        check_client_access     cidr:/etc/postfix/clientaccess
        check_recipient_access  regexp:/etc/postfix/rcptaccess

smtpd_recipient_restrictions =
[%- IF postfix.usepolicy %] check_sender_access  regexp:/etc/postfix/senderaccess[% END %]
[%- IF postfix.usepolicy %] check_client_access  cidr:/etc/postfix/clientaccess[% END %]

I thought that "check_client_access" is applicable only in "smtpd_client_restrictions", "check_sender_access" only in "smtpd_sender_restrictions" and "check_recipient_access" only in "smtpd_recipient_restrictions".

Thank you for explanation.

Petr

 

[dietmar]

I thought that "check_client_access" is applicable only in "smtpd_client_restrictions", "check_sender_access" only in "smtpd_sender_restrictions" and "check_recipient_access" only in "smtpd_recipient_restrictions".

Don't think so. Or do you have a real problem with the white/backliste settings?

 

[Petr Stepanek]

Don't think so. Or do you have a real problem with the white/backliste settings?

No, I only wanted to understand it.

But I have problem with "smtpd_helo_restrictions". I am still receiving "Helo command rejected: need fully-qualified hostname" event though I have my IP address in mynetworks. I thought that this configuration says that there is no helo checks for client which is in "mynetworks".

smtpd_helo_restrictions =
        permit_mynetworks
        reject_non_fqdn_helo_hostname
        reject_invalid_helo_hostname

 

[dietmar]

An IP address is not a domain name.

 

[Petr Stepanek]

Of course. I interchanged "helo" with "client" restrictions.

Thank you dietmar!

 

[dietmar]

Maybe you connect to the wrong port?

 

[Petr Stepanek]

I don't think so. I need to skip helo check for one server which will mail to my relay domains - common external connection (TCP 25). I thought that if I use "permit_mynetworks" in helo restriction and this server will have IP address which is in "mynetworks" next helo restrictions will be skipped.

 

[dietmar]

Th internal port is configured with (master.cf):

26 inet n - - - 99 smtpd
-o content_filter=scan:127.0.0.1:10023
-o smtpd_recipient_restrictions=permit_mynetworks,reject_unauth_destination
-o smtpd_helo_restrictions=
-o smtpd_client_restrictions=
-o smtpd_sender_restrictions=

So there should be no helo restriction at all. So I really think you connect toö the wrong port.

 

[Petr Stepanek]

You are right. If I used port 26 I would not have problem but it is not my server. It is foreign server with misconfigured helo header so I am not able to force them to connect to port 26. I hoped that insert IP address of this server to mynetworks resolve this issue.

 

[Petr Stepanek]

I found nice explanation here.