Postfix - restrictions

Discussion in 'Mail Gateway: Installation and configuration' started by Petr Stepanek, Dec 9, 2018.

  1. Petr Stepanek

    Petr Stepanek New Member

    Joined:
    Nov 1, 2018
    Messages:
    18
    Likes Received:
    2
    Hello,

    could somebody explain to me what the purpose of this part of the main.cf.in file is?

    Code:
    smtpd_sender_restrictions =
            check_client_access     cidr:/etc/postfix/clientaccess
            check_recipient_access  regexp:/etc/postfix/rcptaccess
    
    smtpd_recipient_restrictions =
    [%- IF postfix.usepolicy %] check_sender_access  regexp:/etc/postfix/senderaccess[% END %]
    [%- IF postfix.usepolicy %] check_client_access  cidr:/etc/postfix/clientaccess[% END %]
    
    I thought that "check_client_access" is applicable only in "smtpd_client_restrictions", "check_sender_access" only in "smtpd_sender_restrictions" and "check_recipient_access" only in "smtpd_recipient_restrictions".

    Thank you for the explanation.

    Petr
     
  2. dietmar

    dietmar Proxmox Staff Member
    Staff Member

    Joined:
    Apr 28, 2005
    Messages:
    16,449
    Likes Received:
    306
    Don't think so. Or do you have a real problem with the white/blacklist settings?
     
  3. Petr Stepanek

    Petr Stepanek New Member

    No, I only wanted to understand it.

    But I have a problem with "smtpd_helo_restrictions". I am still receiving "Helo command rejected: need fully-qualified hostname" even though I have my IP address in mynetworks. I thought that this configuration says that there are no helo checks for a client which is in "mynetworks".
    Code:
    smtpd_helo_restrictions =
            permit_mynetworks
            reject_non_fqdn_helo_hostname
            reject_invalid_helo_hostname
    
     
  4. dietmar

    dietmar Proxmox Staff Member
    Staff Member

    An IP address is not a domain name.
     
  5. Petr Stepanek

    Petr Stepanek New Member

    Of course. I interchanged "helo" with "client" restrictions.

    Thank you dietmar!
     
  6. dietmar

    dietmar Proxmox Staff Member
    Staff Member

    Maybe you connect to the wrong port?
     
  7. Petr Stepanek

    Petr Stepanek New Member

    I don't think so. I need to skip the helo check for one server which will mail to my relay domains - a common external connection (TCP 25). I thought that if I use "permit_mynetworks" in the helo restrictions and this server has an IP address which is in "mynetworks", the next helo restrictions will be skipped.
     
  8. dietmar

    dietmar Proxmox Staff Member
    Staff Member

    The internal port is configured with (master.cf):

    26 inet n - - - 99 smtpd
      -o content_filter=scan:127.0.0.1:10023
      -o smtpd_recipient_restrictions=permit_mynetworks,reject_unauth_destination
      -o smtpd_helo_restrictions=
      -o smtpd_client_restrictions=
      -o smtpd_sender_restrictions=

    So there should be no helo restriction at all. So I really think you connect to the wrong port.
     
  9. Petr Stepanek

    Petr Stepanek New Member

    You are right. If I used port 26 I would not have a problem, but it is not my server. It is a foreign server with a misconfigured helo header, so I am not able to force them to connect to port 26. I hoped that inserting the IP address of this server into mynetworks would resolve this issue.
     
  10. Petr Stepanek

    Petr Stepanek New Member

    I found a nice explanation here.
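
The evaluation rule this thread turns on, as an added example that is not code from the thread or from Proxmox: Postfix evaluates each smtpd_*_restrictions list separately, and a permit ends only the list it appears in. The model is a simplification; the addresses, the `MYNETWORKS` value and the `EXTRA_LIST` configuration are constructed assumptions.

```python
import ipaddress

# Constructed sample value: the thread does not show the real mynetworks.
MYNETWORKS = [ipaddress.ip_network("192.0.2.0/24")]
HELO_LIST = ["permit_mynetworks", "reject_non_fqdn_helo_hostname",
             "reject_invalid_helo_hostname"]  # as posted in the thread

PORT25 = {"helo": HELO_LIST}
# Port 26 from the posted master.cf: the -o overrides empty these lists.
PORT26 = {"helo": [], "client": [], "sender": []}
# Hypothetical: the same HELO check repeated in a second list.
EXTRA_LIST = {"helo": HELO_LIST,
              "recipient": ["reject_non_fqdn_helo_hostname"]}

def helo_is_fqdn(helo):
    """Simplified stand-in for Postfix's check: address literal or dotted name."""
    if helo.startswith("[") and helo.endswith("]"):
        return True
    labels = helo.rstrip(".").split(".")
    # A bare IP address is not a domain name, so an all-digit last label fails.
    return len(labels) > 1 and all(labels) and not labels[-1].isdigit()

def run_list(restrictions, client_ip, helo):
    """Evaluate one list; the first decisive result ends this list only."""
    for r in restrictions:
        if r == "permit_mynetworks":
            if any(ipaddress.ip_address(client_ip) in n for n in MYNETWORKS):
                return "permit"
        elif r == "reject_non_fqdn_helo_hostname" and not helo_is_fqdn(helo):
            return "Helo command rejected: need fully-qualified hostname"
    return "dunno"  # restrictions not modeled here never decide

def first_reject(lists, client_ip, helo):
    """Walk the lists in Postfix order; return (list, reason) or None."""
    for name in ("client", "helo", "sender", "relay", "recipient"):
        result = run_list(lists.get(name, []), client_ip, helo)
        if result not in ("permit", "dunno"):
            return name, result
    return None

if __name__ == "__main__":
    for label, cfg in (("port 25", PORT25), ("port 26", PORT26),
                       ("extra list", EXTRA_LIST)):
        for ip in ("192.0.2.7", "198.51.100.9"):
            print(label, ip, first_reject(cfg, ip, "mailhost"))
```

On a live system, `postconf -n` shows which restriction lists are set in main.cf, and `postconf -M` shows the per-service `-o` overrides from master.cf.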
     