Postfix SMTP Client Restrictions

SYSTEM INFORMATION
OS type and version Rocky Linux 9
Virtualmin version 2.202

Would anyone be able to advise what the below field actually does and possibly what version it was added to Webmin in? I have an older device on Webmin 2.1 and it doesn’t appear to have this field. Didn’t know if it was a version difference or a configuration difference.

Ok so I’ve figured out how to access this field but is there any documentation for what to put in it? Currently it’s just the word ‘reject’.

https://quantumwarp.com/kb/articles/34-web-server/1016-my-virtualmin-notes

Just search on this page; I did a whole section on setting up Postfix, including explanations.

Hi Shoulders,

That’s very helpful thank you. So if I have understood correctly, you could have ‘reject’ in Other Restrictions to essentially say “if it’s not been caught by previous restrictions but (for example) it’s not in the ‘mynetworks’ list then just reject it anyway”?

In the rules, when the keyword reject is hit, the email is immediately rejected; no more tests are done.

The idea behind reject is that in a particular policy (SMTP access restriction policy, smtpd_client_restrictions, etc.) you can have a load of tests, and if one of them is met positively, Postfix moves on to the next rule set. However, when Postfix gets to the end of a policy and no test has been met positively or negatively, it will also move on to the next policy by default. So you use reject at the end to say that if no tests have been met positively (or negatively), then fail here; Postfix will not move on to the next policy and the email will be failed.

It is there to explicitly fail messages so you can enforce your rule sets as required.

reject is not always needed. If you look at my policy rules, I made these from the Postfix manual and a lot of research.

Consider this line:

smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated

If the email was sent either by an authenticated user or from your allowed networks, it will be allowed. If it is not, the email is currently not allowed, but Postfix will move on to the next policy and continue testing.

smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unknown_client_hostname

This is the same as above, but if there is an issue with the hostname from where the email was sent, such as the DNS lookup failing, then the email is failed.

Lastly, consider this line:

smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, reject

If the email is not from your allowed networks or an authenticated user then fail.

I think the reason I don’t use reject here is because it will cause issues with email relaying (i.e. sending emails outside of your network).

So as you can see, reject can be very useful in certain circumstances but should be used with caution and/or testing.

That’s very helpful thank you. So if I have understood correctly, you could have ‘reject’ in Other Restrictions to essentially say “if it’s not been caught by previous restrictions but (for example) it’s not in the ‘mynetworks’ list then just reject it anyway”?

Yes
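
A simplified model of the evaluation order discussed in this thread, added here as an example; it is not Postfix code and not from any poster. It runs the three smtpd_client_restrictions lines from the thread against constructed sample clients. The function names, the `hostname_ok` flag and the sample addresses are assumptions.

```python
import ipaddress

# Constructed sample network list (loopback plus a documentation range).
MYNETWORKS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "192.0.2.0/24")]

def check(restriction, client):
    """Result of one restriction: 'permit', 'reject' or 'dunno' (no decision)."""
    if restriction == "permit_mynetworks":
        ip = ipaddress.ip_address(client["ip"])
        return "permit" if any(ip in net for net in MYNETWORKS) else "dunno"
    if restriction == "permit_sasl_authenticated":
        return "permit" if client.get("sasl_user") else "dunno"
    if restriction == "reject_unknown_client_hostname":
        # Assumption: the DNS checks are reduced to one precomputed flag.
        return "dunno" if client.get("hostname_ok") else "reject"
    if restriction in ("permit", "reject"):
        return restriction
    raise ValueError(f"restriction not modelled: {restriction}")

def evaluate_list(value, client):
    """Walk one list left to right; the first permit or reject decides it."""
    for restriction in value.replace(",", " ").split():
        result = check(restriction, client)
        if result != "dunno":
            return result, restriction
    return "dunno", None  # end of list reached without a decision

def evaluate_policy(lists, client):
    """A permit ends only its own list; a reject ends the whole evaluation."""
    for name, value in lists:
        result, hit = evaluate_list(value, client)
        if result == "reject":
            return f"rejected by {name} ({hit})"
    return "accepted"

LINES = {  # the three settings discussed in the thread
    "open": "permit_mynetworks, permit_sasl_authenticated",
    "hostname": "permit_mynetworks, permit_sasl_authenticated, reject_unknown_client_hostname",
    "closed": "permit_mynetworks, permit_sasl_authenticated, reject",
}
CLIENTS = {  # constructed sample clients
    "lan": {"ip": "192.0.2.10"},
    "auth": {"ip": "198.51.100.7", "sasl_user": "alice", "hostname_ok": True},
    "stranger": {"ip": "203.0.113.5", "hostname_ok": True},
    "no_dns": {"ip": "203.0.113.9", "hostname_ok": False},
}

if __name__ == "__main__":
    for label, value in LINES.items():
        for who, client in CLIENTS.items():
            print(label, who, evaluate_list(value, client))
```

On a live server, `postconf smtpd_client_restrictions` prints the value currently in effect, which can be pasted into `evaluate_list` as long as it only uses the restrictions modelled here.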
