In the rules, when the keyword reject is hit, the email is immediately rejected; no more tests are done.
The idea behind reject is that in a particular policy (SMTP access restriction policy, smtpd_client_restrictions, etc.) you can have a load of tests, and if one of them is met positively, Postfix moves on to the next rule set. However, when Postfix gets to the end of a policy and no test has been met positively or negatively, it will also move on to the next policy by default. So you use reject at the end to say: if no test has been met positively (or negatively), then fail here; Postfix will not move on to the next policy and the email will be failed.
It is there to explicitly fail messages so you can enforce your rule sets as required.
reject is not always needed. If you look at my policy rules, I made these from the Postfix manual and a lot of research.
Consider this line:
smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated
If the email was sent either by an authenticated user or from your allowed networks, it will be allowed; if it is not, the email is currently not allowed, but Postfix will move on to the next policy and continue testing.
smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unknown_client_hostname
This is the same as above, but if there is an issue with the hostname from where the email was sent, such as the DNS lookup failing, then the email is failed.
Lastly, consider this line:
smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, reject
If the email is not from your allowed networks or an authenticated user, then fail.
I think the reason I don't use reject here is because it will cause issues with email relaying (i.e. sending emails outside of your network).
So as you can see, reject can be very useful in certain circumstances but should be used with caution and/or testing.
That's very helpful, thank you. So if I have understood correctly, you could have 'reject' in Other Restrictions to essentially say "if it's not been caught by previous restrictions but (for example) it's not in the 'mynetworks' list, then just reject it anyway"?
Yes
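The evaluation rules the answer describes (first permit_* or reject_* that fires decides the current list, a list that ends with no decision hands the session to the next list, and a trailing reject fails whatever the earlier permit_* tests let through) can be seen by modelling them directly. The following is an added example written for this thread, not Postfix's own code: it walks the three smtpd_client_restrictions lines from the answer above in Postfix's stage order (client, helo, sender, relay, recipient) against a few constructed sessions. The mynetworks ranges, the mydestination domain, the client sessions and the smtpd_relay_restrictions line used to make the relay stage realistic are all assumptions made for the demo; the hostname check is reduced to a single "PTR verified" flag rather than real DNS. It goes one step beyond the post by adding reject_unauth_destination, so the difference between "reject everyone who is not mine" and "reject relaying to domains that are not mine" is visible.

```python
"""Toy model of how Postfix walks its smtpd_*_restrictions lists.

Added example for this thread, not Postfix code. Within one list the first
restriction returning PERMIT or REJECT decides and later entries are skipped;
a list that only ever answers DUNNO makes no decision, so the session moves on
to the next list. A bare 'reject' therefore fails everything the permit_*
entries before it did not catch. Networks, domains and sessions are constructed.
"""
from dataclasses import dataclass
import ipaddress

PERMIT, REJECT, DUNNO = "PERMIT", "REJECT", "DUNNO"

# Constructed stand-ins for the mynetworks and mydestination settings.
MYNETWORKS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "192.168.1.0/24")]
MYDESTINATION = {"example.com"}


@dataclass
class Session:
    client_ip: str
    sasl_authenticated: bool = False
    client_hostname_verified: bool = True   # stand-in for "PTR exists and resolves back"
    recipient: str = "user@example.com"


def permit_mynetworks(s):
    ip = ipaddress.ip_address(s.client_ip)
    return PERMIT if any(ip in net for net in MYNETWORKS) else DUNNO

def permit_sasl_authenticated(s):
    return PERMIT if s.sasl_authenticated else DUNNO

def reject_unknown_client_hostname(s):
    return REJECT if not s.client_hostname_verified else DUNNO

def reject_unauth_destination(s):
    # Allow mail for our own domains through; refuse to relay anywhere else.
    domain = s.recipient.rsplit("@", 1)[-1].lower()
    return DUNNO if domain in MYDESTINATION else REJECT

def reject(s):
    return REJECT

RESTRICTIONS = {f.__name__: f for f in (permit_mynetworks, permit_sasl_authenticated,
                                         reject_unknown_client_hostname,
                                         reject_unauth_destination, reject)}

STAGES = ("smtpd_client_restrictions", "smtpd_helo_restrictions",
          "smtpd_sender_restrictions", "smtpd_relay_restrictions",
          "smtpd_recipient_restrictions")


def parse_list(value):
    """Split a main.cf value such as 'permit_mynetworks, reject' into names."""
    return [tok for tok in value.replace(",", " ").split() if tok]


def evaluate_list(value, session):
    """Walk one list: first PERMIT/REJECT wins, DUNNO means try the next entry."""
    for name in parse_list(value):
        verdict = RESTRICTIONS[name](session)
        if verdict != DUNNO:
            return verdict, name
    return DUNNO, None            # list exhausted with no decision


def evaluate(config, session):
    """Apply the lists in stage order. REJECT ends the transaction; PERMIT only
    ends the current list, the following stages still run."""
    for stage in STAGES:
        verdict, name = evaluate_list(config.get(stage, ""), session)
        if verdict == REJECT:
            return "reject", f"{stage}:{name}"
    return "accept", None


# The three client-restriction lines from the answer, each paired with the
# same (assumed) relay rule so the relay stage behaves realistically.
RELAY = "permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination"
CONFIGS = {
    "A_no_reject": {
        "smtpd_client_restrictions": "permit_mynetworks, permit_sasl_authenticated",
        "smtpd_relay_restrictions": RELAY},
    "B_unknown_hostname": {
        "smtpd_client_restrictions":
            "permit_mynetworks, permit_sasl_authenticated, reject_unknown_client_hostname",
        "smtpd_relay_restrictions": RELAY},
    "C_trailing_reject": {
        "smtpd_client_restrictions": "permit_mynetworks, permit_sasl_authenticated, reject",
        "smtpd_relay_restrictions": RELAY},
}

# Constructed sessions.
LAN = Session("192.168.1.20")
ROAMING_USER = Session("203.0.113.5", sasl_authenticated=True)
INTERNET_MTA = Session("198.51.100.9")                                  # inbound mail for example.com
NO_PTR_MTA = Session("198.51.100.10", client_hostname_verified=False)
OPEN_RELAY_PROBE = Session("198.51.100.11", recipient="victim@elsewhere.test")


def outcome(config_name, session):
    return evaluate(CONFIGS[config_name], session)[0]


if __name__ == "__main__":
    sessions = {"LAN": LAN, "roaming SASL user": ROAMING_USER, "internet MTA": INTERNET_MTA,
                "MTA without PTR": NO_PTR_MTA, "open-relay probe": OPEN_RELAY_PROBE}
    for cname, cfg in CONFIGS.items():
        for sname, s in sessions.items():
            print(f"{cname:20} {sname:18} -> {evaluate(cfg, s)}")
```

Running it shows the point of the thread: under config C the roaming SASL user and the LAN host still get through, but a remote MTA delivering mail to example.com is refused at smtpd_client_restrictions:reject before any later stage can look at the recipient, whereas configs A and B let that mail in and still refuse the open-relay probe at reject_unauth_destination.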