<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<HTML>
<HEAD>
<META NAME="GENERATOR" CONTENT="SGML-Tools 1.0.9">
<TITLE>Spam Control Configurations: Smtpd restriction</TITLE>
<LINK HREF="postfix_spamctrl-3.html" REL=previous>
<LINK HREF="postfix_spamctrl.html#toc4" REL=contents>
</HEAD>
<BODY>
Next
<A HREF="postfix_spamctrl-3.html">Previous</A>
<A HREF="postfix_spamctrl.html#toc4">Contents</A>
<HR>
<H2><A NAME="s4">4. Smtpd restriction</A></H2>
<P>
<P>
<DL>
<DT><B>Smtpd etrn restriction</B><DD><P>The "Smtpd etrn restriction" option restricts which clients are
allowed to issue the ETRN command. The present Postfix ETRN differs
from other ETRN implementations in that it flushes mail for all
destinations. This will change in the future.
<P>The default is to allow ETRN from any host. The following restrictions
are available:
<UL>
<LI>reject the request if the client hostname is unknown.
<LI>permit if the client address matches "Networks".
<LI>check_client_access maptype:mapname
<UL>
<LI>maptype:mapname: look up client name, parent domains, client address,
or networks obtained by stripping octets.
Reject if result is REJECT or "[45]xx text".
Permit otherwise.
</UL>
<LI>reject if the client is listed under "Maps rbl domains".
<LI>reject the request. Place this at the end of a restriction.
<LI>permit the request. Place this at the end of a restriction.
</UL>
<P>This option sets the "smtpd_etrn_restrictions" Postfix variable.
<P>
<DT><B>Smtpd sender restriction</B><DD><P>The "Smtpd sender restriction" option specifies optional restrictions
on sender addresses that SMTP clients can send in MAIL FROM commands.
<P>The default is to permit any sender address. The following
restrictions are available:
<UL>
<LI>permit if the client address matches "Networks".
<LI>reject the request if the client hostname is unknown.
<LI>reject if the client is listed under $maps_rbl_domains.
<LI>reject HELO hostname with bad syntax.
<LI>reject HELO hostname without DNS A or MX record.
<LI>reject sender domain without A or MX record.
<LI>check_sender_access maptype:mapname
<UL>
<LI>maptype:mapname: look up sender address, parent domain, or localpart@.
Reject if result is REJECT or "[45]xx text".
Permit otherwise.
</UL>
<LI>check_client_access maptype:mapname: see smtpd_client_restrictions.
<LI>check_helo_access maptype:mapname: see smtpd_helo_restrictions.
<LI>reject HELO hostname that is not in FQDN form.
<LI>reject sender address that is not in FQDN form.
<LI>reject the request. Place this at the end of a restriction.
<LI>permit the request. Place this at the end of a restriction.
</UL>
<P>Restrictions are applied in the order specified; the first
restriction that matches wins.
This option sets the "smtpd_sender_restrictions" Postfix variable.
<P>
<DT><B>Smtpd client restriction</B><DD><P>The "Smtpd client restriction" option specifies optional restrictions
on SMTP client host names and addresses.
<P>The default is to allow connections from any host. The following
restrictions are available:
<UL>
<LI>reject the request if the client hostname is unknown.
<LI>permit if the client address matches "Networks".
<LI>check_client_access maptype:mapname
<UL>
<LI>maptype:mapname: look up client name, parent domains, client address,
or networks obtained by stripping octets.
Reject if result is REJECT or "[45]xx text".
Permit otherwise.
</UL>
<LI>reject if the client is listed under $maps_rbl_domains.
<LI>reject the request. Place this at the end of a restriction.
<LI>permit the request. Place this at the end of a restriction.
</UL>
<P>Restrictions are applied in the order specified; the first
restriction that matches wins.
This option sets the "smtpd_client_restrictions" Postfix variable.
<P>
<DT><B>Smtpd helo restriction</B><DD><P>The smtpd_helo_restrictions parameter specifies optional restrictions
on what SMTP clients can send in SMTP HELO and EHLO commands.
<P>The default is to permit everything. The following restrictions
are available:
<UL>
<LI>permit if the client address matches $mynetworks.
<LI>reject the request if the client hostname is unknown.
<LI>reject if the client is listed under "Maps rbl domains".
<LI>reject HELO hostname with bad syntax.
<LI>reject HELO hostname without DNS A or MX record.
<LI>reject HELO hostname that is not in FQDN form.
<LI>check_helo_access maptype:mapname
<UL>
<LI>look up HELO hostname or parent domains.
Reject if result is REJECT or "[45]xx text".
Permit otherwise.
</UL>
<LI>check_client_access maptype:mapname: see "Smtpd client restrictions".
<LI>reject the request. Place this at the end of a restriction.
<LI>permit the request. Place this at the end of a restriction.
</UL>
<P>Restrictions are applied in the order specified; the first
restriction that matches wins.
This option sets the "smtpd_helo_restrictions" Postfix variable.
<P>
<DT><B>Smtpd recipient restriction</B><DD><P>The "Smtpd recipient restriction" option specifies restrictions on
recipient addresses that SMTP clients can send in RCPT TO commands.
<P>By default, Postfix relays mail
<UL>
<LI>from trusted clients whose IP address matches "Networks",
<LI>from trusted clients matching "Relay domains" or subdomains thereof,
<LI>from untrusted clients to destinations that match "Relay domains"
or subdomains thereof, except addresses with sender-specified routing.
</UL>
The default relay_domains value is "Destination".
<P>In addition to the above, the Postfix SMTP server by default accepts mail
for which Postfix is the final destination:
<UL>
<LI>destinations that match "Network Interface",
<LI>destinations that match "Destination",
<LI>destinations that match "Virtual maps".
</UL>
These destinations do not need to be listed in "Relay domains".
<P>The following restrictions are available (* is part of the default setting):
<UL>
<LI>*permit if the client address matches $mynetworks.
<LI>reject the request if the client hostname is unknown.
<LI>reject if the client is listed under $maps_rbl_domains.
<LI>reject HELO hostname with bad syntax.
<LI>reject HELO hostname without DNS A or MX record.
<LI>reject sender domain without A or MX record.
<LI>*check_relay_domains: permit only mail
<UL>
<LI>to destinations matching "Network Interface", "Destination",
or "Virtual maps",
<LI>from trusted clients matching "Relay domains" or subdomain thereof,
<LI>from untrusted clients to destinations matching "Relay domains" or
subdomain thereof (except addresses with sender-specified routing).
</UL>
Reject anything else.
<LI>permit auth destination: permit mail
<UL>
<LI>to destinations matching "Network Interface", "Destination"
or "Virtual Maps",
<LI>to destinations matching "Relay Domains" or subdomain thereof,
except for addresses with sender-specified routing.
</UL>
<LI>reject mail unless it is sent
<UL>
<LI>to destinations matching "Network Interface", "Destination"
or $virtual_maps,
<LI>to destinations matching $relay_domains or subdomain thereof,
except for addresses with sender-specified routing.
</UL>
<LI>reject mail from improperly pipelining spamware.
<LI>accept mail for sites that list me as MX host.
<LI>reject domains without A or MX record.
<LI>check_recipient_access maptype:mapname
<UL>
<LI>maptype:mapname: look up recipient address, parent domain, or localpart@.
Reject if result is REJECT or "[45]xx text".
Permit otherwise.
</UL>
<LI>check_client_access maptype:mapname: see "Smtpd client restrictions".
<LI>check_helo_access maptype:mapname: see "Smtpd helo restrictions".
<LI>check_sender_access maptype:mapname: see "Smtpd sender restrictions".
<LI>reject HELO hostname that is not in FQDN form.
<LI>reject sender address that is not in FQDN form.
<LI>reject recipient address that is not in FQDN form.
<LI>reject the request. Place this at the end of a restriction.
<LI>permit the request. Place this at the end of a restriction.
</UL>
<P>Restrictions are applied in the order specified; the first
restriction that matches wins.
This option sets the "smtpd_recipient_restrictions" Postfix variable.
<P>NOTE: YOU MUST SPECIFY AT LEAST ONE OF THE FOLLOWING RESTRICTIONS
OTHERWISE POSTFIX REFUSES TO RECEIVE MAIL:
</DL>
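<P>The check_client_access lookup and the "first restriction that matches wins" rule described above, modelled in Python as an added example (not Postfix's own code and not part of the original page). The table contents, addresses, IPv4-only handling, the "unknown" hostname placeholder, the default verdict at the end of the list, and every function name except check_client_access are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed access table standing in for "maptype:mapname" (sample data).
ACCESS = {
    "spam.example": "REJECT",
    "192.0.2": "550 no mail from this network",
    "good.spam.example": "OK",
}
# Constructed value standing in for the "Networks" setting.
NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]


def lookup_keys(name, addr):
    """Keys in the order the page lists them: client name, parent domains,
    client address, then networks obtained by stripping octets (IPv4 only)."""
    keys = []
    if name and name != "unknown":  # assumption: unresolved clients are "unknown"
        labels = name.lower().split(".")
        keys += [".".join(labels[i:]) for i in range(len(labels))]
    octets = addr.split(".")
    keys += [".".join(octets[:n]) for n in range(4, 0, -1)]
    return keys


def check_client_access(name, addr):
    """First key found decides: REJECT or "[45]xx text" rejects, any other
    result permits. No entry means this restriction does not match."""
    for key in lookup_keys(name, addr):
        result = ACCESS.get(key)
        if result is not None:
            bad = result == "REJECT" or re.match(r"[45]\d\d(\s|$)", result)
            return "reject" if bad else "permit"
    return None


def permit_networks(name, addr):
    """Hypothetical stand-in for 'permit if the client address matches Networks'."""
    ip = ipaddress.ip_address(addr)
    return "permit" if any(ip in net for net in NETWORKS) else None


def evaluate(restrictions, name, addr, default="permit"):
    """Apply restrictions in order; the first one that matches wins."""
    for restriction in restrictions:
        verdict = restriction(name, addr)
        if verdict:
            return verdict
    return default  # assumption: nothing matched, so the default applies
```

With this sample data a client at 192.0.2.9 is rejected when the access map is listed first and permitted when the "Networks" check is listed first, so the order of the restrictions decides which trust statement applies.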
<HR>
Next
<A HREF="postfix_spamctrl-3.html">Previous</A>
<A HREF="postfix_spamctrl.html#toc4">Contents</A>
</BODY>
</HTML>