Postfix: smtpd_*_restrictions ending in reject

TCB13 asked:

I’ve a Postfix server running for my own email and everything works fine. While I was upgrading the machine and decided to review the security settings / read and implement some best practices online and most online tutorials tell me to set smtpd_client_restrictions under similarly to this:

smtpd_client_restrictions = 

And at the same time I also see people setting the submission service under as:

submission inet  n       -       y       -       -       smtpd
 -o smtpd_client_restrictions=reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_mynetworks,permit_sasl_authenticated,reject

My question: Why does the smtpd_client_restrictions under submission ends with reject and under nobody recommends ending the list with reject? Aren’t they just the same thing according to the docs:

-o name=value (short form)
Override the named configuration parameter. The
parameter value can refer to other parameters as $name
etc., just like in See postconf(5) for syntax.


Restrictions are applied in the order as specified; the first
restriction that matches wins.

If “the first restriction that matches wins” rule really applies won’t ending it with reject would cause it to be impossible to send email at all?

Thank you.

My answer:

It’s redundant. If you reach the end and haven’t matched anything, the default is reject anyway. But having it there makes that explicit for people who don’t know what the default is.

View the full question and any other answers on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.