Should SPF added to smtpd_sender_restrictions or smtpd_recipient_restrictions?

kittygirl asked:

I am using postfix+dovecot in centos 7.
I use

postconf -e 'smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination,reject_invalid_hostname,reject_non_fqdn_hostname,reject_non_fqdn_sender,reject_non_fqdn_recipient'
postconf -e 'smtpd_sender_restrictions =reject_non_fqdn_sender,reject_unknown_sender_domain,reject_rbl_client,check_policy_service unix:private/policy'
postconf -e 'policy_time_limit = 3600s'
postconf -e 'policy-spf_time_limit = 3600'  

to set postfix
Notice check_policy_service unix:private/policyin smtpd_sender_restrictions,which means I prove I am using right mail domain to send mail.
I think my postconfis perfect right, but somebody said smtpd_sender_restrictions should be in smtpd_recipient_restrictions.
Should SPF added to smtpd_sender_restrictions or smtpd_recipient_restrictions?

My answer:

The options will function properly in either smtpd_sender_restrictions or smtpd_recipient_restrictions.

The reason that you should add them to smtpd_recipient_restrictions has to do with the SMTP protocol itself. At each stage of the protocol, the sender first identifies itself with EHLO or HELO, then uses MAIL FROM to send the sender’s email address, then RCPT TO to send the recipient’s address. At each stage, Postfix can take action, e.g. with smtpd_helo_restrictions, smtpd_sender_restrictions and smtpd_recipient_restrictions. But if you reject an incoming mail after the MAIL FROM, you do not know who the intended recipient is. If the mail was legitimate and the recipient complains, you cannot find them in the logs. By waiting until after the recipient address is sent, you can log all the available metadata about the message, in case you need to look it up later.

View the full question and any other answers on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.