I am using postfix+dovecot in centos 7.
postconf -e 'smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination,reject_invalid_hostname,reject_non_fqdn_hostname,reject_non_fqdn_sender,reject_non_fqdn_recipient' postconf -e 'smtpd_sender_restrictions =reject_non_fqdn_sender,reject_unknown_sender_domain,reject_rbl_client sbl-xbl.spamhaus.org,check_policy_service unix:private/policy' postconf -e 'policy_time_limit = 3600s' postconf -e 'policy-spf_time_limit = 3600'
to set postfix main.cf.
smtpd_sender_restrictions,which means I prove I am using right mail domain to send mail.
I think my
postconfis perfect right, but somebody said
smtpd_sender_restrictions should be in
Should SPF added to smtpd_sender_restrictions or smtpd_recipient_restrictions?
The options will function properly in either
The reason that you should add them to
smtpd_recipient_restrictions has to do with the SMTP protocol itself. At each stage of the protocol, the sender first identifies itself with EHLO or HELO, then uses MAIL FROM to send the sender’s email address, then RCPT TO to send the recipient’s address. At each stage, Postfix can take action, e.g. with
smtpd_recipient_restrictions. But if you reject an incoming mail after the MAIL FROM, you do not know who the intended recipient is. If the mail was legitimate and the recipient complains, you cannot find them in the logs. By waiting until after the recipient address is sent, you can log all the available metadata about the message, in case you need to look it up later.
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.