postfix-users October 2010 archive
Main Archive Page > Month Archives  > postfix-users archives
postfix-users: Re: sanity check request

Re: sanity check request

From: Victor Duchovni <Victor.Duchovni_at_nospam>
Date: Thu Oct 28 2010 - 19:06:26 GMT

On Thu, Oct 28, 2010 at 08:42:27PM +0200, Ansgar Wiechers wrote:

> On 2010-10-28 Jeroen Geilman wrote:
> > On 10/28/2010 06:04 PM, Robert Fantini wrote:
> >> smtpd_recipient_restrictions =
> >> permit_mynetworks,
> >> permit_sasl_authenticated,
> >
> > You need to swap those two to be able to send authenticated mail from
> > outside your network.
> Huh? Please elaborate.

Nothing to elaborate, "permit_mumble" restrictions commute, the only
possible difference is performance. If one is inclined to fine-tune
lookup performance, of two equal cost criteria, the one that permits
more legitimate traffic should be listed first. If a particular
restriction is more costly to evaluate (lookup latency, CPU time, ...)
it should generally be listed after cheaper ones when the order is
otherwise immaterial.

In this case, the "permit_sasl_authenticated" just checks internal
memory state, while permit_mynetworks may consult file or DB tables,
so in some cases putting the SASL check first is slightly more performant.
It is very unlikely that the order actually matters, the mynetworks lookup
would have to be particularly slow and the SASL user traffic very high.

-- Viktor.