I am using postfix+dovecot on CentOS 7.
I use
postconf -e 'smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination,reject_invalid_hostname,reject_non_fqdn_hostname,reject_non_fqdn_sender,reject_non_fqdn_recipient'
postconf -e 'smtpd_sender_restrictions =reject_non_fqdn_sender,reject_unknown_sender_domain,reject_rbl_client sbl-xbl.spamhaus.org,check_policy_service unix:private/policy'
postconf -e 'policy_time_limit = 3600s'
postconf -e 'policy-spf_time_limit = 3600'
to set postfix main.cf.
Notice check_policy_service unix:private/policy in smtpd_sender_restrictions, which means I verify that I am using the right mail domain to send mail. I think my postconf is perfectly right, but somebody said smtpd_sender_restrictions should be in smtpd_recipient_restrictions.

Should SPF be added to smtpd_sender_restrictions or smtpd_recipient_restrictions?
The options will function properly in either smtpd_sender_restrictions or smtpd_recipient_restrictions. The reason that you should add them to smtpd_recipient_restrictions has to do with the SMTP protocol itself.

At each stage of the protocol, the sender first identifies itself with EHLO or HELO, then uses MAIL FROM to send the sender's email address, then RCPT TO to send the recipient's address. At each stage, Postfix can take action, e.g. with smtpd_helo_restrictions, smtpd_sender_restrictions and smtpd_recipient_restrictions. But if you reject an incoming mail after the MAIL FROM, you do not know who the intended recipient is. If the mail was legitimate and the recipient complains, you cannot find them in the logs. By waiting until after the recipient address is sent, you can log all the available metadata about the message, in case you need to look it up later.
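To make the logging argument from the answer concrete, here is a small toy model of the three restriction stages, added as an illustration for this thread; it is not Postfix code and not from the answer's author. The restriction names are real Postfix names, but the checks behind them are simplified stand-ins written for this example (for instance, "FQDN" is approximated as "the domain part contains a dot", and only @example.com is treated as a local destination), and the log line format is invented. The `delay_reject` switch models Postfix's real `smtpd_delay_reject = yes` default, under which the HELO and MAIL FROM lists are only evaluated once RCPT TO has arrived; with it turned off, a rejection triggered by the sender list is logged before any recipient is known, which is exactly the gap the answer describes.

```python
# Toy model of Postfix smtpd restriction stages (example code for this answer,
# not Postfix's own logic). Checks are deliberately simplified approximations
# of the real restrictions, and the log format is constructed for this demo.
from dataclasses import dataclass, field
from typing import Callable, Optional


@dataclass
class Session:
    helo: str = ""
    sender: str = ""
    recipient: str = ""
    log: list = field(default_factory=list)


def _domain_is_fqdn(addr: str) -> bool:
    # Approximation used here: "fully qualified" means the domain part has a dot.
    return "." in addr.rsplit("@", 1)[-1]


# Each check returns None (pass) or an SMTP reply string (reject).
CHECKS: dict[str, Callable[[Session], Optional[str]]] = {
    "reject_invalid_hostname": lambda s: None if s.helo and " " not in s.helo
        else "501 5.5.2 invalid HELO hostname",
    "reject_non_fqdn_hostname": lambda s: None if "." in s.helo
        else "504 5.5.2 HELO hostname is not an FQDN",
    "reject_non_fqdn_sender": lambda s: None if _domain_is_fqdn(s.sender)
        else "504 5.5.2 sender address is not an FQDN",
    "reject_non_fqdn_recipient": lambda s: None if _domain_is_fqdn(s.recipient)
        else "504 5.5.2 recipient address is not an FQDN",
    # Assumption for the demo: example.com is the only domain we accept mail for.
    "reject_unauth_destination": lambda s: None if s.recipient.endswith("@example.com")
        else "554 5.7.1 relay access denied",
}

# Protocol order, and the SMTP command each stage corresponds to.
STAGES = (("helo", "HELO"), ("sender", "MAIL FROM"), ("recipient", "RCPT TO"))


def run_session(restrictions: dict[str, list[str]], helo: str, sender: str,
                recipient: str, delay_reject: bool = True) -> tuple[bool, list[str]]:
    """Walk HELO -> MAIL FROM -> RCPT TO, applying each stage's restriction list.

    restrictions maps "smtpd_<stage>_restrictions" to a list of check names.
    With delay_reject=True (modelling Postfix's smtpd_delay_reject=yes default)
    the HELO and MAIL FROM lists are evaluated only when RCPT TO arrives, so a
    rejection is always logged together with the recipient address.
    """
    s = Session()
    values = {"helo": helo, "sender": sender, "recipient": recipient}
    pending: list[str] = []
    for stage, command in STAGES:
        setattr(s, stage, values[stage])
        pending.extend(restrictions.get(f"smtpd_{stage}_restrictions", []))
        if delay_reject and stage != "recipient":
            continue  # defer the decision until the recipient is known
        for name in pending:
            reply = CHECKS[name](s)
            if reply:
                s.log.append(
                    f"NOQUEUE: reject: {command} from {s.helo}: {reply}; "
                    f"from=<{s.sender}> to=<{s.recipient or '?'}>"
                )
                return False, s.log
        pending.clear()
    s.log.append(f"accepted: from=<{s.sender}> to=<{s.recipient}>")
    return True, s.log


if __name__ == "__main__":
    # Constructed configuration mirroring the shape of the question's lists.
    config = {
        "smtpd_sender_restrictions": ["reject_non_fqdn_sender"],
        "smtpd_recipient_restrictions": ["reject_unauth_destination",
                                         "reject_non_fqdn_recipient"],
    }
    for delay in (False, True):
        _, log = run_session(config, "mx.example.org", "bob@localhost",
                             "alice@example.com", delay_reject=delay)
        print(f"delay_reject={delay}: {log[-1]}")
```

Run with `delay_reject=False` the rejected session is logged with `to=<?>`, because MAIL FROM was refused before RCPT TO was ever sent; with the default `True` the same rejection carries `to=<alice@example.com>`, which is the metadata the answer says you want when someone later asks where their mail went.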