ketan.aagja wrote:If you have set reject_sender_login_mismatch plugin activated then it will not allow such emails.
https://docs.iredmail.org/manage.iredapd.html
And another note: one has to be very carefull when modifying the smtpd_helo_restrictions. The lines are evaluated in order top to down. So in Your case, you first reject "reject_non_fqdn_helo_hostname" and then "permit_sasl_authenticated". I would perhaps do it the other way around, to allow what ever hostname as long as they can log in using SASL, and then reject. But that's really up to Your environment to figure out what fits the best.
Regards,
Yes I know the order and how it works, but if you want to stop majority of mismatching hosts that is the first point which will stop them. However in my case it is working flawlessly.
OK, fine with me.
For those of You finding this discusion later on:
Adding
reject_non_fqdn_helo_hostname
before
permit_sasl_authenticated
permit_mynetworks
effectivly drops any connections from misconfigured IMAP email clients (in the SMTP sending phase). If they dont send the FQDN in te EHLO phase, they are rejected.
If you are only using Roundcube/SOGo Web GUI, then you are fine.
The Postfix foras (elsewhere) shows various examples how to configure this, and the implications it might have.
Also check http://www.postfix.org/SMTPD_ACCESS_README.html
The evaluation order of the postfix access restriction lists are:
client, helo, sender, relay, recipient, data, or end-of-data
As soon as a restriction states REJECT or DEFER, the rest of the restriction lists are skipped. Thats why having a "PERMIT" statement in the top works like a white listening, for the more restrictive REJECT statements later on.
So in short: smtp_sender_restrictions are evaluated AFTER smtp_helo-retrictions (correct me if I'm wrong)
brgrds, I