Postfix: smtpd_*_restrictions ending in reject

TCB13 asked:

I’ve a Postfix server running for my own email and everything works fine. While I was upgrading the machine, I decided to review the security settings / read and implement some best practices online. Most online tutorials tell me to set smtpd_client_restrictions under main.cf similarly to this:

smtpd_client_restrictions = 
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_invalid_hostname,
    reject_unknown_client_hostname,
    reject_rbl_client zen.spamhaus.org,
    reject_rbl_client bl.spamcop.net,
    reject_rbl_client cbl.abuseat.org

And at the same time I also see people setting the submission service under master.cf as:

submission inet  n       -       y       -       -       smtpd
 (...)
 -o smtpd_client_restrictions=reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_mynetworks,permit_sasl_authenticated,reject

My question: Why does the smtpd_client_restrictions under submission end with reject, while under main.cf nobody recommends ending the list with reject? Aren’t they just the same thing according to the docs:

-o name=value (short form)
Override the named main.cf configuration parameter. The
parameter value can refer to other parameters as $name
etc., just like in main.cf. See postconf(5) for syntax.
http://www.postfix.org/master.5.html

Also,

Restrictions are applied in the order as specified; the first
restriction that matches wins. http://www.postfix.org/postconf.5.html#smtpd_client_restrictions

If the “the first restriction that matches wins” rule really applies, won’t ending it with reject cause it to be impossible to send email at all?

Thank you.

My answer:


It’s redundant. If you reach the end and haven’t matched anything, the default is reject anyway. But having it there makes that explicit for people who don’t know what the default is.


View the full question and answer on Server Fault.
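
A simplified model of the "first restriction that matches wins" rule quoted in the question, applied to the submission list from the master.cf line above. This is an added example, not code from the original post or from Postfix; the networks, the set of resolvable domains and the session fields are constructed assumptions, and each check is reduced to its basic idea.

```python
import ipaddress

# The submission override quoted in the question, split on commas.
SUBMISSION = ("reject_non_fqdn_recipient,reject_unknown_recipient_domain,"
              "permit_mynetworks,permit_sasl_authenticated,reject").split(",")

# Constructed sample values (assumptions, not from the page).
MYNETWORKS = [ipaddress.ip_network("127.0.0.0/8"),
              ipaddress.ip_network("192.0.2.0/24")]
RESOLVABLE = {"example.org", "example.net"}  # stands in for a DNS lookup


def rcpt_domain(session):
    """Domain part of the recipient address, lower-cased."""
    return session["rcpt"].rpartition("@")[2].lower()


# Each check returns True when it matches the session (simplified semantics).
CHECKS = {
    "reject_non_fqdn_recipient": lambda s: "." not in rcpt_domain(s),
    "reject_unknown_recipient_domain": lambda s: rcpt_domain(s) not in RESOLVABLE,
    "permit_mynetworks": lambda s: any(
        ipaddress.ip_address(s["client_ip"]) in net for net in MYNETWORKS),
    "permit_sasl_authenticated": lambda s: bool(s.get("sasl_user")),
    "reject": lambda s: True,  # unconditional: matches every session
}


def evaluate(restrictions, session):
    """Walk the list in order; return (action, restriction) for the first match."""
    for name in restrictions:
        if CHECKS[name](session):
            return name.split("_", 1)[0], name
    return None, None  # nothing matched; what happens next is outside this model


if __name__ == "__main__":
    # Constructed sessions: an authenticated user, then an anonymous client.
    for s in (
        {"client_ip": "198.51.100.7", "sasl_user": "alice", "rcpt": "bob@example.org"},
        {"client_ip": "198.51.100.7", "sasl_user": None, "rcpt": "bob@example.org"},
    ):
        print(s["sasl_user"], "->", evaluate(SUBMISSION, s))
```

The trailing reject is only reached by sessions that none of the earlier entries matched, so an authenticated client stops at permit_sasl_authenticated and never sees it.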

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.