It's a question out of curiosity rather than necessity. What should happen if, say, I place a sender access map inside smtpd_client_restrictions, also place a client access map in smtpd_sender_restrictions, and set delay_reject to no? My understanding is that:

  1. When Postfix tries to match the hash maps on client connect, it should fail as there is sender address present at the time of matching (so I guess it'll pass to the next restriction with DUNNO).
  2. But this will be applied before any sender_restriction once the sender address is present.
  3. The sender restriction will be ignored until the MAIL FROM command is sent, and after that the client whitelist (access map) will get evaluated.
  4. In the meantime, all the commands will still go to smtpd milters, so they can block emails even before smtpd sender_restriction.

Please see if and where I am wrong.

1 Answer


Yup, those that are nonsensical with smtpd_delay_reject=no are ignored, as per postconf(5):

When helo, sender or recipient restrictions are listed under smtpd_client_restrictions, they have effect only with "smtpd_delay_reject = yes", so that $smtpd_client_restrictions is evaluated at the time of the RCPT TO command.

Which is okay if you duplicate those lookups elsewhere, and a really sweet footgun otherwise.

  • I used to put almost everything in smtpd_recipient_restrictions to be evaluated after RCPT TO, but smtpd_delay_reject already does it for me and is turned on by default! Didn't think I would learn something new on Postfix. Thanks! 1 hour ago
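An added example, not part of the original question or answer: a small audit that reads `postconf -n` style output and reports restrictions that have no effect because smtpd_delay_reject = no and they are listed under a restriction list that runs before the data they need exists. It extends the quoted rule for smtpd_client_restrictions to the helo and sender lists, which postconf(5) documents the same way; the function names, the sample configuration and the map paths are constructed for illustration.

```python
import re

# Stage at which each restriction list is evaluated when smtpd_delay_reject = no.
LIST_STAGE = {
    "smtpd_client_restrictions": 0,     # on connect
    "smtpd_helo_restrictions": 1,       # HELO/EHLO
    "smtpd_sender_restrictions": 2,     # MAIL FROM
    "smtpd_recipient_restrictions": 3,  # RCPT TO
}
# Earliest stage at which the data a restriction inspects is available
# (a subset of the restriction names documented in postconf(5)).
NEEDS_STAGE = {
    "check_helo_access": 1, "reject_invalid_helo_hostname": 1,
    "reject_non_fqdn_helo_hostname": 1, "reject_unknown_helo_hostname": 1,
    "check_sender_access": 2, "reject_non_fqdn_sender": 2,
    "reject_unknown_sender_domain": 2,
    "check_recipient_access": 3, "reject_non_fqdn_recipient": 3,
    "reject_unknown_recipient_domain": 3, "reject_unauth_destination": 3,
}

def parse_postconf(text):
    """Parse 'name = value' lines as printed by `postconf -n` into a dict."""
    params = {}
    for line in text.splitlines():
        if "=" in line and not line.lstrip().startswith("#"):
            name, value = line.split("=", 1)
            params[name.strip()] = value.strip()
    return params

def ignored_restrictions(text):
    """Return (list, restriction) pairs that are ignored with delay_reject=no."""
    params = parse_postconf(text)
    # smtpd_delay_reject defaults to yes; then every list runs at RCPT TO.
    if params.get("smtpd_delay_reject", "yes").lower() != "no":
        return []
    findings = []
    for list_name, stage in LIST_STAGE.items():
        for token in re.split(r"[,\s]+", params.get(list_name, "")):
            # Map arguments such as hash:/path and unknown names score 0.
            if NEEDS_STAGE.get(token, 0) > stage:
                findings.append((list_name, token))
    return findings

# Constructed sample mirroring the setup in the question (paths are made up).
SAMPLE = """\
smtpd_delay_reject = no
smtpd_client_restrictions = check_sender_access hash:/etc/postfix/sender_access, permit
smtpd_sender_restrictions = check_client_access hash:/etc/postfix/client_access
"""
```

On the sample, `ignored_restrictions(SAMPLE)` reports only the sender lookup under smtpd_client_restrictions; the client lookup under smtpd_sender_restrictions is not flagged because the client address is already known at MAIL FROM.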
