Postfix Per-Client/User/etc. Access Control
Postfix restriction classes
The Postfix SMTP server supports access restrictions such as
reject_rbl_client or
reject_unknown_client_hostname on the right-hand side
of SMTP server
access(5) tables. This allows you to implement
different junk mail restrictions for different clients or users.
Having to specify lists of access restrictions for every
recipient becomes tedious quickly. Postfix restriction classes
allow you to give easy-to-remember names to groups of UCE restrictions
(such as "permissive", "restrictive", and so on).
The real reason for the existence of Postfix restriction classes
is more mundane: you can't specify a lookup table on the right-hand
side of a Postfix access table. This is because Postfix needs to
open lookup tables ahead of time, but the reader probably does not
care about these low-level details.
Example:
/etc/postfix/
main.cf:
smtpd_restriction_classes = restrictive, permissive
# With Postfix < 2.3 specify
reject_unknown_client.
restrictive =
reject_unknown_sender_domain
reject_unknown_client_hostname ...
permissive = permit
smtpd_recipient_restrictions =
permit_mynetworks
reject_unauth_destination
check_recipient_access hash:/etc/postfix/recipient_access
/etc/postfix/recipient_access:
[email protected] permissive
[email protected] restrictive
With this in place, you can use "restrictive" or "permissive"
on the right-hand side of your per-client, helo, sender, or recipient
SMTPD access tables.
The remainder of this document gives examples of how Postfix
access restriction classes can be used to:
These questions come up frequently, and the examples hopefully
make clear that Postfix restriction classes aren't really the right
solution. They should be used for what they were designed to do,
different junk mail restrictions for different clients or users.
