
Re: reject_unauth_destination

  • Noel Jones
    Aug 31, 2013
      On 8/31/2013 2:55 AM, LuKreme wrote:
      > Is there any downside to using reject_unauth_destination? I had it commented out but I did not have a note on why it was disabled. Reading the description, it seems like it should always be turned on (or at least that it couldn't possibly hurt)?
      >
      > <http://www.postfix.org/postconf.5.html#reject_unauth_destination>

      reject_unauth_destination is what keeps you from being an open
      relay, and is required in either smtpd_recipient_restrictions or
      (postfix 2.10 and newer) smtpd_relay_restrictions.

      I expect you commented it out in smtpd_recipient_restrictions when
      you upgraded to postfix 2.10, but it's a very cheap test and there's
      no reason to remove it.

      >
      > Is it even going to trigger with Postscreen in place?

      postscreen doesn't do any destination tests, and by design cannot
      prevent relaying.

      I would recommend leaving it in smtpd_recipient_restrictions, and
      you MUST leave it in smtpd_relay_restrictions.



      >
      > (for now I've stuck warn_if_ in front of it)
      >
      > my smtpd_*_restrictions (mail_version = 2.10.0)
      >
      > smtpd_data_restrictions = reject_unauth_pipelining, reject_multi_recipient_bounce, permit
      >
      > smtpd_helo_restrictions = permit_mynetworks, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, permit
      >
      > smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unknown_sender_domain, reject_invalid_hostname, warn_if_reject_unauth_destination, reject_unlisted_recipient, reject_unlisted_sender, reject_unknown_reverse_client_hostname, check_client_access hash:$config_directory/access, permit
      >
      > smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination

      The above is acceptable.

      >
      >
      > Can I just go with
      >
      > smtpd_recipient_restrictions = reject_unauth_destination,permit
      > smtpd_relay_restrictions =

      This will work -- you can even drop the "permit", which is implied
      -- but most folks find it useful to prepend permit_mynetworks even
      if mynetworks only contains localhost IPs.


      >
      > and in master.cf
      > submission inet n - n - - smtpd
      > -o smtpd_tls_security_level=encrypt -o smtpd_sasl_auth_enable=yes
      > -o smtpd_sasl_type=dovecot -o smtpd_sasl_path=private/auth
      > -o smtpd_sasl_security_options=noanonymous

      OK.

      > -o smtpd_sasl_local_domain=$myhostname

      I don't think this parameter is used by dovecot. (unused parameters
      rarely cause problems other than operator confusion)

      > -o smtpd_client_restrictions=permit_sasl_authenticated,reject

      You'll need to override the other smtpd_*_restrictions set in main.cf.
      -o smtpd_helo_restrictions=
      -o smtpd_sender_restrictions=
      -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
      -o smtpd_relay_restrictions=permit_sasl_authenticated,reject

      > -o syslog_name=submit-tls

      Good.


      >
      > ?
      >
      > and is client_restrictions the best choice for submission? I've seen some confs have both
      >
      > -o smtpd_client_restrictions=permit_sasl_authenticated,reject
      > -o smtpd_data_restrictions=permit_sasl_authenticated,reject
      >
      > Why?
      >

      Remember, for mail to be accepted, it must pass *each* of the
      smtpd_*_restrictions sections. Also remember that every master.cf
      service inherits {built-in defaults + all main.cf settings} before
      applying any -o overrides.

      How you arrange your submission settings is up to you. I like to
      explicitly set all the smtpd_*_restrictions in submission, even if
      most of them are empty, to prevent surprises later when I change
      something in main.cf.

      I think the minimum requirements for submission can be stated as 1)
      allow all AUTH users, 2) reject everyone else. With widely used
      postfix main.cf smtpd_*_restrictions settings that prepend
      everything with "permit_mynetworks, permit_sasl_authenticated", (and
      thereby allow AUTH on port 25) it's sufficient to use "-o
      smtpd_ANYTHING_restrictions=permit_sasl_authenticated,reject" and
      still meet the minimum requirements.

      When you change your main.cf so that AUTH is not allowed on port 25,
      then additional settings are required in master.cf/submission to
      ensure you don't reject AUTH users.



      -- Noel Jones
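
The inheritance rule described in the message above (built-in defaults, then main.cf, then each service's -o overrides), as an added example that is not part of the original post: a small Python check that layers the three sources and reports whether a relay guard is still reached. It is a simplified model that ignores table lookups; the sample configuration is constructed, and the function names are hypothetical.

```python
import re

# Guards postconf(5) requires in relay or recipient restrictions (Postfix 2.10+).
RELAY_GUARDS = {"reject", "reject_unauth_destination", "defer",
                "defer_if_permit", "defer_unauth_destination"}
# Documented 2.10 built-in default; smtpd_recipient_restrictions defaults to empty.
BUILTIN = {"smtpd_relay_restrictions":
           "permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination"}
# Constructed sample: relay restrictions emptied, recipient guard downgraded to a warning.
SAMPLE_MAIN_CF = """\
smtpd_relay_restrictions =
smtpd_recipient_restrictions = permit_mynetworks,
    warn_if_reject reject_unauth_destination, permit
"""
SAMPLE_SUBMISSION = ("-o smtpd_recipient_restrictions=permit_sasl_authenticated,reject "
                     "-o smtpd_relay_restrictions=permit_sasl_authenticated,reject")

def parse_main_cf(text):
    """Return {parameter: value}; indented lines continue the previous parameter."""
    params, key = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and key:
            params[key] += " " + line.strip()
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            params[key] = value
    return params

def effective(main_cf_text, master_args=""):
    """Built-in defaults, then main.cf, then the service's -o overrides."""
    params = {**BUILTIN, **parse_main_cf(main_cf_text)}
    for name, value in re.findall(r"-o\s+([^=\s]+)=(\S*)", master_args):
        params[name] = value
    return params

def guarded(value):
    """True if a relay guard is reached before any unconditional permit."""
    tokens = [t for t in re.split(r"[,\s]+", value) if t]
    for i, tok in enumerate(tokens):
        if tok == "permit":
            return False
        if tok in RELAY_GUARDS and (i == 0 or tokens[i - 1] != "warn_if_reject"):
            return True
    return False

def relay_protected(params):
    """Mail must pass every section, so a guard in either section is enough."""
    return any(guarded(params.get(p, "")) for p in
               ("smtpd_relay_restrictions", "smtpd_recipient_restrictions"))
```

Running `relay_protected(effective(SAMPLE_MAIN_CF))` models the port 25 service, and passing `SAMPLE_SUBMISSION` as the second argument models a submission entry that overrides both sections.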