
Re: Smtp policy

  • Eduardo Kienetz
    Message 1 of 22 , Feb 28, 2007
      On 2/28/07, mouss <mlist.only@...> wrote:
      > if you allow relay based on the sender address, then you become an open
      > relay, because sender addresses may be forged.

      It is not the case. Have already tested using telnet.

      --
      Eduardo Bacchi Kienetz
      http://www.noticiaslinux.com.br/eduardo/
    • mouss
      Message 2 of 22 , Feb 28, 2007
        Eduardo Kienetz wrote:
        > On 2/21/07, Victor Duchovni <Victor.Duchovni@...> wrote:
        >> On Wed, Feb 21, 2007 at 05:58:01PM -0300, Eduardo Kienetz wrote:
        >>
        >> > On 2/21/07, Noel Jones <njones@...> wrote:
        >> > >At 01:50 PM 2/21/2007, Eduardo Kienetz wrote:
        >> > >
        >> > >>Here is my mynetworks:
        >> > >>mynetworks = 192.168.0.0/24, 127.0.0.0/8, 128.2.0.0/24,
        >> > >>200.xx.x12.x88/32, 2xx.3.1x6.xx
        >> > >>...
        >> > >>Received: from wr-out-0506.google.com (localhost [127.0.0.1])
        >> > >> by wall.ourdomain.com.br (Postfix) with ESMTP id 2CE6B41
        >> > >> for <someuser@...>; Wed, 21 Feb 2007 16:37:23
        >> -0300
        >> > >(BRT)
        >> > >
        >> > >Does postfix log all incoming connections as coming from localhost?
        >> >
        >> > Indeed.
        >> >
        >> > >Oh, I see:
        >> > >>Received: from 64.233.184.228 ([64.233.184.228]
        >> > >helo=wr-out-0506.google.com)
        >> > >> by ASSP; 21 Feb 2007 16:37:23 -0300
        >> > >
        >> > >Your ASSP is screwing up the connection information.
        >> >
        >> > That's it.
        >> >
        >> > >Remove 127.0.0.0/8 from mynetworks.
        >> >
        >> > Did it, but couldn't keep because webmail (squirrelmail) clients get
        >> > relay access denied D:
        >> > So I'd probably have to use a restriction class so that the 'From:' is
        >> > checked?
        >>
        >> That makes you an open proxy. You must not lose the origin address, or
        >> must arrange for clients that are allowed to relay to reach a different
        >> (protected) IP:port.
        >>
        >> --
        >> Viktor.
        >
        > Could you explain better what you mean by 'open proxy' (giving example
        > maybe) ?
        > Thanks for your time.
        >
        > BTW, I have this and many servers running for years without problems.
        > I'm really interested.
        >

        if you allow relay based on the sender address, then you become an open
        relay, because sender addresses may be forged.
      • Victor Duchovni
        Message 3 of 22 , Feb 28, 2007
          On Wed, Feb 28, 2007 at 08:03:19PM -0300, Eduardo Kienetz wrote:

          > On 2/28/07, mouss <mlist.only@...> wrote:
          > >if you allow relay based on the sender address, then you become an open
          > >relay, because sender addresses may be forged.
          >
          > It is not the case. Have already tested using telnet.

          Tests can't prove universal statements, they can only prove existential
          statements.

          Testable:

          - This test will succeed

          Not testable:

          - All future tests will succeed

          Perhaps you should post your final configuration and explain the choices
          you made and why you believe they are sound.

          --
          Viktor.

          Disclaimer: off-list followups get on-list replies or get ignored.
          Please do not ignore the "Reply-To" header.

          To unsubscribe from the postfix-users list, visit
          http://www.postfix.org/lists.html or click the link below:
          <mailto:majordomo@...?body=unsubscribe%20postfix-users>

          If my response solves your problem, the best way to thank me is to not
          send an "it worked, thanks" follow-up. If you must respond, please put
          "It worked, thanks" in the "Subject" so I can delete these quickly.
        • Eduardo Kienetz
          Message 4 of 22 , Feb 28, 2007
            On 2/28/07, Victor Duchovni <Victor.Duchovni@...> wrote:
            > On Wed, Feb 28, 2007 at 08:03:19PM -0300, Eduardo Kienetz wrote:
            > > On 2/28/07, mouss <mlist.only@...> wrote:
            > > >if you allow relay based on the sender address, then you become an open
            > > >relay, because sender addresses may be forged.
            > >
            > > It is not the case. Have already tested using telnet.
            >
            > Tests can't prove universal statements, they can only prove existential
            > statements.
            >
            > Testable:
            > - This test will succeed
            >
            > Not testable:
            > - All future tests will succeed
            >
            > Perhaps you should post your final configuration and explain the choices
            > you made and why you believe they are sound.
            >
            > Viktor.

            alias_maps = $virtual_alias_maps
            body_checks = regexp:/etc/postfix/body_checks
            broken_sasl_auth_clients = yes
            command_directory = /usr/sbin
            config_directory = /etc/postfix
            daemon_directory = /usr/libexec/postfix
            debug_peer_level = 2
            header_checks = regexp:/etc/postfix/header_checks
            home_mailbox = Maildir/
            html_directory = /etc/postfix/html
            inet_interfaces = all
            mail_owner = postfix
            mail_spool_directory = /var/spool/mail
            mailbox_command = /usr/lib/courier-imap/bin/deliverquota -w 90
                10000000S ~/Maildir
            mailq_path = /usr/bin/mailq
            manpage_directory = /usr/local/man
            message_size_limit = 8000000
            mydestination = $transport_maps
            mydomain = germani.com.br
            myhostname = germaniwall.germani.com.br
            mynetworks = 192.168.0.0/24, 127.0.0.0/8, 128.2.0.0/24,
                200.xx.xx.x/32, 201.x.x.x
            myorigin = $mydomain
            newaliases_path = /usr/bin/newaliases
            queue_directory = /var/spool/postfix
            readme_directory = /etc/postfix/readme
            sample_directory = /etc/postfix
            sendmail_path = /usr/sbin/sendmail
            setgid_group = postdrop
            smtpd_banner = $myhostname ESMTP
            smtpd_recipient_restrictions = permit_mynetworks,
                check_recipient_access mysql:/etc/postfix/mysql_check_recipients.cf,
                permit_sasl_authenticated, reject_unauth_destination,
                reject_unauth_pipelining, reject_invalid_hostname
            smtpd_sasl_auth_enable = yes
            smtpd_sasl_local_domain = $myhostname
            smtpd_sasl_security_options = noanonymous
            unknown_local_recipient_reject_code = 550
            virtual_alias_maps = mysql:/etc/postfix/mysql_virtual_alias_maps.cf
            virtual_gid_maps = static:102
            virtual_mailbox_base = /mails
            virtual_mailbox_domains = mysql:/etc/postfix/mysql_virtual_domains_maps.cf
            virtual_mailbox_limit = 51200000
            virtual_mailbox_maps = mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
            virtual_minimum_uid = 1001
            virtual_transport = virtual
            virtual_uid_maps = static:1001

            Thanks for your consideration,

            --
            Eduardo Bacchi Kienetz
            http://www.noticiaslinux.com.br/eduardo/
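
An added example, not part of the thread and not Postfix code: a simplified first-match model of the smtpd_recipient_restrictions posted above, showing why a same-host proxy in front of Postfix plus 127.0.0.0/8 in mynetworks lets any client relay. The outside client address, the recipient, LOCAL_DOMAINS and the function names are constructed for illustration; check_recipient_access is assumed to return no decision because its table is not on the page.

```python
import ipaddress

# mynetworks as posted in the thread; the two masked entries are left out
# because their real values are not on the page.
MYNETWORKS = ["192.168.0.0/24", "127.0.0.0/8", "128.2.0.0/24"]
# Constructed stand-in for the domains this server is final destination for.
LOCAL_DOMAINS = {"example.com.br"}

def in_networks(client_ip, networks):
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(n) for n in networks)

def rcpt_decision(client_ip, sasl_user, rcpt, networks):
    """Simplified first-match walk of the posted restriction list.
    The envelope sender is never consulted, and check_recipient_access
    is skipped (assumed to return no decision)."""
    if in_networks(client_ip, networks):           # permit_mynetworks
        return "permit (permit_mynetworks)"
    if sasl_user:                                  # permit_sasl_authenticated
        return "permit (permit_sasl_authenticated)"
    if rcpt.rsplit("@", 1)[-1].lower() not in LOCAL_DOMAINS:
        return "reject (reject_unauth_destination)"
    # The remaining rules can only reject; the end of the list means permit.
    return "permit (end of list)"

def seen_by_postfix(real_ip, via_proxy):
    """A proxy on the same host that opens its own connection to Postfix
    replaces the origin address with 127.0.0.1."""
    return "127.0.0.1" if via_proxy else real_ip

def audit(networks):
    """Decision for an unauthenticated outside client relaying to a foreign
    domain, connecting directly and through the same-host proxy."""
    outsider = "203.0.113.7"               # constructed (TEST-NET-3)
    rcpt = "someone@elsewhere.example"     # constructed non-local recipient
    return {
        path: rcpt_decision(seen_by_postfix(outsider, proxied), None, rcpt, networks)
        for path, proxied in (("direct", False), ("via_proxy", True))
    }

if __name__ == "__main__":
    print("posted mynetworks:  ", audit(MYNETWORKS))
    hardened = [n for n in MYNETWORKS if n != "127.0.0.0/8"]
    print("without 127.0.0.0/8:", audit(hardened))
```

With 127.0.0.0/8 removed, a local webmail client is rejected for foreign recipients unless it authenticates, which matches the "relay access denied" reported earlier in the thread.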
          • Eduardo Kienetz
            Message 5 of 22 , Feb 28, 2007
              > mydomain = germani.com.br
              > myhostname = germaniwall.germani.com.br

              crap! :)

              --
              Eduardo Bacchi Kienetz
              http://www.noticiaslinux.com.br/eduardo/
            • Steven Wayne
              Message 6 of 22 , Mar 1, 2007
                On Wed, Feb 28, 2007 at 08:18:48PM -0300, Eduardo Kienetz wrote:
                >
                > >mydomain = germani.com.br
                > >myhostname = germaniwall.germani.com.br
                >
                > crap! :)
                >

                I don't get it.

                Steven.
                --
                Your fault -- core dumped
              • Eduardo Kienetz
                Message 7 of 22 , Mar 1, 2007
                  On 3/1/07, Steven Wayne <postfix-email@...> wrote:
                  > On Wed, Feb 28, 2007 at 08:18:48PM -0300, Eduardo Kienetz wrote:
                  > >
                  > > >mydomain = germani.com.br
                  > > >myhostname = germaniwall.germani.com.br
                  > >
                  > > crap! :)
                  > >
                  >
                  > I don't get it.
                  >
                  > Steven.

                  'Personal' server information should not be disclosed to public mailing lists ;)
                  Especially security related stuff.
                  I should have replaced that info but it slipped through.

                  --
                  Eduardo Bacchi Kienetz
                  http://www.noticiaslinux.com.br/eduardo/