
Accept mail for postmaster, abuse while denying else

  • Andrew Long
    Message 1 of 7, Nov 1, 2007
      I now have this server pretty much denying everything except relay for a (relay-ip) list of sites. My problem is that the server is apparently rejecting mail for <postmaster@...> and likely for <abuse@> also. How can I accept mail for these local users while denying all else?

      # 2007-11-01 - postconf -n
      alias_maps = hash:/etc/aliases
      command_directory = /usr/sbin
      config_directory = /etc/postfix
      daemon_directory = /usr/libexec/postfix
      debug_peer_level = 2
      html_directory = no
      local_recipient_maps =
      mailq_path = /usr/bin/mailq.postfix
      manpage_directory = /usr/share/man
      mydestination = localhost.localdomain, host.domain.com
      mynetworks = 127.0.0.0/8, /etc/postfix/relay-ip
      newaliases_path = /usr/bin/newaliases.postfix
      readme_directory = /usr/share/doc/postfix-2.2.10/README_FILES
      relay_domains =
      sample_directory = /usr/share/doc/postfix-2.2.10/samples
      sendmail_path = /usr/sbin/sendmail.postfix
      setgid_group = postdrop
      smtpd_banner = $myhostname ESMTP $mail_name
      smtpd_client_restrictions =
      permit_mynetworks,
      reject_invalid_hostname,
      reject_unknown_sender_domain,
      reject_non_fqdn_recipient,
      reject_rbl_client bl.spamcop.net,
      permit
      smtpd_helo_required = yes
      smtpd_recipient_restrictions =
      reject_non_fqdn_sender,
      reject_non_fqdn_recipient,
      reject_unknown_recipient_domain,
      permit_mynetworks,
      reject
      smtpd_reject_unlisted_sender = yes
      unknown_local_recipient_reject_code = 550

      Regards,

      Andrew
    • mouss
      Message 2 of 7, Nov 1, 2007
        Andrew Long wrote:
        > I now have this server pretty much denying everything except relay for a (relay-ip) list of sites. My problem is that the server is apparently rejecting mail for <postmaster@...> and likely for <abuse@> also. How can I accept mail for these local users while denying all else?
        >
        > # 2007-11-01 - postconf -n
        > alias_maps = hash:/etc/aliases
        > command_directory = /usr/sbin
        > config_directory = /etc/postfix
        > daemon_directory = /usr/libexec/postfix
        > debug_peer_level = 2
        > html_directory = no
        > local_recipient_maps =
        > mailq_path = /usr/bin/mailq.postfix
        > manpage_directory = /usr/share/man
        > mydestination = localhost.localdomain, host.domain.com
        > mynetworks = 127.0.0.0/8, /etc/postfix/relay-ip
        > newaliases_path = /usr/bin/newaliases.postfix
        > readme_directory = /usr/share/doc/postfix-2.2.10/README_FILES
        > relay_domains =
        > sample_directory = /usr/share/doc/postfix-2.2.10/samples
        > sendmail_path = /usr/sbin/sendmail.postfix
        > setgid_group = postdrop
        > smtpd_banner = $myhostname ESMTP $mail_name
        > smtpd_client_restrictions =
        > permit_mynetworks,
        > reject_invalid_hostname,
        > reject_unknown_sender_domain,
        > reject_non_fqdn_recipient,
        > reject_rbl_client bl.spamcop.net,
        > permit
        > smtpd_helo_required = yes
        > smtpd_recipient_restrictions =
        > reject_non_fqdn_sender,
        > reject_non_fqdn_recipient,
        > reject_unknown_recipient_domain,
        > permit_mynetworks,

        here add:

        reject_unauth_destination
        check_recipient_access hash:/etc/postfix/roleaccount

        # cat roleaccount
        postmaster@... OK
        abuse@... OK
        # postmap roleaccount

        The reject_unauth_destination is a safety measure; keep it to avoid
        accidentally becoming an open relay.

        > reject
        >

        So this server does not accept mail from the public. It should thus not
        be listed as an MX in DNS.
      • Benny Pedersen
        Message 3 of 7, Nov 1, 2007
          On Thu, November 1, 2007 12:27, Andrew Long wrote:
          > I now have this server pretty much denying everything except relay for a
          > (relay-ip) list of sites. My problem is that the server is apparently
          > rejecting mail for <postmaster@...> and likely for <abuse@> also.
          > How can I accept mail for these local users while denying all else?
          >
          > # 2007-11-01 - postconf -n
          > alias_maps = hash:/etc/aliases

          Make sure abuse and postmaster are in aliases

          I hope :)

          postmap -q abuse hash:/etc/aliases

          --
        • Benny Pedersen
          Message 4 of 7, Nov 1, 2007
            On Thu, November 1, 2007 13:01, mouss wrote:
            > reject_unauth_destination
            > check_recipient_access hash:/etc/postfix/roleaccount
            >
            > # cat roleaccount
            > postmaster@... OK
            > abuse@... OK
            > # postmap roleaccount

            sed -i -e s:OK:PERMIT_AUTH_DESTINATION:g /etc/postfix/roleaccount

            I personally just add them to aliases, will work for multiple hosted domains
            then as well, just in case one forgets to add them as virtual_alias

            sendmail -bv postmaster@localhost

            --
          • Andrew Long
            Message 5 of 7, Nov 1, 2007
              > -----Original Message-----
              > From: owner-postfix-users@...
              > [mailto:owner-postfix-users@...] On Behalf Of mouss
              > Sent: Thursday, November 01, 2007 8:02 AM
              > Cc: postfix-users@...
              > Subject: Re: Accept mail for postmaseter, abuse while denying else
              >
              > Andrew Long wrote:
              > > I now have this server pretty much denying everything
              > except relay for a (relay-ip) list of sites. My problem is that the
              > server is apparently rejecting mail for <postmaster@...>
              > and likely for <abuse@> also.
              > How can I accept mail for these local users while denying all else?
              > >
              > > # 2007-11-01 - postconf -n
              > > alias_maps = hash:/etc/aliases
              > > command_directory = /usr/sbin
              > > config_directory = /etc/postfix
              > > daemon_directory = /usr/libexec/postfix debug_peer_level = 2
              > > html_directory = no local_recipient_maps = mailq_path =
              > > /usr/bin/mailq.postfix manpage_directory = /usr/share/man
              > > mydestination = localhost.localdomain, host.domain.com mynetworks =
              > > 127.0.0.0/8, /etc/postfix/relay-ip newaliases_path =
              > > /usr/bin/newaliases.postfix readme_directory =
              > > /usr/share/doc/postfix-2.2.10/README_FILES
              > > relay_domains =
              > > sample_directory = /usr/share/doc/postfix-2.2.10/samples
              > > sendmail_path = /usr/sbin/sendmail.postfix setgid_group = postdrop
              > > smtpd_banner = $myhostname ESMTP $mail_name
              > smtpd_client_restrictions
              > > =
              > > permit_mynetworks,
              > > reject_invalid_hostname,
              > > reject_unknown_sender_domain,
              > > reject_non_fqdn_recipient,
              > > reject_rbl_client bl.spamcop.net,
              > > permit
              > > smtpd_helo_required = yes
              > > smtpd_recipient_restrictions =
              > > reject_non_fqdn_sender,
              > > reject_non_fqdn_recipient,
              > > reject_unknown_recipient_domain,
              > > permit_mynetworks,
              >
              > here add:
              >
              > reject_unauth_destination
              > check_recipient_access hash:/etc/postfix/roleaccount
              >
              > # cat roleaccount
              > postmaster@... OK
              > abuse@... OK
              > # postmap roleaccount
              >
              > the reject_unauth_destination is a safety measure, keep it to avoid
              > accidentally becoming an open relay.
              >
              > > reject
              > >
              >
              > so this server does not accept mail from the public. it should thus
              > not be listed as an MX in DNS.
              >

              I did not think of that...
              We had problems before we added a PTR with mail being denied for certain destinations. Will removing the MX but leaving the PTR work?

              Andrew
            • mouss
              Message 6 of 7, Nov 1, 2007
                Benny Pedersen wrote:
                > On Thu, November 1, 2007 13:01, mouss wrote:
                >> reject_unauth_destination
                >> check_recipient_access hash:/etc/postfix/roleaccount
                >>
                >> # cat roleaccount
                >> postmaster@... OK
                >> abuse@... OK
                >> # postmap roleaccount
                >
                > sed -i -e s:OK:PERMIT_AUTH_DESTINATION:g /etc/postfix/roleaccount

                That may be a taste question. I prefer reject_unauth_destination before,
                and not having to use "special" actions.

                >
                > I personally just add them to aliases,


                Look again at the end of his smtpd_recipient_restrictions. There is a
                reject. This may not be clear in my quoting.

                > will work for multiple hosted domains
                > then as well, just in case one forgets to add them as virtual_alias
                >
                > sendmail -bv postmaster@localhost
                >
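
The restriction ordering discussed in the replies above, as an added example that is not part of the original thread: a simplified Python model of first-match evaluation in smtpd_recipient_restrictions, comparing the original list, the list with the recommended insertion, and a misordered variant. The relay network 192.0.2.0/24, the outside client 203.0.113.9, the role-account domain and the localpart-only table are constructed assumptions, and only the checks relevant to the thread are modeled.

```python
import ipaddress

# Constructed sample values: the relay network and the role-account domain
# stand in for entries the thread elides.
MYNETWORKS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "192.0.2.0/24")]
MYDESTINATION = {"localhost.localdomain", "host.domain.com"}
ROLEACCOUNT = {"postmaster@host.domain.com": "OK", "abuse@host.domain.com": "OK"}
BROAD_TABLE = {"postmaster@": "OK", "abuse@": "OK"}  # localpart-only keys

def check_recipient_access(table):
    def check(client, rcpt):
        local = rcpt.split("@", 1)[0]
        # access(5) lookup order, simplified: full address first, then "user@".
        return table.get(rcpt) or table.get(local + "@") or "DUNNO"
    return check

def permit_mynetworks(client, rcpt):
    ip = ipaddress.ip_address(client)
    return "OK" if any(ip in net for net in MYNETWORKS) else "DUNNO"

def reject_unauth_destination(client, rcpt):
    # Rejects recipients in domains this server is not the destination for.
    return "DUNNO" if rcpt.rsplit("@", 1)[1] in MYDESTINATION else "REJECT"

def reject(client, rcpt):
    return "REJECT"

def evaluate(restrictions, client, rcpt):
    """First OK or REJECT wins; DUNNO falls through to the next restriction."""
    for restriction in restrictions:
        verdict = restriction(client, rcpt)
        if verdict != "DUNNO":
            return verdict
    return "OK"  # an exhausted list permits, hence the trailing reject

ORIGINAL = [permit_mynetworks, reject]
RECOMMENDED = [permit_mynetworks, reject_unauth_destination,
               check_recipient_access(ROLEACCOUNT), reject]
# An OK from the access table is reached before the relay check.
MISORDERED = [permit_mynetworks, check_recipient_access(BROAD_TABLE),
              reject_unauth_destination, reject]

def verdicts(restrictions, client="203.0.113.9"):
    """Verdicts for an outside client (constructed address) per recipient."""
    rcpts = ("postmaster@host.domain.com", "user@host.domain.com",
             "postmaster@elsewhere.example")
    return {r: evaluate(restrictions, client, r) for r in rcpts}
```

In the misordered list the outside client gets OK for postmaster@elsewhere.example, which is the accidental relay that placing reject_unauth_destination first prevents.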
              • mouss
                Message 7 of 7, Nov 1, 2007
                  Andrew Long wrote:
                  >> -----Original Message-----
                  >> From: owner-postfix-users@...
                  >> [mailto:owner-postfix-users@...] On Behalf Of mouss
                  >> Sent: Thursday, November 01, 2007 8:02 AM
                  >> Cc: postfix-users@...
                  >> Subject: Re: Accept mail for postmaseter, abuse while denying else
                  >>
                  >> Andrew Long wrote:
                  >>> I now have this server pretty much denying everything
                  >> except relay for a (relay-ip) list of sites. My problem is that the
                  >> server is apparently rejecting mail for <postmaster@...>
                  >> and likely for <abuse@> also.
                  >> How can I accept mail for these local users while denying all else?
                  >>> # 2007-11-01 - postconf -n
                  >>> alias_maps = hash:/etc/aliases
                  >>> command_directory = /usr/sbin
                  >>> config_directory = /etc/postfix
                  >>> daemon_directory = /usr/libexec/postfix debug_peer_level = 2
                  >>> html_directory = no local_recipient_maps = mailq_path =
                  >>> /usr/bin/mailq.postfix manpage_directory = /usr/share/man
                  >>> mydestination = localhost.localdomain, host.domain.com mynetworks =
                  >>> 127.0.0.0/8, /etc/postfix/relay-ip newaliases_path =
                  >>> /usr/bin/newaliases.postfix readme_directory =
                  >>> /usr/share/doc/postfix-2.2.10/README_FILES
                  >>> relay_domains =
                  >>> sample_directory = /usr/share/doc/postfix-2.2.10/samples
                  >>> sendmail_path = /usr/sbin/sendmail.postfix setgid_group = postdrop
                  >>> smtpd_banner = $myhostname ESMTP $mail_name
                  >> smtpd_client_restrictions
                  >>> =
                  >>> permit_mynetworks,
                  >>> reject_invalid_hostname,
                  >>> reject_unknown_sender_domain,
                  >>> reject_non_fqdn_recipient,
                  >>> reject_rbl_client bl.spamcop.net,
                  >>> permit
                  >>> smtpd_helo_required = yes
                  >>> smtpd_recipient_restrictions =
                  >>> reject_non_fqdn_sender,
                  >>> reject_non_fqdn_recipient,
                  >>> reject_unknown_recipient_domain,
                  >>> permit_mynetworks,
                  >> here add:
                  >>
                  >> reject_unauth_destination
                  >> check_recipient_access hash:/etc/postfix/roleaccount
                  >>
                  >> # cat roleaccount
                  >> postmaster@... OK
                  >> abuse@... OK
                  >> # postmap roleaccount
                  >>
                  >> the reject_unauth_destination is a safety measure, keep it to avoid
                  >> accidentally becoming an open relay.
                  >>
                  >>> reject
                  >>>
                  >> so this server does not accept mail from the public. it should thus
                  >> not be listed as an MX in DNS.
                  >>
                  >
                  > I did not think of that...
                  > We had problems before we added a PTR with mail being denied for certain destinations. Will removing the MX but leaving the PTR work?
                  >

                  If you send me mail claiming to be from foo@..., but I find
                  out that I cannot send mail to foo@..., then I will block
                  you, whether you set up an MX or not.

                  If on the other hand you never send mail from *@..., then
                  you don't need to receive mail to such addresses, and as a result you
                  don't need an MX.