
Re: smtpd_restrictions sanity check

  • Ralf Hildebrandt
    Message 1 of 6 , Nov 1, 2009
      * Alex <mysqlstudent@...>:

      > reject_maps_rbl,

      That's deprecated, for years.

      --
      Ralf Hildebrandt
      Geschäftsbereich IT | Abteilung Netzwerk
      Charité - Universitätsmedizin Berlin
      Campus Benjamin Franklin
      Hindenburgdamm 30 | D-12203 Berlin
      Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
      ralf.hildebrandt@... | http://www.charite.de
    • mouss
      Message 2 of 6 , Nov 1, 2009
        Alex wrote:
        > Hi all,
        >
        > Hopefully I don't have the most frequently asked question, but I'm
        > spinning my wheels and perhaps followed some bad advice. I hoped
        > someone could look over my recipient restrictions to see if I'm making
        > some kind of mistake:
        >
        > smtpd_recipient_restrictions =
        > reject_invalid_hostname,
        > reject_non_fqdn_hostname,
        > reject_non_fqdn_sender,
        > reject_non_fqdn_recipient,
        > reject_unknown_sender_domain,
        > reject_unknown_recipient_domain,
        > reject_unauth_pipelining,
        > check_client_access hash:/etc/postfix/client_checks,
        > check_recipient_access pcre:/etc/postfix/relay_recips_checks,
        > check_helo_access hash:/etc/postfix/helo_checks,
        > check_sender_access hash:/etc/postfix/sender_checks,
        > check_sender_access hash:/etc/postfix/disallow_my_domain,
        > permit_mynetworks,
        > check_recipient_access pcre:/etc/postfix/recipient_checks,
        > reject_unauth_destination,
        > reject_maps_rbl,
        > permit
        >


        smtpd_recipient_restrictions =
               reject_non_fqdn_sender
               reject_non_fqdn_recipient
               permit_mynetworks
               #permit_sasl_authenticated
               reject_unauth_destination
               #
               reject_invalid_hostname
               reject_non_fqdn_hostname
               reject_unknown_sender_domain
               #
               check_client_access hash:/etc/postfix/client_checks
               check_recipient_access pcre:/etc/postfix/relay_recips_checks
               check_helo_access hash:/etc/postfix/helo_checks
               check_sender_access hash:/etc/postfix/sender_checks
               check_sender_access hash:/etc/postfix/disallow_my_domain
               check_recipient_access pcre:/etc/postfix/recipient_checks
               #
               reject_rbl_client zen.spamhaus.org



        > I originally had permit_mynetworks further up, but it seems
        > client_checks was then being ignored, despite the client not being on
        > my network.
        >
        > I'm now trying to provide a mail server that is not part of my
        > networks to my network.
        >
        > I also have a handful of cron scripts that run on this remote network
        > that send mail to my network, but with internal hostnames that aren't
        > resolvable once they reach my network. Do I just add them to my
        > postfix hosts file or is there a way to avoid checking the hostname
        > (sender access?) so they aren't rejected with "Sender address
        > rejected: Domain not found"?
        >
        > Thanks,
        > Alex
      • Alex
        Message 3 of 6 , Nov 1, 2009
          Hi,

          > smtpd_recipient_restrictions =
          >        reject_non_fqdn_sender
          >        reject_non_fqdn_recipient
          >        permit_mynetworks
          >        #permit_sasl_authenticated
          >        reject_unauth_destination
          >        #
          >        reject_invalid_hostname
          >        reject_non_fqdn_hostname
          >        reject_unknown_sender_domain
          >        #
          >        check_client_access hash:/etc/postfix/client_checks
          >        check_recipient_access pcre:/etc/postfix/relay_recips_checks
          >        check_helo_access hash:/etc/postfix/helo_checks
          >        check_sender_access hash:/etc/postfix/sender_checks
          >        check_sender_access hash:/etc/postfix/disallow_my_domain
          >        check_recipient_access pcre:/etc/postfix/recipient_checks
          >        #
          >        reject_rbl_client zen.spamhaus.org

          How about pop-before-smtp? Would I add the check_client_access
          immediately after permit_mynetworks above?

          Will this configuration above prevent DSL or cable users without
          reverse, only forward DNS from being accepted? I keep receiving the
          following:

          Nov 1 15:34:42 smtp01 postfix/smtpd[28620]: warning: 67.142.235.122:
          hostname host6714200122235.direcway.com verification failed: Host not
          found

          The IP is in the popb4smtp db, but they still receive a relaying denied message:

          Nov 1 14:32:44 smtp01 postfix/smtpd[23790]: reject: RCPT from
          unknown[67.142.235.122]: 554 <John@...>: Relay access denied;
          from=<joe3135@...> to=<John@...>

          Thanks so much.
          Best regards,
          Alex
        • mouss
          Message 4 of 6 , Nov 1, 2009
            Alex wrote:
            > Hi,
            >
            >> smtpd_recipient_restrictions =
            >> reject_non_fqdn_sender
            >> reject_non_fqdn_recipient
            >> permit_mynetworks
            >> #permit_sasl_authenticated
            >> reject_unauth_destination
            >> #
            >> reject_invalid_hostname
            >> reject_non_fqdn_hostname
            >> reject_unknown_sender_domain
            >> #
            >> check_client_access hash:/etc/postfix/client_checks
            >> check_recipient_access pcre:/etc/postfix/relay_recips_checks
            >> check_helo_access hash:/etc/postfix/helo_checks
            >> check_sender_access hash:/etc/postfix/sender_checks
            >> check_sender_access hash:/etc/postfix/disallow_my_domain
            >> check_recipient_access pcre:/etc/postfix/recipient_checks
            >> #
            >> reject_rbl_client zen.spamhaus.org
            >
            > How about pop-before-smtp? Would I add the check_client_access
            > immediately after permit_mynetworks above?
            >

            yes. but it is worth investing your time to implement SASL instead.

            if you use pop before smtp, use a dedicated file and use it before
            reject_unauth_destination (so that they can relay).

            > Will this configuration above prevent DSL or cable users without
            > reverse, only forward DNS from being accepted? I keep receiving the
            > following:
            >
            > Nov 1 15:34:42 smtp01 postfix/smtpd[28620]: warning: 67.142.235.122:
            > hostname host6714200122235.direcway.com verification failed: Host not
            > found
            >

            this is only informational.

            > The IP is in the popb4smtp db, but they still receive a relaying denied message:
            >
            > Nov 1 14:32:44 smtp01 postfix/smtpd[23790]: reject: RCPT from
            > unknown[67.142.235.122]: 554 <John@...>: Relay access denied;
            > from=<joe3135@...> to=<John@...>
            >

            make sure the pop4smtp check comes before reject_unauth_destination. if
            this is the case and you still see "Relay access denied", check that
            the IP of the client is in the map at the time of the check. and of
            course, the map should return OK for the IP.
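
A simplified model of the first-match evaluation behind the ordering advice in this thread, added here as an illustration; it is not part of the original messages and not Postfix code. The networks, domains, recipient address and the `POP_MAP` table are constructed assumptions; only the client IP comes from the logs quoted above.

```python
import ipaddress

# Constructed sample data (assumptions, not taken from the thread).
MYNETWORKS = [ipaddress.ip_network("192.168.0.0/24")]
LOCAL_DOMAINS = {"example.com"}
POP_MAP = {"67.142.235.122": "OK"}  # stand-in for the pop-before-smtp map

def permit_mynetworks(session, _arg):
    ip = ipaddress.ip_address(session["client"])
    return "OK" if any(ip in net for net in MYNETWORKS) else "DUNNO"

def check_client_access(session, table):
    # A map miss is DUNNO: evaluation continues with the next restriction.
    return table.get(session["client"], "DUNNO")

def reject_unauth_destination(session, _arg):
    domain = session["rcpt"].rsplit("@", 1)[1].lower()
    return "DUNNO" if domain in LOCAL_DOMAINS else "REJECT Relay access denied"

def evaluate(restrictions, session):
    """Return (deciding restriction, result); the first non-DUNNO result wins."""
    for check, arg in restrictions:
        result = check(session, arg)
        if result != "DUNNO":
            return check.__name__, result
    return "(end of list)", "OK"  # nothing decided: this list permits

# Map consulted after reject_unauth_destination: it is never reached for relaying.
BROKEN = [(permit_mynetworks, None),
          (reject_unauth_destination, None),
          (check_client_access, POP_MAP)]

# Map consulted before reject_unauth_destination, as advised in the thread.
FIXED = [(permit_mynetworks, None),
         (check_client_access, POP_MAP),
         (reject_unauth_destination, None)]

SESSION = {"client": "67.142.235.122", "rcpt": "user@example.net"}
NOT_IN_MAP = dict(SESSION, client="203.0.113.9")  # IP absent from the map

if __name__ == "__main__":
    for name, rules in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, evaluate(rules, SESSION))
    print("fixed, IP not in map", evaluate(FIXED, NOT_IN_MAP))
```

The third case shows the second point in the reply: with the correct ordering, a client whose IP is missing from the map when the check runs still gets "Relay access denied".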