Loading ...
Sorry, an error occurred while loading the content.

safe setup of smtpd_relay_restrictions and smtpd_recipient_restrictions

Expand Messages
  • Matthew Hall
    Hello, I am trying to update my configuration in light of the new smtpd_relay_restrictions in Postfix 2.10. I did read some threads and documentation, but I am
    Message 1 of 5 , Mar 19, 2013
    View Source
    • 0 Attachment
      Hello,

      I am trying to update my configuration in light of the new smtpd_relay_restrictions in Postfix 2.10. I did read some threads and documentation, but I am a bit confused about which reject_* should be in each rulechain.

      I am hoping someone could quickly check my work, and let me know if I'm committing any grave or mortal Postfix and SMTP sins, if I deploy the configuration below.

      Thanks,
      Matthew.

      smtpd_relay_restrictions =
          permit_sasl_authenticated,
          permit_mynetworks,
          reject_unauth_destination

      smtpd_recipient_restrictions =
          reject_invalid_hostname,
          reject_non_fqdn_hostname,
          reject_non_fqdn_sender,
          reject_non_fqdn_recipient,
          reject_unknown_sender_domain,
          reject_unknown_recipient_domain,
          reject_unauth_destination,
          check_recipient_access pcre:/etc/postfix/recipient_checks.pcre,
          check_helo_access hash:/etc/postfix/helo_checks,
          check_sender_access hash:/etc/postfix/sender_checks,
          check_client_access hash:/etc/postfix/client_checks,
          check_client_access pcre:/etc/postfix/client_checks.pcre,
          reject_rbl_client zen.spamhaus.org,
      #    reject_rbl_client cbl.abuseat.org,
      #    reject_rbl_client list.dsbl.org,
      #    reject_rbl_client sbl.spamhaus.org,
      #    reject_rbl_client pbl.spamhaus.org
          permit

    • Viktor Dukhovni
      ... Perfect. ... Fine, but you often don t want reject_unknown_recipient_domain in any restrictions. It is not needed for inbound MX hosts, and interacts
      Message 2 of 5 , Mar 19, 2013
      View Source
      • 0 Attachment
        On Tue, Mar 19, 2013 at 03:25:01PM -0700, Matthew Hall wrote:

        > smtpd_relay_restrictions =
        > permit_sasl_authenticated,
        > permit_mynetworks,
        > reject_unauth_destination

        Perfect.

        > smtpd_recipient_restrictions =
        > reject_invalid_hostname,
        > reject_non_fqdn_hostname,
        > reject_non_fqdn_sender,
        > reject_non_fqdn_recipient,
        > reject_unknown_sender_domain,
        > reject_unknown_recipient_domain,

        Fine, but you often don't want reject_unknown_recipient_domain in
        any restrictions. It is not needed for inbound MX hosts, and
        interacts poorly with MUA clients on outbound MSAs. It is only
        useful on outbound relays that receive mail from from other MTAs.

        > reject_unauth_destination,

        Already covered in the relay rules, no need to repeat it here.

        > check_recipient_access pcre:/etc/postfix/recipient_checks.pcre,
        > check_helo_access hash:/etc/postfix/helo_checks,
        > check_sender_access hash:/etc/postfix/sender_checks,
        > check_client_access hash:/etc/postfix/client_checks,
        > check_client_access pcre:/etc/postfix/client_checks.pcre,
        > reject_rbl_client zen.spamhaus.org,
        > permit

        Fine.

        --
        Viktor.
      • Matthew Hall
        Hi Viktor, On Tue, Mar 19, 2013 at 3:37 PM, Viktor Dukhovni ... Corrected. ... Corrected. ... It seems like I keep seeing you on every crypto and security
        Message 3 of 5 , Mar 19, 2013
        View Source
        • 0 Attachment
          Hi Viktor,

          On Tue, Mar 19, 2013 at 3:37 PM, Viktor Dukhovni
          <postfix-users@...> wrote:
          > Fine, but you often don't want reject_unknown_recipient_domain in
          > any restrictions. It is not needed for inbound MX hosts, and
          > interacts poorly with MUA clients on outbound MSAs. It is only
          > useful on outbound relays that receive mail from from other MTAs.

          Corrected.

          > Already covered in the relay rules, no need to repeat it here.

          Corrected.

          > Viktor.

          It seems like I keep seeing you on every crypto and security list!
          Thanks for being there and assisting people so often.

          Regards,
          Matthew.
        • Steve Jenkins
          ... Based on the feedback from Viktor, I ve made some similar changes in my 2.10 config. It s close to Matthew s, but different enough that I d appreciate a
          Message 4 of 5 , Mar 19, 2013
          View Source
          • 0 Attachment
            On Tue, Mar 19, 2013 at 4:30 PM, Matthew Hall <mhcomputing@...> wrote:
            It seems like I keep seeing you on every crypto and security list!
            Thanks for being there and assisting people so often.

             Based on the feedback from Viktor, I've made some similar changes in my 2.10 config. It's close to Matthew's, but different enough that I'd appreciate a quick sanity check:

            # SMTPD Restrictions
            smtpd_helo_required = yes
            disable_vrfy_command = yes
            smtpd_recipient_restrictions =
                    reject_invalid_hostname,
                    warn_if_reject reject_non_fqdn_hostname,
                    warn_if_reject reject_non_fqdn_sender,
                    reject_non_fqdn_recipient,
                    reject_unknown_sender_domain,
                    warn_if_reject reject_unknown_reverse_client_hostname,
                    warn_if_reject reject_non_fqdn_helo_hostname,
                    warn_if_reject reject_invalid_helo_hostname,
                    warn_if_reject reject_unknown_helo_hostname,
                    reject_unauth_pipelining,
                    check_reverse_client_hostname_access pcre:/etc/postfix/fqrdns.pcre,
                    check_helo_access hash:/etc/postfix/helo_access,
                    check_sender_access hash:/etc/postfix/check_backscatterer,
                    check_sender_access hash:/etc/postfix/access,
                    reject_rbl_client b.barracudacentral.org,
                    reject_rbl_client zen.spamhaus.org,
                    reject_rbl_client bl.spamcop.net,
                    reject_rbl_client psbl.surriel.com,
                    reject_rhsbl_client dbl.spamhaus.org,
                    reject_rhsbl_sender dbl.spamhaus.org,
                    reject_rhsbl_helo dbl.spamhaus.org,
                    permit

            smtpd_relay_restrictions =
                    permit_mynetworks,
                    permit_sasl_authenticated,
                    reject_unauth_destination

            Thx,

            SteveJ
          • Noel Jones
            ... I don t notice any permit_mynetworks or permit_sasl_authenticated above. If users submit mail here, you probably want those permit_* rules near the top of
            Message 5 of 5 , Mar 19, 2013
            View Source
            • 0 Attachment
              On 3/19/2013 7:11 PM, Steve Jenkins wrote:
              > On Tue, Mar 19, 2013 at 4:30 PM, Matthew Hall <mhcomputing@...
              > <mailto:mhcomputing@...>> wrote:
              >
              > It seems like I keep seeing you on every crypto and security list!
              > Thanks for being there and assisting people so often.
              >
              >
              > Based on the feedback from Viktor, I've made some similar changes
              > in my 2.10 config. It's close to Matthew's, but different enough
              > that I'd appreciate a quick sanity check:
              >
              > # SMTPD Restrictions
              > smtpd_helo_required = yes
              > disable_vrfy_command = yes
              > smtpd_recipient_restrictions =
              > reject_invalid_hostname,
              > warn_if_reject reject_non_fqdn_hostname,
              > warn_if_reject reject_non_fqdn_sender,
              > reject_non_fqdn_recipient,
              > reject_unknown_sender_domain,
              > warn_if_reject reject_unknown_reverse_client_hostname,
              > warn_if_reject reject_non_fqdn_helo_hostname,
              > warn_if_reject reject_invalid_helo_hostname,
              > warn_if_reject reject_unknown_helo_hostname,
              > reject_unauth_pipelining,
              > check_reverse_client_hostname_access
              > pcre:/etc/postfix/fqrdns.pcre,
              > check_helo_access hash:/etc/postfix/helo_access,
              > check_sender_access hash:/etc/postfix/check_backscatterer,
              > check_sender_access hash:/etc/postfix/access,
              > reject_rbl_client b.barracudacentral.org
              > <http://b.barracudacentral.org>,
              > reject_rbl_client zen.spamhaus.org <http://zen.spamhaus.org>,
              > reject_rbl_client bl.spamcop.net <http://bl.spamcop.net>,
              > reject_rbl_client psbl.surriel.com <http://psbl.surriel.com>,
              > reject_rhsbl_client dbl.spamhaus.org <http://dbl.spamhaus.org>,
              > reject_rhsbl_sender dbl.spamhaus.org <http://dbl.spamhaus.org>,
              > reject_rhsbl_helo dbl.spamhaus.org <http://dbl.spamhaus.org>,
              > permit

              I don't notice any permit_mynetworks or permit_sasl_authenticated
              above. If users submit mail here, you probably want those permit_*
              rules near the top of the list.

              >
              > smtpd_relay_restrictions =
              > permit_mynetworks,
              > permit_sasl_authenticated,
              > reject_unauth_destination

              Perfect. The new smtpd_relay_restrictions is intended for relay
              control only, not to be polluted with anti-UCE controls.




              -- Noel Jones
            Your message has been successfully submitted and would be delivered to recipients shortly.