
Re: safe setup of smtpd_relay_restrictions and smtpd_recipient_restrictions

  • Noel Jones
    Message 1 of 5 , Mar 19, 2013
      On 3/19/2013 7:11 PM, Steve Jenkins wrote:
      > On Tue, Mar 19, 2013 at 4:30 PM, Matthew Hall <mhcomputing@...> wrote:
      >
      > It seems like I keep seeing you on every crypto and security list!
      > Thanks for being there and assisting people so often.
      >
      >
      > Based on the feedback from Viktor, I've made some similar changes
      > in my 2.10 config. It's close to Matthew's, but different enough
      > that I'd appreciate a quick sanity check:
      >
      > # SMTPD Restrictions
      > smtpd_helo_required = yes
      > disable_vrfy_command = yes
      > smtpd_recipient_restrictions =
      >     reject_invalid_hostname,
      >     warn_if_reject reject_non_fqdn_hostname,
      >     warn_if_reject reject_non_fqdn_sender,
      >     reject_non_fqdn_recipient,
      >     reject_unknown_sender_domain,
      >     warn_if_reject reject_unknown_reverse_client_hostname,
      >     warn_if_reject reject_non_fqdn_helo_hostname,
      >     warn_if_reject reject_invalid_helo_hostname,
      >     warn_if_reject reject_unknown_helo_hostname,
      >     reject_unauth_pipelining,
      >     check_reverse_client_hostname_access pcre:/etc/postfix/fqrdns.pcre,
      >     check_helo_access hash:/etc/postfix/helo_access,
      >     check_sender_access hash:/etc/postfix/check_backscatterer,
      >     check_sender_access hash:/etc/postfix/access,
      >     reject_rbl_client b.barracudacentral.org,
      >     reject_rbl_client zen.spamhaus.org,
      >     reject_rbl_client bl.spamcop.net,
      >     reject_rbl_client psbl.surriel.com,
      >     reject_rhsbl_client dbl.spamhaus.org,
      >     reject_rhsbl_sender dbl.spamhaus.org,
      >     reject_rhsbl_helo dbl.spamhaus.org,
      >     permit

      I don't notice any permit_mynetworks or permit_sasl_authenticated
      above. If users submit mail here, you probably want those permit_*
      rules near the top of the list.

      >
      > smtpd_relay_restrictions =
      >     permit_mynetworks,
      >     permit_sasl_authenticated,
      >     reject_unauth_destination

      Perfect. The new smtpd_relay_restrictions is intended for relay
      control only, not to be polluted with anti-UCE controls.




      -- Noel Jones
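
The two review points in the reply above, written as a check over main.cf text. This is an added example, not part of the original thread or of Postfix: the function names and the abbreviated sample config are constructed for illustration, and the recipient check assumes users submit mail through this server.

```python
import re

# Constructed sample: the thread's main.cf layout, abbreviated.
SAMPLE_MAIN_CF = """\
# SMTPD Restrictions
smtpd_recipient_restrictions =
    reject_non_fqdn_recipient,
    warn_if_reject reject_unknown_helo_hostname,
    check_helo_access hash:/etc/postfix/helo_access,
    reject_rbl_client zen.spamhaus.org,
    permit
smtpd_relay_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination
"""
PERMITS = ("permit_mynetworks", "permit_sasl_authenticated")
RELAY_ONLY = PERMITS + ("reject_unauth_destination", "defer_unauth_destination")

def parse_main_cf(text):
    """Return {parameter: value}; lines starting with whitespace continue the previous one."""
    params, name = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and name:
            params[name] += " " + line.strip()
        elif "=" in line:
            name, _, value = (s.strip() for s in line.partition("="))
            params[name] = value
    return params

def restriction_names(value):
    """Keep restriction keywords; drop warn_if_reject and table/domain arguments."""
    return [t for t in re.split(r"[,\s]+", value)
            if re.fullmatch(r"(permit|reject|defer|check)(_\w+)?", t)]

def lint(params):
    """Hypothetical checks mirroring the two review comments in the reply."""
    findings = []
    relay = restriction_names(params.get("smtpd_relay_restrictions", ""))
    rcpt = restriction_names(params.get("smtpd_recipient_restrictions", ""))
    extra = [r for r in relay if r not in RELAY_ONLY]
    if extra:
        findings.append("relay: non-relay checks present: " + ", ".join(extra))
    # Rules that appear before the first non-permit_* restriction.
    head = rcpt[:next((i for i, r in enumerate(rcpt) if not r.startswith("permit_")), len(rcpt))]
    missing = [p for p in PERMITS if p not in head]
    if rcpt and missing:
        findings.append("recipient: not permitted before anti-UCE checks: " + ", ".join(missing))
    return findings
```

Calling `lint(parse_main_cf(SAMPLE_MAIN_CF))` reports the missing permit_* rules in the recipient list and nothing for the relay list.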