Re: Whitelisting from reverse DNS checks

  • Noel Jones
    Message 1 of 7 , Jul 22, 2013
      On 7/22/2013 10:21 AM, L.W. van Braam van Vloten wrote:
      > Hello list,
      >
      > Thanks for the info, in a different thread I also saw a reference to
      > http://postfix.1071664.n5.nabble.com/smtpd-recipient-restrictions-Best-Practices-td10171.html
      > and it helped me to modify my config. In addition I upgraded to
      > Postfix 2.9.3 because I want to start using permit_dnswl_client as
      > well.
      >
      > It seems to work as expected, but I have the uncomfortable feeling
      > that I still missed something crucial...
      >
      >>
      >> Please show your "postconf -n" output for further help.
      >>
      >
      > Are there any bad mistakes in the following config, in particular
      > regarding smtpd_recipient_restrictions and related settings?

      some comments below...


      >
      > Thank you for your help,
      > Lucas
      >
      > # postconf -nf
      >
      > alias_database = $alias_maps
      > alias_maps = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
      > append_dot_mydomain = no
      > biff = no
      > config_directory = /etc/postfix
      > content_filter = amavis:[127.0.0.1]:10024
      > delay_warning_time = 4h
      > disable_vrfy_command = yes
      > inet_interfaces = all
      > local_recipient_maps =

      An empty local_recipient_maps will cause your postfix to accept mail
      for undeliverable local addresses, then attempt to bounce them. This
      will clog your queue with undeliverable bounces and get you blacklisted.


      > mailbox_command = procmail -a "$EXTENSION"
      > mailbox_size_limit = 0

      A size limit of 0 is unwise. Far better to set an absurdly large
      limit than no limit at all.

      > maximal_backoff_time = 4000s
      > maximal_queue_lifetime = 7d
      > milter_default_action = accept
      > milter_protocol = 2
      > minimal_backoff_time = 300s
      > mydestination = list.ecompass.nl
      > myhostname = mail.ecompass.nl
      > mynetworks_style = host
      > myorigin = /etc/mailname
      > non_smtpd_milters = inet:localhost:8891
      > readme_directory = no
      > recipient_bcc_maps = hash:/etc/postfix/recipient_bcc
      > recipient_delimiter = *
      > relay_domains =
      > smtp_helo_timeout = 60s
      > smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
      > smtpd_banner = $myhostname ESMTP $mail_name
      > smtpd_client_restrictions = check_client_access
      > cidr:/etc/postfix/client-access

      Typically you would begin this with permit_mynetworks,
      permit_sasl_authenticated so you don't reject authorized mail.

      > smtpd_data_restrictions = reject_unauth_pipelining
      > smtpd_delay_reject = yes
      > smtpd_hard_error_limit = 12
      > smtpd_helo_required = yes
      > smtpd_helo_restrictions = permit_mynetworks,

      Probably want permit_sasl_authenticated here.


      > reject_non_fqdn_helo_hostname,
      > reject_invalid_helo_hostname, permit

      The final "permit" is unnecessary, but won't break anything. This
      is true for all the smtpd_*_restrictions sections.

      > smtpd_milters = inet:localhost:8891
      > smtpd_recipient_limit = 16

      This limits each SMTP transaction to no more than 16 RCPT TO
      commands per session. The sender is then free to connect again with
      more recipients. Setting this parameter to a low value can actually
      increase the load on your server, and does little or nothing to
      thwart unwanted mail.


      > smtpd_recipient_restrictions = permit_mynetworks,
      > permit_sasl_authenticated,
      > reject_unauth_destination, reject_unauth_pipelining,
      > reject_non_fqdn_sender,

      Good.

      > reject_non_fqdn_recipient, reject_unknown_recipient_domain,

      Putting reject_unknown_recipient_domain after
      reject_unauth_destination can only reject your own domain.

      The intended use is before "permit_mynetworks,
      permit_sasl_authenticated" to prevent your own users from sending
      mail to mistyped destinations.


      > reject_unknown_sender_domain, check_policy_service
      > inet:127.0.0.1:10023,
      > check_recipient_access hash:/etc/postfix/recipient-access,
      > check_sender_access hash:/etc/postfix/sender-access,
      > check_client_access
      > cidr:/etc/postfix/client-whitelist,

      Typically the whitelist would be before any of the rules that might
      reject mail, such as the check_*_access and the reject_* rules.


      > permit_dnswl_client
      > list.dnswl.org=127.0.[0..255].[1..3], reject_rbl_client
      > zen.spamhaus.org,
      > reject_rbl_client dnsbl.sorbs.net, reject_rbl_client
      > bl.spamcop.net, permit
      > smtpd_sender_restrictions = permit_mynetworks,


      Missing permit_sasl_authenticated here.

      > warn_if_reject
      > reject_non_fqdn_sender, permit
      > smtpd_soft_error_limit = 3
      > smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
      > smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
      > smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
      > smtpd_use_tls = yes
      > unknown_local_recipient_reject_code = 550
      > virtual_alias_maps = mysql:/etc/postfix/mysql_alias.cf
      > virtual_gid_maps = static:5000
      > virtual_mailbox_base = /var/spool/mail/virtual
      > virtual_mailbox_domains = mysql:/etc/postfix/mysql_domains.cf
      > virtual_mailbox_maps = mysql:/etc/postfix/mysql_mailbox.cf
      > virtual_uid_maps = static:5000
      >
      >



      -- Noel Jones
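Every one of Noel's ordering comments rests on one rule: Postfix walks a restriction list top to bottom and the first entry that returns a decision (OK or REJECT) wins, so an entry placed after a decision that already covers the same session never runs. The following Python model is an added example, not code from the thread or from Postfix; it replays that rule over the order posted in message 1, the order posted in message 2 and a constructed "safer" order. AUTHORIZED_DOMAINS, CLIENT_WHITELIST and the four session objects are assumptions, and entries the model does not know (check_policy_service, reject_non_fqdn_*, ...) are treated as "no decision". It also shows a caveat the thread does not spell out: a permit_dnswl_client or check_client_access OK placed ahead of reject_unauth_destination lets that client relay to any domain, so "whitelist before the reject rules" must stop short of reject_unauth_destination (Postfix 2.10 later added smtpd_relay_restrictions to keep the relay decision separate from such permits).

```python
"""First-match evaluation of a Postfix smtpd_recipient_restrictions list.

Constructed teaching model, not Postfix code: it knows only the restrictions
the thread's ordering discussion turns on; anything else is "no decision".
"""
import ipaddress
from dataclasses import dataclass

# Domains this server is final destination for: mydestination from the
# thread plus an assumed virtual mailbox domain.
AUTHORIZED_DOMAINS = {"list.ecompass.nl", "ecompass.nl"}

# Assumed contents of cidr:/etc/postfix/client-whitelist (network -> action).
CLIENT_WHITELIST = {"192.0.2.0/24": "OK"}


@dataclass
class Session:
    client_ip: str
    recipient_domain: str
    in_mynetworks: bool = False
    sasl_authenticated: bool = False
    sender_domain_resolves: bool = True
    recipient_domain_resolves: bool = True
    dnsbl_listed: bool = False  # client is on a reject_rbl_client zone
    dnswl_listed: bool = False  # client is on list.dnswl.org


def lookup_cidr(table, ip):
    """cidr: table semantics: the first matching network wins."""
    addr = ipaddress.ip_address(ip)
    for net, action in table.items():
        if addr in ipaddress.ip_network(net):
            return action
    return None


def evaluate(restrictions, s):
    """Return (action, deciding restriction); the first decision wins."""
    final_dest = s.recipient_domain in AUTHORIZED_DOMAINS
    for entry in restrictions:
        name = entry.split()[0]
        if name == "permit_mynetworks" and s.in_mynetworks:
            return "OK", name
        if name == "permit_sasl_authenticated" and s.sasl_authenticated:
            return "OK", name
        if name == "reject_unauth_destination" and not final_dest:
            return "REJECT", name
        # Postfix applies this check only when it is not the final destination.
        if (name == "reject_unknown_recipient_domain" and not final_dest
                and not s.recipient_domain_resolves):
            return "REJECT", name
        if name == "reject_unknown_sender_domain" and not s.sender_domain_resolves:
            return "REJECT", name
        if name == "check_client_access":
            action = lookup_cidr(CLIENT_WHITELIST, s.client_ip)
            if action in ("OK", "REJECT"):
                return action, name
        if name == "permit_dnswl_client" and s.dnswl_listed:
            return "OK", name
        if name == "reject_rbl_client" and s.dnsbl_listed:
            return "REJECT", name
        if name == "permit":
            return "OK", name
    return "OK", "end of list"  # an exhausted list permits; a trailing permit adds nothing


# Order posted in message 1 (abbreviated to one RBL zone).
ORIGINAL = [
    "permit_mynetworks", "permit_sasl_authenticated", "reject_unauth_destination",
    "reject_non_fqdn_sender", "reject_unknown_recipient_domain",
    "reject_unknown_sender_domain", "check_policy_service inet:127.0.0.1:10023",
    "check_client_access cidr:/etc/postfix/client-whitelist",
    "permit_dnswl_client list.dnswl.org=127.0.[0..255].[1..3]",
    "reject_rbl_client zen.spamhaus.org", "permit",
]
# Order posted in message 2: whitelists moved ahead of every reject_* rule,
# including reject_unauth_destination.
POSTED_LATER = [
    "reject_unknown_recipient_domain", "permit_mynetworks", "permit_sasl_authenticated",
    "check_client_access cidr:/etc/postfix/client-whitelist",
    "permit_dnswl_client list.dnswl.org=127.0.[0..255].[1..3]",
    "reject_unauth_destination", "reject_non_fqdn_sender", "reject_unknown_sender_domain",
    "check_policy_service inet:127.0.0.1:10023", "reject_rbl_client zen.spamhaus.org",
]
# Constructed order: whitelists ahead of the sender/content checks, but
# reject_unauth_destination stays ahead of every whitelist entry.
SAFER = [
    "reject_unknown_recipient_domain", "permit_mynetworks", "permit_sasl_authenticated",
    "reject_unauth_destination",
    "check_client_access cidr:/etc/postfix/client-whitelist",
    "permit_dnswl_client list.dnswl.org=127.0.[0..255].[1..3]",
    "reject_non_fqdn_sender", "reject_unknown_sender_domain",
    "check_policy_service inet:127.0.0.1:10023", "reject_rbl_client zen.spamhaus.org",
]

# Constructed sessions (RFC 5737 documentation addresses).
WHITELISTED_ODD_SENDER = Session("192.0.2.10", "list.ecompass.nl", sender_domain_resolves=False)
USER_TYPO = Session("198.51.100.5", "examlpe.com", sasl_authenticated=True,
                    recipient_domain_resolves=False)
STRANGER_TYPO = Session("198.51.100.5", "examlpe.com", recipient_domain_resolves=False)
DNSWL_RELAY_ATTEMPT = Session("203.0.113.7", "victim.example", dnswl_listed=True)

if __name__ == "__main__":
    for label, s in [("whitelisted client, odd sender", WHITELISTED_ODD_SENDER),
                     ("own user, mistyped domain", USER_TYPO),
                     ("stranger, mistyped domain", STRANGER_TYPO),
                     ("dnswl-listed host relaying", DNSWL_RELAY_ATTEMPT)]:
        for order_name, order in [("original", ORIGINAL), ("posted later", POSTED_LATER), ("safer", SAFER)]:
            print(f"{label:32} {order_name:13} -> {evaluate(order, s)}")
```

Read the output against Noel's remarks: in the original order a whitelisted client with an unresolvable sender domain is rejected by reject_unknown_sender_domain before the whitelist is ever consulted, and an authenticated user's mistyped domain is accepted by permit_sasl_authenticated (and bounced later) because reject_unknown_recipient_domain sits behind it; in the "posted later" order a dnswl-listed stranger is permitted to send to a foreign domain, which is an open relay; the "safer" order fixes both without losing the whitelist.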
    • L.W. van Braam van Vloten
      Message 2 of 7 , Jul 22, 2013

        Hi,

        Thanks for your clear reply, that really helps!

        One last question: How should I configure local_recipient_maps?

        Noel said:

        local_recipient_maps =
        An empty local_recipient_maps will cause your postfix to accept mail
        for undeliverable local addresses, then attempt to bounce them.  This
        will clog your queue with undeliverable bounces and get you blacklisted.
        I am running a mailing list server Listserv for which all available addresses are defined in /etc/aliases
        And also a mailman server using /var/lib/mailman/data/aliases
        I also use a limited number of virtual mailboxes, using a mysql databases containing a table for mailboxes and a table for aliases, and local maildir storage
        I don't want to deliver mail to local system accounts

        So I thought I had to use the following:
        local_recipient_maps = $alias_maps $virtual_mailbox_maps $virtual_alias_maps
        Which works

        But if I use 
        local_recipient_maps = $alias_maps
        then mail to the virtual mailboxes is still delivered...

        In addition, if I use
        local_recipient_maps = 
        then the server will not accept mail for non-existing addresses, which seems to contradict Noel's warning:
             550 5.1.1 <nonexisting@...>: Recipient address rejected: User unknown in local recipient table

        So I don't really understand how this setting works...

        Thanks!
        Lucas

        My latest config:
        # postconf -nf
        alias_database = $alias_maps
        alias_maps = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
        append_dot_mydomain = no
        biff = no
        config_directory = /etc/postfix
        content_filter = amavis:[127.0.0.1]:10024
        delay_warning_time = 4h
        disable_vrfy_command = yes
        inet_interfaces = all
        mailbox_command = procmail -a "$EXTENSION"
        mailbox_size_limit = 107374182400
        maximal_backoff_time = 4000s
        maximal_queue_lifetime = 7d
        milter_default_action = accept
        milter_protocol = 2
        minimal_backoff_time = 300s
        mydestination = list.ecompass.nl
        myhostname = mail.ecompass.nl
        mynetworks_style = host
        myorigin = /etc/mailname
        non_smtpd_milters = inet:localhost:8891
        readme_directory = no
        recipient_bcc_maps = hash:/etc/postfix/recipient_bcc
        recipient_delimiter = *
        relay_domains =
        smtp_helo_timeout = 60s
        smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
        smtpd_banner = $myhostname ESMTP $mail_name
        smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated,
            check_client_access cidr:/etc/postfix/client-access
        smtpd_data_restrictions = reject_unauth_pipelining
        smtpd_delay_reject = yes
        smtpd_hard_error_limit = 12
        smtpd_helo_required = yes
        smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated,
            reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname, permit
        smtpd_milters = inet:localhost:8891
        smtpd_recipient_restrictions = reject_unknown_recipient_domain,
            permit_mynetworks, permit_sasl_authenticated, check_client_access
            cidr:/etc/postfix/client-whitelist, permit_dnswl_client
            list.dnswl.org=127.0.[0..255].[1..3], check_sender_access
            hash:/etc/postfix/sender-access, check_recipient_access
            hash:/etc/postfix/recipient-access, reject_unauth_destination,
            reject_unauth_pipelining, reject_non_fqdn_sender, reject_non_fqdn_recipient,
            reject_unknown_sender_domain, check_policy_service inet:127.0.0.1:10023,
            reject_rbl_client zen.spamhaus.org, reject_rbl_client dnsbl.sorbs.net,
            reject_rbl_client bl.spamcop.net, permit
        smtpd_sender_restrictions = permit_mynetworks, permit_sasl_authenticated,
            warn_if_reject reject_non_fqdn_sender, permit
        smtpd_soft_error_limit = 3
        smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
        smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
        smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
        smtpd_use_tls = yes
        unknown_local_recipient_reject_code = 550
        virtual_alias_maps = mysql:/etc/postfix/mysql_alias.cf
        virtual_gid_maps = static:5000
        virtual_mailbox_base = /var/spool/mail/virtual
        virtual_mailbox_domains = mysql:/etc/postfix/mysql_domains.cf
        virtual_mailbox_maps = mysql:/etc/postfix/mysql_mailbox.cf
        virtual_uid_maps = static:5000
         
      • Noel Jones
        Message 3 of 7 , Jul 22, 2013
          On 7/22/2013 4:27 PM, L.W. van Braam van Vloten wrote:
          > Hi,
          >
          > Thanks for your clear reply, that really helps!
          >
          > One last question: How should I configure local_recipient_maps?


          The default setting of
          local_recipient_maps = proxy:unix:passwd.byname $alias_maps
          should be appropriate for the vast majority of sites.

          Note that "local recipients" means domains listed in mydestination,
          not virtual alias or virtual mailbox domains.


          -- Noel Jones
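Noel's point is about address classes: a domain in mydestination is "local" and its recipients are checked against local_recipient_maps, while a domain in virtual_mailbox_domains is checked against virtual_mailbox_maps and virtual_alias_maps, whatever local_recipient_maps says. The following Python model is an added example, not code from the thread or from Postfix. It uses the domain lists, table names and recipient_delimiter from Lucas's postconf output where the thread gives them; the table contents and the virtual mailbox domain are assumed and marked as such. It follows the documented local lookup order (user@domain, then user, then @domain) after stripping an address extension, and reproduces the two observations in message 2 that the model can explain: virtual mailboxes keep working when local_recipient_maps lists only $alias_maps, and an empty local_recipient_maps accepts anything for the local domain (which is exactly why Noel warns against it).

```python
"""Which table validates a recipient at RCPT TO time, by Postfix address class.

Constructed teaching model, not Postfix code. Tables are plain sets of
lookup keys (assumed contents); alias and passwd tables hold local names,
the virtual tables hold full addresses.
"""

TABLES = {
    "proxy:unix:passwd.byname": {"root", "lucas"},
    "hash:/etc/aliases": {"postmaster", "listserv", "listserv-request"},
    "hash:/var/lib/mailman/data/aliases": {"mailman", "announce"},
    "mysql:/etc/postfix/mysql_mailbox.cf": {"lucas@ecompass.nl"},
    "mysql:/etc/postfix/mysql_alias.cf": {"info@ecompass.nl"},
}

CONFIG = {
    "mydestination": {"list.ecompass.nl"},         # from the thread
    "virtual_mailbox_domains": {"ecompass.nl"},    # assumed (mysql table in the thread)
    "virtual_alias_domains": set(),
    "relay_domains": set(),
    "recipient_delimiter": "*",                    # from the thread
    "virtual_mailbox_maps": ["mysql:/etc/postfix/mysql_mailbox.cf"],
    "virtual_alias_maps": ["mysql:/etc/postfix/mysql_alias.cf"],
    # Postfix default "proxy:unix:passwd.byname $alias_maps", expanded.
    "local_recipient_maps": ["proxy:unix:passwd.byname", "hash:/etc/aliases",
                             "hash:/var/lib/mailman/data/aliases"],
}

# Variants Lucas describes: aliases only (no system accounts), and no validation.
ALIASES_ONLY = {**CONFIG, "local_recipient_maps": CONFIG["local_recipient_maps"][1:]}
UNVALIDATED = {**CONFIG, "local_recipient_maps": []}


def address_class(domain, cfg):
    """Postfix address classes, in the order the domain lists are consulted."""
    for key, cls in (("mydestination", "local"), ("virtual_alias_domains", "virtual alias"),
                     ("virtual_mailbox_domains", "virtual mailbox"), ("relay_domains", "relay")):
        if domain in cfg[key]:
            return cls
    return "default"  # not an authorized destination at all


def found_in(maps, keys):
    """Return the first map in `maps` containing any of `keys`, else None."""
    for m in maps:
        if any(k in TABLES[m] for k in keys):
            return m
    return None


def rcpt_check(address, cfg=CONFIG):
    """Return (action, reason) as smtpd's recipient validation would decide."""
    localpart, _, domain = address.rpartition("@")
    domain = domain.lower()
    # Strip an address extension (announce*subscribe -> announce) before lookups.
    base = localpart.split(cfg["recipient_delimiter"], 1)[0]
    full = f"{base}@{domain}"
    cls = address_class(domain, cfg)
    if cls == "local":
        if not cfg["local_recipient_maps"]:
            return "OK", "local, validation disabled (undeliverable mail bounces later)"
        hit = found_in(cfg["local_recipient_maps"], (full, base, f"@{domain}"))
        if hit:
            return "OK", f"local recipient found in {hit}"
        return "REJECT", "550 5.1.1 User unknown in local recipient table"
    if cls == "virtual alias":
        hit = found_in(cfg["virtual_alias_maps"], (full, f"@{domain}"))
        return ("OK", f"found in {hit}") if hit else \
               ("REJECT", "550 5.1.1 User unknown in virtual alias table")
    if cls == "virtual mailbox":
        hit = (found_in(cfg["virtual_mailbox_maps"], (full,))
               or found_in(cfg["virtual_alias_maps"], (full, f"@{domain}")))
        return ("OK", f"found in {hit}") if hit else \
               ("REJECT", "550 5.1.1 User unknown in virtual mailbox table")
    if cls == "relay":
        return "OK", "relay domain, checked by relay_recipient_maps (not modelled)"
    return "REJECT", "554 5.7.1 Relay access denied"


if __name__ == "__main__":
    for addr, cfg in [("listserv-request@list.ecompass.nl", CONFIG),
                      ("announce*subscribe@list.ecompass.nl", CONFIG),
                      ("root@list.ecompass.nl", CONFIG),
                      ("root@list.ecompass.nl", ALIASES_ONLY),
                      ("nobody@list.ecompass.nl", CONFIG),
                      ("nobody@list.ecompass.nl", UNVALIDATED),
                      ("lucas@ecompass.nl", ALIASES_ONLY),
                      ("info@ecompass.nl", CONFIG),
                      ("ghost@ecompass.nl", CONFIG)]:
        print(f"{addr:36} {address_class(addr.rpartition('@')[2], cfg):16} {rcpt_check(addr, cfg)}")
```

The run shows why the thread's three settings behave as they do: local_recipient_maps only ever sees list.ecompass.nl, so lucas@ecompass.nl is accepted by the virtual mailbox table however the local maps are set; dropping proxy:unix:passwd.byname is what stops delivery to system accounts like root; and the empty setting accepts nobody@list.ecompass.nl outright, leaving the bounce to happen after the message has been queued.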