From: Ralf Hildebrandt (news-list.postfix.usersinnominate.de)
Date: Mon Apr 02 2001 - 10:27:53 CDT

    On 2 Apr 2001 16:24:32 +0200, Jack Sasportas <jackinnovativeinternet.com> wrote:

    >smtpd_client_restrictions =
    > permit_mynetworks
    > hash:/etc/postfix/access
    > reject_maps_rbl
    ># reject_unknown_client

    smtpd_client_restrictions =
       permit_mynetworks
       check_client_access hash:/etc/postfix/client_access
       reject_maps_rbl
       
    >smtpd_sender_restrictions =
    > hash:/etc/postfix/access
    ># reject_unknown_sender_domain
    ># hash:/etc/postfix/sender

    smtpd_sender_restrictions =
       check_sender_access hash:/etc/postfix/sender_access
    # nothing else here? Huh? No reject? no permit??

    ># smtpd_recipient_restrictions = RCPT TO checks - (can be based on
    >Sender)
    >smtpd_recipient_restrictions =
    > permit_mynetworks
    > hash:/etc/postfix/access
    > check_sender_access hash:/etc/postfix/senders
    > reject_non_fqdn_recipient
    > check_relay_domains
    ># check_client_access hash:/etc/postfix/pop-before-smtp

    smtpd_recipient_restrictions =
       check_recipient_access hash:/etc/postfix/recipient_access
       check_sender_access hash:/etc/postfix/senders
       # another check_sender_access ?? Why?
       reject_non_fqdn_recipient
       check_relay_domains
     

    I bet you'll never get the thing working like you intend to.
    I propose this:

    smtpd_client_restrictions =
    smtpd_helo_restrictions =
    smtpd_sender_restrictions =
    # Yes, empty!
    # All restrictions are put into recipient:
    smtpd_recipient_restrictions =
       permit_mynetworks,
       reject_unauth_destination,
       check_recipient_access hash:/etc/postfix/recipient_checks,
       check_sender_access hash:/etc/postfix/sender_checks,
       check_client_access hash:/etc/postfix/client_checks,
       reject_unauth_pipelining,
       reject_invalid_hostname,
       reject_non_fqdn_hostname,
       reject_non_fqdn_sender,
       reject_non_fqdn_recipient,
       reject_unknown_sender_domain,
       reject_unknown_recipient_domain,
       reject_maps_rbl,
       reject_unknown_client,
       permit

    What is the idea behind this?

    At the smtpd_recipient stage EVERYTHING is known, sender, recipient, helo and
    the client.
    First, we allow mynetworks. Then we check for relaying
    (reject_unauth_destination). After that we can explicitly allow or disallow
    based on sender, recipient or client. If no explicit rules are given, we do
    all the nasty stuff (reject_*). If a mail passes ALL restrictions, we
    "permit".

    If you want POP-before-SMTP, start this using:

    smtpd_recipient_restrictions =
       permit_mynetworks,
       check_client_access hash:/etc/postfix/pop-before-smtp,
       reject_unauth_destination
       .
       .
       .

    -- 
    ralf.hildebrandtinnominate.com                            innominate AG
    System Engineer                        Don't be afraid of what you see -
    Diplom-Informatiker                     be afraid of what you don't see!
    tel: +49.(0)7000.POSTFIX  fax: +49.(0)30.308806-698         
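
An added example, not part of the message above and not Postfix code: a simplified Python model of first-match evaluation over a subset of the proposed smtpd_recipient_restrictions list, set beside a constructed ordering that consults the sender table before reject_unauth_destination. The networks, domains, addresses and table contents are constructed, and the tables match on the full address only.

```python
import ipaddress

# Constructed sample data, not taken from the message.
MYNETWORKS = [ipaddress.ip_network("192.0.2.0/24")]
LOCAL_DOMAINS = {"example.org"}  # domains this server is final destination for
TABLES = {  # stand-ins for the hash: maps; full-address keys only
    "recipient_checks": {},
    "sender_checks": {"spammer@example.net": "REJECT",
                      "partner@example.com": "OK"},
    "client_checks": {},
}
ACCESS_KEY = {"check_recipient_access": "rcpt",
              "check_sender_access": "sender",
              "check_client_access": "client"}

def domain(addr):
    return addr.rsplit("@", 1)[-1].lower()

def step(name, arg, s):
    """Result of one restriction: PERMIT, REJECT, or DUNNO (no opinion)."""
    if name == "permit_mynetworks":
        ip = ipaddress.ip_address(s["client"])
        return "PERMIT" if any(ip in net for net in MYNETWORKS) else "DUNNO"
    if name == "reject_unauth_destination":
        return "DUNNO" if domain(s["rcpt"]) in LOCAL_DOMAINS else "REJECT"
    if name in ACCESS_KEY:
        action = TABLES[arg].get(s[ACCESS_KEY[name]].lower(), "DUNNO")
        return "PERMIT" if action == "OK" else action
    if name == "reject_non_fqdn_sender":
        return "REJECT" if "." not in domain(s["sender"]) else "DUNNO"
    if name == "permit":
        return "PERMIT"
    raise ValueError(f"restriction not modelled: {name}")

def evaluate(restrictions, session):
    """Walk the list in order; the first PERMIT or REJECT ends evaluation."""
    for name, arg in restrictions:
        result = step(name, arg, session)
        if result != "DUNNO":
            return result, name
    return "DUNNO", "(end of list)"

# Subset of the list proposed in the message, in the same order.
PROPOSED = [("permit_mynetworks", None), ("reject_unauth_destination", None),
            ("check_recipient_access", "recipient_checks"),
            ("check_sender_access", "sender_checks"),
            ("check_client_access", "client_checks"),
            ("reject_non_fqdn_sender", None), ("permit", None)]
# Constructed contrast: the sender table is consulted before the relay check.
SENDER_FIRST = [PROPOSED[0], PROPOSED[3], PROPOSED[1], PROPOSED[6]]
```

With SENDER_FIRST, a session from outside mynetworks whose envelope sender has an OK entry is permitted for a foreign recipient domain, because the OK ends evaluation before the relay check runs. With the proposed order the same session stops at reject_unauth_destination.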