From: luna (lunadipswitch.net)
Date: Wed May 29 2002 - 08:09:16 CDT


    On Wed, 29 May 2002, Timo Boettcher wrote:

    >Hi list,
    >
    >I'm new to this list and to postfix. So please even if I'm wrong here
    >and asking idiotic questions, help me.
    >
    >I want to build a mail server which should:
    >- relay any mail put in by the webmail-ui (I want to use horde/IMP).
    >- get/store any mail which is for me and any of my users (I want to
    > use courier Imap for this)
    >- relay any mail put in by me and my users from dialup accounts (I
    > wanted to use pop-before-smtp)
    >
    >The users are in an LDAP-Directory.
    >I do NOT want to have an open relay (I hate spam, and I get bandwidth
    >at a local ISP out of friendliness, so if I misbehave, I get kicked)
    >
    >I have read the book "postfix" by Richard Blum in Sams,
    >http://www.mengwong.com/misc/postfix-uce-guide.txt
    >http://www.postfix.org/uce.html
    >http://www.muine.org/~hoang/postrouter.html
    >http://www.afp548.com/Articles/mail/spam2.html
    >...
    >
    >
    >
    >#============= Begin paste main.cf =============
    >mydomain = myserver.net
    >myhostname = www.$mydomain
    >myorigin = $mydomain
    >mydestination = $myhostname, localhost.$mydomain, $mydomain
    >mynetworks_style = host
    >mynetworks = 127.0.0.0/8
    >relay_domains = $mydestination
    >smtpd_sender_restrictions = permit_mynetworks,
    > reject_unknown_sender_domain,
    > reject_non_fqdn_hostname,
    > reject_invalid_hostname,
    > reject_unknown_hostname,
    > reject_maps_rbl
    >
    >smtpd_recipient_restrictions = permit_mynetworks,
    > check_client_access hash:/etc/postfix/pop-before-smtp,
    > reject_maps_rbl,
    > reject_unknown_client,
    > reject_invalid_hostname,
    > reject_unknown_hostname,
    > reject_unknown_sender_domain,
    > reject_unauth_destination,
    > reject_unknown_recipient_domain,
    > reject_non_fqdn_hostname,
    > reject_non_fqdn_sender,
    > reject_non_fqdn_recipient
    >
    >#============== End paste main.cf ==============
    >
    >
    >My Questions:
    >Will I be able to send mail via dialup?
    yes - assuming /etc/postfix/pop-before-smtp is being written to correctly
    >Will I be able to send mail via webmail from localhost?
    yes
    >Will I be able to receive mail?
    yes
    >And, most: Are there any security-holes not plugged?
    no - you may see too much valid mail being rejected due to
    reject_unknown_client.

    you can consolidate your restrictions into smtpd_recipient_restrictions.
    i would recommend:

    smtpd_recipient_restrictions =
            reject_non_fqdn_sender,
            reject_unknown_sender_domain,
            reject_non_fqdn_recipient,
            reject_unknown_recipient_domain,
            permit_mynetworks,
            check_client_access hash:/etc/postfix/pop-before-smtp,
            reject_unknown_client, <-- this might cause problems for you
            reject_invalid_hostname,
            reject_non_fqdn_hostname,
            reject_unknown_hostname,
            reject_maps_rbl,
            reject_unauth_destination

    -ben
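
An added example, not part of the original thread: a simplified Python model of how the restriction list recommended above decides relay attempts, with the first matching rule winning. Only permit_mynetworks, check_client_access and reject_unauth_destination are modelled; every other restriction is assumed to pass, and the pop-before-smtp table is stood in for by a constructed set of client IPs.

```python
import ipaddress
import re

# Constructed input: the list recommended in the reply, inline note removed.
MAIN_CF = """\
smtpd_recipient_restrictions =
        reject_non_fqdn_sender, reject_unknown_sender_domain,
        reject_non_fqdn_recipient
        reject_unknown_recipient_domain,
        permit_mynetworks,
        check_client_access hash:/etc/postfix/pop-before-smtp,
        reject_unknown_client,
        reject_invalid_hostname, reject_non_fqdn_hostname, reject_unknown_hostname,
        reject_maps_rbl,
        reject_unauth_destination
"""

def parse_restrictions(text, name="smtpd_recipient_restrictions"):
    """Join continuation lines (leading whitespace); split on commas and/or whitespace."""
    value, active = "", False
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line[0].isspace():                 # start of a new logical line
            key, _, rest = line.partition("=")
            active = key.strip() == name
            value = rest if active else value
        elif active:                              # continuation of our parameter
            value += " " + line
    tokens = [t for t in re.split(r"[,\s]+", value) if t]
    rules = []
    for tok in tokens:
        if rules and rules[-1] == ("check_client_access", None):
            rules[-1] = (rules[-1][0], tok)       # table argument, e.g. hash:/path
        else:
            rules.append((tok, None))
    return rules

def relay_decision(rules, client_ip, rcpt_domain, mynetworks, pop_clients, local_domains):
    """Walk the list in order; unmodelled rules are assumed to pass (simplification)."""
    ip = ipaddress.ip_address(client_ip)
    for name, _ in rules:
        if name == "permit_mynetworks" and any(ip in ipaddress.ip_network(n) for n in mynetworks):
            return "permit", name
        if name == "check_client_access" and client_ip in pop_clients:
            return "permit", name
        if name == "reject_unauth_destination" and rcpt_domain not in local_domains:
            return "reject", name
    return "permit", "end of list"                # no rule matched: mail is accepted
```

Running the same check against a list with reject_unauth_destination removed returns "permit" for an unknown client and a foreign recipient domain, which is the open-relay condition the original poster wants to avoid.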
