From: luna (lunadipswitch.net)
Date: Wed May 29 2002 - 11:26:15 CDT

    On Wed, 29 May 2002, Timo Boettcher wrote:

    >Hi luna,
    >Message of Wednesday, 29. May 2002, 15:09:16:
    >
    >>And, most: Are there any security-holes not plugged?
    >no - you may see too much valid mail being rejected due to
    >reject_unknown_client.
    >If I cut that out, will I be "secure", that is, no open-relay, then?

    yes. reject_unauth_destination is the only line necessary to prevent
    relaying (Assuming the referenced parameters are appropriately configured).
    the rest do help. but really have more to do with preventing spam, and
    upholding the smtp "law", so-to-speak.

    >
    >l> you can consolidate your restrictions into smtpd_recipient_restrictions.
    >l> i would recommend:
    >
    >l> smtpd_recipient_restrictions =
    >l> reject_non_fqdn_sender,
    >l> reject_unknown_sender_domain,
    >l> reject_non_fqdn_recipient
    >l> reject_unknown_recipient_domain,
    >l> permit_mynetworks,
    >l> check_client_access hash:/etc/postfix/pop-before-smtp,
    >l> reject_unknown_client, <-- this might cause problems for you
    >l> reject_invalid_hostname,
    >l> reject_non_fqdn_hostname,
    >l> reject_unknown_hostname,
    >l> reject_maps_rbl,
    >l> reject_unauth_destination
    >
    >You mean no other smtpd_*_restrictions except the above?

    right. if you are using smtpd_delay_reject = yes, then this is even more
    appropriate, as no restrictions are processed until RCPT TO is issued
    anyway.

    >I heard that even the config options are planned to be consolidated...

    hth
    -ben
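
An added example, not part of the original message and not Postfix code: a small audit of a consolidated `smtpd_recipient_restrictions` list that finds the entry that blocks relaying and reports every entry ahead of it that can return a permit, since those entries decide who is allowed to relay. The set of guard names and the "permit or access-table lookup" rule are a simplified model assumed for this example, and the sample text is the list quoted in the thread, laid out as constructed `main.cf` input.

```python
import re
# Simplified model (assumption): entries that refuse mail for unauthorized destinations.
RELAY_GUARDS = {"reject_unauth_destination", "defer_unauth_destination", "reject", "defer"}
ACCESS_CHECK = re.compile(r"check_\w+_access$")  # table lookups that may return OK

def parse_restrictions(main_cf, param="smtpd_recipient_restrictions"):
    """Return the ordered restriction list for `param` from main.cf-style text."""
    logical = []
    for line in main_cf.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and logical:
            logical[-1] += " " + line.strip()   # continuation of the previous line
        else:
            logical.append(line.strip())
    value = ""
    for entry in logical:
        name, sep, rest = entry.partition("=")
        if sep and name.strip() == param:
            value = rest                        # a later definition overrides an earlier one
    result = []
    for tok in filter(None, re.split(r"[,\s]+", value)):  # commas or whitespace separate
        if result and ACCESS_CHECK.match(result[-1]) and ":" in tok:
            result[-1] += " " + tok             # attach type:table to its check_*_access
        else:
            result.append(tok)
    return result

def audit(restrictions):
    """Return (relay guard or None, entries before it that can return PERMIT)."""
    names = [r.split()[0] for r in restrictions]
    guard = next((i for i, n in enumerate(names) if n in RELAY_GUARDS), len(names))
    permits = [r for r, n in zip(restrictions[:guard], names)
               if n.startswith("permit") or ACCESS_CHECK.match(n)]
    return (names[guard] if guard < len(names) else None), permits

# Constructed sample: the list recommended in the thread, laid out as main.cf text.
RECOMMENDED = """\
smtpd_recipient_restrictions =
    reject_non_fqdn_sender, reject_unknown_sender_domain,
    reject_non_fqdn_recipient reject_unknown_recipient_domain,
    permit_mynetworks, check_client_access hash:/etc/postfix/pop-before-smtp,
    reject_unknown_client, reject_invalid_hostname,
    reject_non_fqdn_hostname, reject_unknown_hostname,
    reject_maps_rbl, reject_unauth_destination
"""
WEAK = RECOMMENDED.replace(", reject_unauth_destination", "")  # guard removed
print(audit(parse_restrictions(RECOMMENDED)), audit(parse_restrictions(WEAK)))
```

A result whose first element is `None` means nothing in the list refuses unauthorized destinations; the second element is the set of entries whose inputs (`mynetworks`, the pop-before-smtp table) need to be reviewed because they sit ahead of the guard.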
