SMTP Proxy and smtpd_recipient_restrictions/permit_mynetworks

From: Alan Munday (postfixbrightheadtechnology.com)
Date: Thu Mar 11 2004 - 06:06:29 CST


Some while ago I used Jim's anti UCE reference
http://jimsun.linxnet.com/misc/postfix-anti-UCE.txt for my site.

Since then I have used the following:

smtpd_recipient_restrictions =
        reject_invalid_hostname
        reject_non_fqdn_sender
        reject_non_fqdn_recipient
        reject_unknown_sender_domain
        reject_unknown_recipient_domain
        check_recipient_access hash:/etc/postfix/filtered_domains
        permit_mynetworks
        reject_non_fqdn_hostname
        reject_unauth_destination
        check_helo_access hash:/etc/postfix/helo_checks
        check_recipient_access pcre:/etc/postfix/recipient_checks.pcre

Which works well enough.

I was browsing the notify mail yesterday when I noticed that a number of
mails were not hitting the helo_checks when I expected them to. So I tried
moving a few things around, knowing order is important I tried not to be too
radical:

smtpd_recipient_restrictions =
        reject_invalid_hostname
        reject_non_fqdn_sender
        reject_non_fqdn_recipient
        reject_unknown_sender_domain
        reject_unknown_recipient_domain
        permit_mynetworks
        check_helo_access hash:/etc/postfix/helo_checks
        check_recipient_access pcre:/etc/postfix/recipient_checks.pcre
        check_recipient_access hash:/etc/postfix/filtered_domains
        reject_non_fqdn_hostname
        reject_unauth_destination

This promptly stopped any mail being sent to spamassassin/anomy.

So now I can see that what I had not accounted for was that all my SMTP
traffic comes in via a proxy which always presents as a mynetworks address
and passes the permit_mynetworks.

As I'm not in a position to try things out until after business hours I
thought I would ask those who know first...

Given this is the case can I just move permit_mynetworks to the bottom of
this list?

Are there other accepted ways of configuring main.cf when using an SMTP
proxy? If so do you have any recommendations?

Thanks

Alan
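The question above comes down to how Postfix walks a restriction list: entries are tried in order, the first one to answer PERMIT or REJECT decides, DUNNO hands over to the next entry, and an exhausted list permits. The model below is an added illustration written for this archive page, not Postfix code and not Alan's configuration. It implements only four of the restrictions from the post, and every address, domain, HELO name and table entry in it is constructed sample data (the proxy address 127.0.0.1, the accepted domain example.com, the helo_checks entries). It replays a spam session, a legitimate session and a relay attempt, all arriving from the proxy address, against the post's second ordering and against the proposed ordering with permit_mynetworks moved to the bottom.

```python
"""Toy model of Postfix smtpd_recipient_restrictions evaluation.

Added illustration; not Postfix code. Only the evaluation rule that
matters for the question is modelled: restrictions run in list order,
the first PERMIT or REJECT decides, DUNNO continues, and an exhausted
list permits. All site data below is constructed for the example.
"""
import ipaddress

# --- constructed sample site data (assumptions, not from the post) ---
MYNETWORKS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "192.168.1.0/24")]
# stands in for mydestination / relay_domains
ACCEPTED_DOMAINS = {"example.com"}
# stands in for hash:/etc/postfix/helo_checks: HELO names that impersonate this site
HELO_CHECKS = {"localhost": "REJECT", "example.com": "REJECT"}


def permit_mynetworks(s):
    """PERMIT when the *client address* is in mynetworks; the proxy always is."""
    ip = ipaddress.ip_address(s["client"])
    return "PERMIT" if any(ip in net for net in MYNETWORKS) else "DUNNO"


def reject_non_fqdn_hostname(s):
    """Approximation: a fully qualified HELO name contains a dot."""
    return "DUNNO" if "." in s["helo"] else "REJECT"


def check_helo_access(s):
    """Table lookup on the HELO name; unmatched names fall through."""
    return HELO_CHECKS.get(s["helo"].lower(), "DUNNO")


def reject_unauth_destination(s):
    """REJECT unless we are final destination or relay for the recipient domain."""
    domain = s["rcpt"].rpartition("@")[2].lower()
    return "DUNNO" if domain in ACCEPTED_DOMAINS else "REJECT"


RESTRICTIONS = {f.__name__: f for f in (
    permit_mynetworks, reject_non_fqdn_hostname,
    check_helo_access, reject_unauth_destination)}


def evaluate(order, session):
    """Walk the list in order; return (verdict, name of the deciding entry)."""
    for name in order:
        verdict = RESTRICTIONS[name](session)
        if verdict != "DUNNO":
            return verdict, name
    return "PERMIT", "end of list"   # implicit default when nothing decides


# The post's second ordering, reduced to the restrictions modelled here
ORIGINAL = ["permit_mynetworks", "check_helo_access",
            "reject_non_fqdn_hostname", "reject_unauth_destination"]
# The proposed change: permit_mynetworks moved to the bottom
PROPOSED = ["check_helo_access", "reject_non_fqdn_hostname",
            "reject_unauth_destination", "permit_mynetworks"]

# Constructed sessions as the proxy hands them on: client is always the proxy
SPAM_VIA_PROXY = {"client": "127.0.0.1", "helo": "localhost",
                  "rcpt": "user@example.com"}
GOOD_VIA_PROXY = {"client": "127.0.0.1", "helo": "mx.remote.example",
                  "rcpt": "user@example.com"}
RELAY_VIA_PROXY = {"client": "127.0.0.1", "helo": "mx.remote.example",
                   "rcpt": "user@elsewhere.example"}


if __name__ == "__main__":
    for label, session in (("spam", SPAM_VIA_PROXY), ("good", GOOD_VIA_PROXY),
                           ("relay", RELAY_VIA_PROXY)):
        for name, order in (("original", ORIGINAL), ("proposed", PROPOSED)):
            print(f"{label:5} {name:8} -> {evaluate(order, session)}")
```

Run as a script the model shows the symptom from the post: with permit_mynetworks first, every proxied session, spam included, is decided by permit_mynetworks and helo_checks is never consulted. With it last, the spam session is rejected by check_helo_access and the legitimate one still gets through. The model also shows the caveat that comes with the move: once reject_unauth_destination sits above permit_mynetworks, a session from the proxy address can only deliver to the accepted domains, so if internal hosts relay outbound mail through the same proxy path that path is rejected too. The usual way out is to keep the proxy's address out of mynetworks (or out of the list's early PERMIT entries) and give trusted senders a separate submission path.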