Re: My server is an open relay

From: Patrick Ben Koetter (pstate-of-mind.de)
Date: Tue May 03 2005 - 03:47:34 CDT


* Jaskula Thomas <thomas.jaskulabci-info.com>:
> >> smtpd_delay_reject = no
> Why?

A looong story...
short version: some clients won't accept a NO until after the RCPT TO stage.
If you set smtpd_delay_reject = no Postfix will evaluate the restriction that
corresponds to the SMTP stage right after the command was given. It might kick
out the client, but the client would come back over and over again, because it
doesn't accept a REJECT until after the RCPT TO stage.

So for the sake of sanity leave the default, which is:

smtpd_delay_reject = yes

> I saw it in the tutorial

Hmmm, you don't build a nuclear bomb, just because it is described in a
tutorial, do you? ;)

p@rick

>
> >> smtpd_helo_restrictions = permit_mynetworks, reject_invalid_hostname,
> >> reject_unknown_hostname, reject_non_fqdn_hostname, reject_maps_rbl
>
> >> smtpd_recipient_restrictions = permit_mynetworks,
> >> reject_unauth_destination, check_recipient_access
> >> $virtual_mailbox_maps, reject_non_fqdn_recipient, check_relay_domains
>
> > check_recipient_access $virtual_mailbox_maps is not needed,
> > check_relay_domains serves no purpose and is deprecated.
>
> >> smtpd_sender_restrictions = permit_mynetworks, reject_unauth_pipelining,
> >> reject_unknown_sender_domain, reject_non_fqdn_sender
>
> > Your restrictions can be shortened to:
>
> > smtpd_client_restrictions =
> > smtpd_helo_restrictions =
> > smtpd_sender_restrictions =
>
> > smtpd_recipient_restrictions =
> > permit_mynetworks
> > reject_unauth_destination
> > reject_invalid_hostname
> > reject_unknown_hostname
> > reject_non_fqdn_hostname
> > reject_unauth_pipelining
> > reject_unknown_client
> > reject_non_fqdn_recipient
> > reject_non_fqdn_sender
> > reject_unknown_sender_domain
> > reject_rbl_client sbl.spamhaus.org
> > reject_rbl_client relays.ordb.org
> > reject_rbl_client opm.blitzed.org
> > reject_rbl_client dun.dnsrbl.net
> > reject_rbl_client spam.dnsrbl.net
>
> >> unknown_local_recipient_reject_code = 450
>
> > unknown_local_recipient_reject_code = 550
>
> --
> Ralf Hildebrandt (Ralf.Hildebrandtcharite.de) spamtrapcharite.de
> http://www.postfix-book.com/ Tel. +49 (0)30-450 570-155
> Old programmers never die. They just can't C as well.
>

--
The Book of Postfix
<http://www.postfix-book.com>
SMTP AUTH debug utility:
<http://postfix.state-of-mind.de/patrick.koetter/saslfinger/>
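
The points raised in this thread can be checked mechanically. The following is an added example, not part of the original message or of Postfix: a small Python audit that parses main.cf text and flags the settings discussed above. The helper names and the sample configuration are constructed for illustration, and it only inspects smtpd_recipient_restrictions, as the thread does.

```python
import re

# Constructed sample: the poster's settings as quoted in the thread.
SAMPLE_MAIN_CF = """\
# constructed from the settings quoted above
smtpd_delay_reject = no
smtpd_recipient_restrictions = permit_mynetworks,
    reject_unauth_destination, check_recipient_access
    $virtual_mailbox_maps, reject_non_fqdn_recipient, check_relay_domains
unknown_local_recipient_reject_code = 450
"""

def parse_main_cf(text):
    """Parse main.cf text: lines whose first non-blank character is '#'
    are comments; a line starting with whitespace continues the previous one."""
    params, name = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] in " \t" and name:
            params[name] += " " + line.strip()
        else:
            name, _, value = line.partition("=")
            name = name.strip()
            params[name] = value.strip()
    return params

def restrictions(value):
    """Split a restriction list on commas and whitespace."""
    return [tok for tok in re.split(r"[,\s]+", value) if tok]

def audit(text):
    """Return findings for the points raised in the thread (hypothetical helper)."""
    p = parse_main_cf(text)
    rcpt = restrictions(p.get("smtpd_recipient_restrictions", ""))
    findings = []
    if p.get("smtpd_delay_reject", "yes") == "no":
        findings.append("smtpd_delay_reject = no: leave the default (yes)")
    if "check_relay_domains" in rcpt:
        findings.append("check_relay_domains is deprecated: remove it")
    for i, tok in enumerate(rcpt[:-1]):
        if tok == "check_recipient_access" and rcpt[i + 1] == "$virtual_mailbox_maps":
            findings.append("check_recipient_access $virtual_mailbox_maps is not needed")
    if "reject_unauth_destination" not in rcpt:
        findings.append("smtpd_recipient_restrictions lacks reject_unauth_destination")
    if p.get("unknown_local_recipient_reject_code") == "450":
        findings.append("unknown_local_recipient_reject_code = 450: thread suggests 550")
    return findings
```

Calling audit() on the text of a real main.cf returns the list of findings; an empty list means none of the settings criticised in this thread are present.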