Re: 2.2.8 + amavisd + postgrey
From: Victor Duchovni (Victor.Duchovni MorganStanley.com)
Date: Mon Feb 06 2006 - 10:57:16 CST
On Mon, Feb 06, 2006 at 10:47:03AM -0600, Bill Bradford wrote:
> On Mon, Feb 06, 2006 at 10:41:41AM -0600, Bill Bradford wrote:
> > "The Book of Postfix" by Ralf Hildebrandt and Patrick Koetter.
> > Page 95, "Preventing Obvious Forgeries":
> > "To put the map in action, specify it (and its type) as an argument to the
> > check_helo_access option in your smtpd_recipient_restrictions parameter.
> > Here's how it might look:
> > smtpd_recipient_restrictions=
> > ...
> > check_helo_access pcre:/etc/postfix/helo_checks"
>
> I'm not trying to be snarky here; I'm just trying to understand where
> things should properly go.
>
There is no single answer to this question. Or perhaps more explicitly:
Restriction order is a matter of programming in a small language
where first match wins. The right place to add a new constraint
depends strongly on the location of existing constraints and
the problem being solved.

In your case:

    permit_mynetworks,
    permit_mx_backup,
    permit_auth_destination (redundant)
    reject_unauth_destination
    ...

is wrong, because after permit_mynetworks (permit outbound mail for
authorized clients) and permit_mx_backup (which permits all inbound mail),
the only correct thing to do is to "reject" all other mail (which is
here less efficiently expressed via "reject_unauth_destination").

It is difficult to use permit_mx_backup with other UCE checks without
risking becoming an open relay when you whitelist the exceptions.

If at all possible:

- Learn to understand rather than parrot the restriction language
- Avoid permit_mx_backup like the plague.

--
Viktor.
Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.
If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the "Subject" so I can delete these quickly.
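
The first-match-wins evaluation described in the message above, as an added example that is not part of the original post and is not Postfix code: a simplified Python model of a restriction list, run over two constructed messages. The site data, the sample messages, the placement of check_helo_access where the post has "...", and the REORDERED list are all assumptions made for illustration.

```python
import ipaddress
import re

# Constructed site data (assumptions for this example only).
MYNETWORKS = [ipaddress.ip_network("192.0.2.0/24")]
AUTH_DEST = {"example.com"}   # stands in for mydestination / relay_domains
MX_LISTED = {"example.com"}   # domains whose MX records name this host
HELO_FORGED = re.compile(r"^(example\.com|192\.0\.2\.\d+)$")  # stand-in for helo_checks

def rcpt_domain(m):
    return m["rcpt"].rsplit("@", 1)[1].lower()

# Simplified models: each returns "PERMIT", "REJECT" or None (no decision yet).
RESTRICTIONS = {
    "permit_mynetworks": lambda m: "PERMIT" if any(
        ipaddress.ip_address(m["client"]) in n for n in MYNETWORKS) else None,
    "permit_mx_backup": lambda m: "PERMIT" if rcpt_domain(m) in MX_LISTED else None,
    "permit_auth_destination": lambda m: "PERMIT" if rcpt_domain(m) in AUTH_DEST else None,
    "reject_unauth_destination": lambda m: None if rcpt_domain(m) in AUTH_DEST else "REJECT",
    "check_helo_access": lambda m: "REJECT" if HELO_FORGED.match(m["helo"]) else None,
}

def evaluate(order, msg):
    """Return (verdict, deciding restriction); the first decision ends evaluation."""
    for name in order:
        verdict = RESTRICTIONS[name](msg)
        if verdict:
            return verdict, name
    return "PERMIT", "(end of list)"

# Order quoted in the message, with the HELO check assumed to sit where "..." is.
AS_POSTED = ["permit_mynetworks", "permit_mx_backup", "permit_auth_destination",
             "reject_unauth_destination", "check_helo_access"]
# One possible alternative ordering (an assumption, not taken from the thread).
REORDERED = ["permit_mynetworks", "reject_unauth_destination", "check_helo_access"]

# Constructed samples: an outside client using our own domain in HELO,
# and an outside client asking us to relay to a foreign domain.
FORGED = {"client": "203.0.113.9", "helo": "example.com", "rcpt": "bill@example.com"}
RELAY = {"client": "203.0.113.9", "helo": "mail.example.net", "rcpt": "x@example.org"}

if __name__ == "__main__":
    for label, order in (("as posted", AS_POSTED), ("reordered", REORDERED)):
        for msg in (FORGED, RELAY):
            print(f"{label:10} {msg['rcpt']:18} {evaluate(order, msg)}")
```

In the posted order the forged-HELO message is permitted by permit_mx_backup before check_helo_access is ever consulted; in the reordered list the same message reaches the HELO check and is rejected.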