Re: smtpd_restrictions sanity check

From: mouss (moussml.netoyen.net)
Date: Sun Nov 01 2009 - 08:37:53 CST


Alex wrote:
> Hi all,
>
> Hopefully I don't have the most frequently asked question, but I'm
> spinning my wheels and perhaps followed some bad advice. I hoped
> someone could look over my recipient restrictions to see if I'm making
> some kind of mistake:
>
> smtpd_recipient_restrictions =
> reject_invalid_hostname,
> reject_non_fqdn_hostname,
> reject_non_fqdn_sender,
> reject_non_fqdn_recipient,
> reject_unknown_sender_domain,
> reject_unknown_recipient_domain,
> reject_unauth_pipelining,
> check_client_access hash:/etc/postfix/client_checks,
> check_recipient_access pcre:/etc/postfix/relay_recips_checks,
> check_helo_access hash:/etc/postfix/helo_checks,
> check_sender_access hash:/etc/postfix/sender_checks,
> check_sender_access hash:/etc/postfix/disallow_my_domain,
> permit_mynetworks,
> check_recipient_access pcre:/etc/postfix/recipient_checks,
> reject_unauth_destination,
> reject_maps_rbl,
> permit
>

smtpd_recipient_restrictions =
        reject_non_fqdn_sender
        reject_non_fqdn_recipient
        permit_mynetworks
        #permit_sasl_authenticated
        reject_unauth_destination
        #
        reject_invalid_hostname
        reject_non_fqdn_hostname
        reject_unknown_sender_domain
        #
        check_client_access hash:/etc/postfix/client_checks
        check_recipient_access pcre:/etc/postfix/relay_recips_checks
        check_helo_access hash:/etc/postfix/helo_checks
        check_sender_access hash:/etc/postfix/sender_checks
        check_sender_access hash:/etc/postfix/disallow_my_domain
        check_recipient_access pcre:/etc/postfix/recipient_checks
        #
        reject_rbl_client zen.spamhaus.org
        

> I originally had permit_mynetworks further up, but it seems
> client_checks was then being ignored, despite the client not being on
> my network.
>
> I'm now trying to provide a mail server that is not part of my
> networks to my network.
>
> I also have a handful of cron scripts that run on this remote network
> that send mail to my network, but with internal hostnames that aren't
> resolvable once they reach my network. Do I just add them to my
> postfix hosts file or is there a way to avoid checking the hostname
> (sender access?) so they aren't rejected with "Sender address
> rejected: Domain not found"?
>
> Thanks,
> Alex
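
Added example (not part of the original thread): a small linter for the ordering difference between the two lists above. Postfix evaluates the list in order and an OK from an access map ends evaluation, so a check_*_access lookup placed before reject_unauth_destination can permit relaying if the map returns OK. The function names are hypothetical; both restriction lists are copied from this message.

```python
# Added example, not from the thread: flag access maps that are evaluated
# before reject_unauth_destination in smtpd_recipient_restrictions.
ORIGINAL = """
reject_invalid_hostname, reject_non_fqdn_hostname, reject_non_fqdn_sender,
reject_non_fqdn_recipient, reject_unknown_sender_domain,
reject_unknown_recipient_domain, reject_unauth_pipelining,
check_client_access hash:/etc/postfix/client_checks,
check_recipient_access pcre:/etc/postfix/relay_recips_checks,
check_helo_access hash:/etc/postfix/helo_checks,
check_sender_access hash:/etc/postfix/sender_checks,
check_sender_access hash:/etc/postfix/disallow_my_domain,
permit_mynetworks,
check_recipient_access pcre:/etc/postfix/recipient_checks,
reject_unauth_destination, reject_maps_rbl, permit
"""
REORDERED = """
reject_non_fqdn_sender reject_non_fqdn_recipient permit_mynetworks
#permit_sasl_authenticated
reject_unauth_destination
reject_invalid_hostname reject_non_fqdn_hostname reject_unknown_sender_domain
check_client_access hash:/etc/postfix/client_checks
check_recipient_access pcre:/etc/postfix/relay_recips_checks
check_helo_access hash:/etc/postfix/helo_checks
check_sender_access hash:/etc/postfix/sender_checks
check_sender_access hash:/etc/postfix/disallow_my_domain
check_recipient_access pcre:/etc/postfix/recipient_checks
reject_rbl_client zen.spamhaus.org
"""

def parse(value):
    """Split a restriction list (comma or whitespace separated) into (name, arg)."""
    lines = [l for l in value.splitlines() if not l.lstrip().startswith("#")]
    tokens = " ".join(lines).replace(",", " ").split()
    items, i = [], 0
    while i < len(tokens):
        name = tokens[i]
        takes_arg = name.startswith(("check_", "reject_rbl", "reject_rhsbl"))
        arg = tokens[i + 1] if takes_arg and i + 1 < len(tokens) else None
        items.append((name, arg))
        i += 2 if arg else 1
    return items

def risky_lookups(value):
    """Return access-map lookups that run before reject_unauth_destination."""
    flagged = []
    for name, arg in parse(value):
        if name == "reject_unauth_destination":
            break
        if name.startswith("check_") and name.endswith("_access"):
            flagged.append(f"{name} {arg}")
    return flagged
```

Calling risky_lookups(ORIGINAL) lists six lookups that run before the relay check; risky_lookups(REORDERED) returns an empty list.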