Todd A. Jacobs wrote:
> I'm running a mailman server, and was receiving a lot of errors like the
> following:
>
> Jan 26 07:36:39 host postfix/smtpd[13212]: NOQUEUE: reject: RCPT from
> localhost.localdomain[127.0.0.1]: 554 5.7.1 <f...@remote.example.com>: Relay
> access denied; from=<example.list-boun...@example.org>
> to=<f...@remote.example.com> proto=ESMTP helo=<host.example.org>
>
> I figured the problem was that I didn't have "permit_mynetworks"
> somewhere. It seems to work with the following:
>
> mydestination =
>     $myhostname
>     $mydomain
>     localhost
>     localhost.localdomain
>     localhost.$mydomain
> mynetworks =
>     127.0.0.0/8
>     192.168.11.0/24
> smtpd_helo_required = yes
> smtpd_delay_reject = yes
> smtpd_client_restrictions =
>     reject_unauth_pipelining

This is useless. Put it under smtpd_data_restrictions.

>     reject_rbl_client zen.spamhaus.org
>     check_client_access hash:/etc/postfix/domain_access
>     permit_mynetworks

permit_mynetworks is useless here, because the default is permit.

> smtpd_helo_restrictions =
>     reject_invalid_helo_hostname
>     reject_non_fqdn_helo_hostname
>     reject_unknown_helo_hostname
> smtpd_sender_restrictions =
>     check_sender_mx_access hash:/etc/postfix/sender_mx_access
>     check_sender_access hash:/etc/postfix/sender_access
>     reject_unknown_sender_domain
> smtpd_recipient_restrictions =
>     permit_mynetworks
>     reject_unauth_destination
>     reject_unknown_recipient_domain

This is useless. At this stage, the domain is yours (other domains have been rejected by the anti-relay control: reject_unauth_destination).

>     check_recipient_mx_access hash:/etc/postfix/recipient_mx_access

This too is useless.

>     check_recipient_access hash:/etc/postfix/recipient_access
>     check_policy_service inet:127.0.0.1:60000

Consider putting all your checks under smtpd_recipient_restrictions.

> smtpd_error_sleep_time = 5
> smtpd_soft_error_limit = 2
> owner_request_special = no
>
> but it looks like I had to list permit_mynetworks twice: once in
> recipients, and once in clients. So, three questions, really:
>
> 1. Do I really need it in both places? It seems so from trial and
> error, but maybe I'm just not understanding the evaluation order.

A permit inside a restriction skips checks in _that_ restriction.

> 2. Isn't having permit_mynetworks as the first item under
> smtpd_recipient_restrictions setting me up for anyone who spoofs
> 127.0.0.1 as the destination IP address?

IP spoofing in TCP is not as easy as in UDP. Anyway, 127.0.0.1 should never appear on the wire, so use your firewall to block any packet on the network (not on loopback) that has this IP as source or destination. This is generally part of the so-called "anti-spoofing rules".

Of course, if you have a misconfigured or vulnerable proxy on the machine, or if you have a misconfigured NAT (that redirects to/from 127.0.0.1), then an attacker could use it to reach other services. But in this case, the problem is a big one and should be fixed.

> I thought the web site
> recommended putting it at the bottom of the evaluation order.

Which web site? In all examples, permit_mynetworks is at the beginning (generally first).

> 3. Isn't having permit_mynetworks under client restrictions exposing
> me to anyone who spoofs localhost during the SMTP connection
> setup?

See above.

> I'm completely willing to own up to PEBKAC on this one, but I *have*
> read the manuals on this issue...I just haven't grokked them fully.
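To make the evaluation order behind question 1 (and the "useless" remarks above) concrete, here is a small Python model of how smtpd walks its restriction lists: each list stops at the first PERMIT or REJECT, an exhausted list answers PERMIT, and with smtpd_delay_reject = yes the client, helo, sender and recipient lists are all run at RCPT TO, one after another, so a PERMIT in one list never skips the others. This is an added example, not code from the thread or from Postfix; the restriction names are the real Postfix ones but their bodies are simplified stand-ins, and the `example_config()` helper, the session addresses, and the DNS/RBL lookup sets are constructed for illustration.

```python
"""Toy model of Postfix smtpd restriction-list evaluation (added example).

Rules modelled (the only ones the thread relies on):
  * a list is walked in order; the first entry answering PERMIT or REJECT
    ends *that list only*; an exhausted list answers PERMIT, which is why
    a trailing permit_mynetworks is a no-op;
  * with smtpd_delay_reject = yes the client, helo, sender and recipient
    lists are all evaluated at RCPT TO, in that order; the first REJECT
    wins and a PERMIT in one list does not skip the lists after it.
DNS-backed checks and the RBL are replaced by constructed lookup sets.
"""
import ipaddress
from dataclasses import dataclass, field

PERMIT, REJECT, DUNNO = "PERMIT", "REJECT", "DUNNO"


@dataclass
class Session:          # what smtpd knows about one client at RCPT TO
    client_ip: str
    helo: str
    sender: str
    recipient: str


@dataclass
class Config:
    mynetworks: list = field(default_factory=list)
    mydestination: set = field(default_factory=set)
    resolvable: set = field(default_factory=set)   # constructed stand-in for DNS
    rbl_listed: set = field(default_factory=set)   # constructed stand-in for the RBL
    restrictions: dict = field(default_factory=dict)  # stage -> [restriction names]


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower()


# Each restriction returns (verdict, reason); DUNNO means "next entry".
def permit_mynetworks(s, c):
    ip = ipaddress.ip_address(s.client_ip)
    if any(ip in ipaddress.ip_network(n) for n in c.mynetworks):
        return PERMIT, "permit_mynetworks"
    return DUNNO, ""

def reject_unauth_destination(s, c):   # the anti-relay control
    if _domain(s.recipient) in c.mydestination:
        return DUNNO, ""
    return REJECT, "554 5.7.1 <%s>: Relay access denied" % s.recipient

def reject_non_fqdn_helo_hostname(s, c):
    if "." in s.helo:
        return DUNNO, ""
    return REJECT, "504 5.5.2 <%s>: Helo command rejected: need fully-qualified hostname" % s.helo

def reject_unknown_helo_hostname(s, c):
    if s.helo.lower() in c.resolvable:
        return DUNNO, ""
    return REJECT, "450 4.7.1 <%s>: Helo command rejected: Host not found" % s.helo

def reject_unknown_sender_domain(s, c):
    if _domain(s.sender) in c.resolvable:
        return DUNNO, ""
    return REJECT, "450 4.1.8 <%s>: Sender address rejected: Domain not found" % s.sender

def reject_rbl_client(s, c):
    if s.client_ip in c.rbl_listed:
        return REJECT, "554 5.7.1 Service unavailable; Client host [%s] blocked" % s.client_ip
    return DUNNO, ""

RESTRICTIONS = {f.__name__: f for f in (
    permit_mynetworks, reject_unauth_destination, reject_non_fqdn_helo_hostname,
    reject_unknown_helo_hostname, reject_unknown_sender_domain, reject_rbl_client)}
STAGES = ("smtpd_client_restrictions", "smtpd_helo_restrictions",
          "smtpd_sender_restrictions", "smtpd_recipient_restrictions")


def evaluate_list(names, s, c):
    """Walk one list: first PERMIT/REJECT wins; running off the end is PERMIT."""
    for name in names:
        verdict, reason = RESTRICTIONS[name](s, c)
        if verdict != DUNNO:
            return verdict, reason
    return PERMIT, "end of list"

def rcpt_to(s, c):
    """Verdict at RCPT TO with smtpd_delay_reject = yes: (verdict, stage, reason)."""
    for stage in STAGES:
        verdict, reason = evaluate_list(c.restrictions.get(stage, []), s, c)
        if verdict == REJECT:
            return REJECT, stage, reason
    return PERMIT, None, None


def example_config(recipient_first="permit_mynetworks", trailing_client_permit=True):
    """Constructed config shaped like the one in the thread (hypothetical helper)."""
    client = ["reject_rbl_client"] + (["permit_mynetworks"] if trailing_client_permit else [])
    recipient = ([recipient_first] if recipient_first else []) + ["reject_unauth_destination"]
    return Config(
        mynetworks=["127.0.0.0/8", "192.168.11.0/24"],
        mydestination={"host.example.org", "example.org", "localhost", "localhost.localdomain"},
        resolvable={"host.example.org", "example.org", "remote.example.com", "mail.example.net"},
        rbl_listed={"198.51.100.9"},
        restrictions={"smtpd_client_restrictions": client,
                      "smtpd_helo_restrictions": ["reject_non_fqdn_helo_hostname",
                                                  "reject_unknown_helo_hostname"],
                      "smtpd_sender_restrictions": ["reject_unknown_sender_domain"],
                      "smtpd_recipient_restrictions": recipient})

# Constructed sessions: the list server on loopback, a stranger, and a LAN host with a bare HELO.
MAILMAN = Session("127.0.0.1", "host.example.org", "list-bounces@example.org", "user@remote.example.com")
STRANGER_RELAY = Session("203.0.113.7", "mail.example.net", "a@mail.example.net", "user@remote.example.com")
STRANGER_LOCAL = Session("203.0.113.7", "mail.example.net", "a@mail.example.net", "user@example.org")
LAN_BAD_HELO = Session("192.168.11.5", "pc1", "me@example.org", "user@remote.example.com")

if __name__ == "__main__":
    print("mailman, permit first in recipient list:", rcpt_to(MAILMAN, example_config()))
    print("mailman, no permit in recipient list:   ", rcpt_to(MAILMAN, example_config(recipient_first=None)))
    print("mailman, trailing client permit removed:", rcpt_to(MAILMAN, example_config(trailing_client_permit=False)))
    print("stranger relaying:", rcpt_to(STRANGER_RELAY, example_config()))
    print("stranger to local domain:", rcpt_to(STRANGER_LOCAL, example_config()))
    print("LAN host, bare HELO:", rcpt_to(LAN_BAD_HELO, example_config()))
```

Running it shows the three points of the reply: without permit_mynetworks ahead of reject_unauth_destination in the recipient list the loopback client gets exactly the "Relay access denied" of the log; removing the trailing permit_mynetworks from the client list changes nothing; and a trusted LAN host with a bare HELO is still rejected by the helo list, because the PERMIT it earns in the client and recipient lists skips only the rest of those lists.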