On Mon, Jan 26, 2009 at 10:15:44PM +0100, mouss wrote:
> This is useless. At this stage, the domain is yours (other domains have
> been rejected by the anti-relay control: reject_unauth_destination).

Nevertheless, if I don't put permit_mynetworks in both smtpd_client_restrictions and smtpd_recipient_restrictions, email sent to a mailman list address on the local server will be rejected because it's considered an unauthorized relay when:

    Jan 27 14:21:39 penguin postfix/smtpd[32089]: NOQUEUE: reject: RCPT from localhost.localdomain[127.0.0.1]: 554 5.7.1 <exam...@hotmail.com>: Relay access denied; from=<example.discuss-boun...@example.org> to=<exam...@hotmail.com> proto=ESMTP helo=<penguin.example.org>

So, if I don't permit_mynetworks explicitly, mail sent to the mailman list address is received, but can't be sent on to the list participants. I get "relay access denied" when mailman attempts to resend the mail.

> consider putting all your checks under smtpd_recipient_restrictions.

Or not. From http://www.postfix.org/SMTPD_ACCESS_README.html:

    Some people recommend placing ALL the access restrictions in the
    smtpd_recipient_restrictions list. Unfortunately, this can result in
    too permissive access.

I posted the relevant sections of my configuration, but I'll put the output of postconf here to avoid argument:

    $ sudo postconf -n
    alias_database = hash:/etc/aliases
    alias_maps = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
    append_dot_mydomain = no
    biff = no
    bounce_template_file = /etc/postfix/bounce.cf
    command_directory = /usr/sbin
    config_directory = /etc/postfix
    daemon_directory = /usr/lib/postfix
    default_destination_concurrency_limit = 3
    delay_warning_time = 4
    disable_vrfy_command = yes
    mailbox_command = /usr/bin/procmail -p
    mailbox_size_limit = 0
    manpage_directory = /usr/share/man
    masquerade_domains = codegnome.org asd-advocacy.org independentlivingsupports.com
    masquerade_exceptions = root
    mydestination = $myhostname $mydomain localhost localhost.localdomain localhost.$mydomain AAAAAAAAAA.com
    mydomain = codegnome.org
    mynetworks = 127.0.0.0/8 192.168.11.0/24
    myorigin = /etc/mailname
    owner_request_special = no
    readme_directory = /usr/share/doc/postfix
    recipient_delimiter = -
    relay_destination_recipient_limit = 5
    relayhost = smtp.charter.net
    sample_directory = /usr/share/doc/postfix/examples
    setgid_group = postdrop
    smtpd_authorized_verp_clients = $mynetworks
    smtpd_banner = $myhostname ESMTP $mail_name
    smtpd_client_restrictions = reject_rbl_client zen.spamhaus.org check_client_access hash:/etc/postfix/domain_access permit_mynetworks
    smtpd_data_restrictions = reject_unauth_pipelining
    smtpd_delay_reject = yes
    smtpd_error_sleep_time = 5
    smtpd_helo_required = yes
    smtpd_helo_restrictions = reject_invalid_helo_hostname reject_non_fqdn_helo_hostname reject_unknown_helo_hostname
    smtpd_recipient_restrictions = permit_mynetworks reject_unauth_destination reject_unknown_recipient_domain check_recipient_mx_access hash:/etc/postfix/recipient_mx_access check_recipient_access hash:/etc/postfix/recipient_access check_policy_service inet:127.0.0.1:60000
    smtpd_sender_restrictions = check_sender_mx_access hash:/etc/postfix/sender_mx_access check_sender_access hash:/etc/postfix/sender_access reject_unknown_sender_domain
    smtpd_soft_error_limit = 2

My educated guess is that it has something to do with reject_unauth_destination in the smtpd_recipient_restrictions, but I'm not sure how that is being evaluated in this particular context.

--
"Oh, look: rocks!"
    -- Doctor Who, "Destiny of the Daleks"
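
Added example, not part of the original message: a simplified Python model of how Postfix walks the restriction lists quoted above, where a PERMIT from permit_mynetworks ends only the list it appears in and a later list can still reject. The LOCAL_DOMAINS set, the reduced two-check lists and the sample addresses are assumptions made for illustration; the other checks in the posted configuration are left out.

```python
import ipaddress

# From the postconf -n output in the post.
MYNETWORKS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "192.168.11.0/24")]
# Assumption: simplified stand-in for the domains the server accepts mail for.
LOCAL_DOMAINS = {"codegnome.org", "localhost", "localhost.localdomain"}

def permit_mynetworks(client_ip, rcpt):
    addr = ipaddress.ip_address(client_ip)
    return "PERMIT" if any(addr in net for net in MYNETWORKS) else "DUNNO"

def reject_unauth_destination(client_ip, rcpt):
    domain = rcpt.rsplit("@", 1)[-1].lower()
    return "DUNNO" if domain in LOCAL_DOMAINS else "REJECT"

def evaluate(config, client_ip, rcpt):
    """Walk the lists in order. PERMIT ends only the current list; REJECT is final."""
    for list_name, checks in config:
        for check in checks:
            result = check(client_ip, rcpt)
            if result == "REJECT":
                return ("REJECT", list_name, check.__name__)
            if result == "PERMIT":
                break  # skip the rest of this list, continue with the next one
    return ("ACCEPT", None, None)

# Restriction lists reduced to the two checks under discussion (assumption).
AS_POSTED = [
    ("smtpd_client_restrictions", [permit_mynetworks]),
    ("smtpd_recipient_restrictions", [permit_mynetworks, reject_unauth_destination]),
]
CLIENT_LIST_ONLY = [
    ("smtpd_client_restrictions", [permit_mynetworks]),
    ("smtpd_recipient_restrictions", [reject_unauth_destination]),
]

if __name__ == "__main__":
    remote = "subscriber@remote.example"  # constructed off-site list member
    for name, cfg in (("as posted", AS_POSTED), ("client list only", CLIENT_LIST_ONLY)):
        print(name, "| Mailman on 127.0.0.1 ->", evaluate(cfg, "127.0.0.1", remote))
    print("outside client ->", evaluate(AS_POSTED, "203.0.113.5", remote))
```

With permit_mynetworks placed ahead of reject_unauth_destination, hosts in mynetworks can relay to off-site recipients while outside clients are still refused for non-local destinations.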