On 05.02.24 16:59, Mark via Postfix-users wrote:
> Hi again Matus, oh, now I got it!
> After your reply, I now have in my master.cf ($mua_*):
>
> submission inet n - y - - smtpd
>   -o smtpd_sasl_auth_enable=yes
>   -o smtpd_tls_auth_only=yes
>   -o smtpd_sender_restrictions=$mua_sender_restrictions
>   -o smtpd_recipient_restrictions=$mua_recipient_restrictions
>   -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
> submissions inet n - y - - smtpd
>   -o smtpd_tls_wrappermode=yes
>   -o smtpd_sasl_auth_enable=yes
>   -o smtpd_sender_restrictions=$mua_sender_restrictions
>   -o smtpd_recipient_restrictions=$mua_recipient_restrictions
>   -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
>
> for both 'submission' and 'submissions'.
As I said before, I would put there:

  -o smtpd_client_restrictions=$mua_client_restrictions
  -o smtpd_helo_restrictions=$mua_helo_restrictions

and set in main.cf:

mua_client_restrictions = permit_sasl_authenticated, check_client_access
  static:{530 5.7.0 Authentication Required.}
mua_helo_restrictions =

so no mail would get through without authentication, and clients attempting
that would get a proper error message
- HELO from authenticated clients is not handled at all.
> And in main.cf, I replaced smtpd_sender* and smtpd_recipient* with:
>
> mua_sender_restrictions =
> mua_recipient_restrictions =
I did not recommend you to change either of those.
They should be used for mail servers as you had them set up before.
Better set them back, so you don't affect receiving mail from mail servers.

Setting mua_* variables in main.cf and using them in master.cf is just a trick
to have settings for both "smtps" and "submission" in one place.

The "smtpd" processes use settings from main.cf, unless you redefine them in
master.cf. That's why you put "-o smtpd_*_restrictions=..." in master.cf.
> mua_sender_restrictions =
>   reject_non_fqdn_sender,
>   reject_unlisted_sender,
>   permit_mynetworks,
>   permit_sasl_authenticated,
>   reject_unknown_sender_domain,
Move reject_unknown_sender_domain up, so you don't accept non-existing
domains from local ($mynetworks) or authenticated clients:

smtpd_sender_restrictions =
  reject_non_fqdn_sender,
  reject_unlisted_sender,
  reject_unknown_sender_domain,
  permit_mynetworks,
  permit_sasl_authenticated,
  permit

If you set it like this, you don't need to set mua_sender_restrictions
in main.cf nor use it in master.cf.
> mua_recipient_restrictions =
>   reject_non_fqdn_sender,
>   reject_non_fqdn_recipient,
>   reject_non_fqdn_helo_hostname,
>   reject_invalid_helo_hostname,
>   reject_unlisted_recipient,
>   permit_mynetworks,
>   permit_sasl_authenticated,
>   reject_unauth_destination,
>   reject_rbl_client zen.spamhaus.org=127.0.0.[2..11],
>   ....
>   check_policy_service unix:private/spf-policy,
>   permit
>
> I think this is a better approach, if I did it correctly? Could you confirm
> please?
I have tried to explain it before: you should not use DNSBLs in
submission/smtps services, as you can expect many of your clients to connect
from shared or dynamic IP addresses, which are surely listed in
zen.spamhaus.org and maybe in other DNSBLs too.

You should keep smtpd_recipient_restrictions as it was before.

Looking again at your paste:

>>> https://pastebin.mozilla.org/i5tMtPAk

you should drop from mua_recipient_restrictions everything, perhaps except:

mua_recipient_restrictions =
  reject_non_fqdn_recipient,
  reject_unlisted_recipient,
  reject_unauth_destination,

...and perhaps add (for sure)

  permit_sasl_authenticated,
  reject
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
I'm not interested in your website anymore.
If you need cookies, bake them yourself.
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
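The points raised in this exchange (SASL required on the MUA port, relaying closed to unauthenticated clients, no DNSBL lookups on submission, and reject_unknown_sender_domain placed before the permit_* entries that would otherwise short-circuit it) can be checked mechanically. The following is an added example, not code from either poster or from the Postfix project: a small linter that parses master.cf `-o` overrides and main.cf `$variable` references the way the thread describes them (master.cf override wins, otherwise the main.cf value applies). The configuration snippets inside it are constructed to resemble the thread, not copied from Mark's paste, and the check names and messages are this example's own.

```python
"""Lint a Postfix submission service for the issues discussed in the thread.
Added example; the config snippets below are constructed, not Mark's paste."""
import re

VAR_RE = re.compile(r"\$\{?(\w+)\}?")        # $name or ${name}, as in main.cf
DNSBL_PREFIXES = ("reject_rbl_client", "reject_rhsbl_")
PERMITS = ("permit_mynetworks", "permit_sasl_authenticated")
RESTRICTION_PARAMS = ("smtpd_client_restrictions", "smtpd_helo_restrictions",
                      "smtpd_sender_restrictions", "smtpd_recipient_restrictions",
                      "smtpd_relay_restrictions")

def parse_main_cf(text):
    """Return {parameter: value}; a line starting with whitespace continues the previous value."""
    params, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and current is not None:
            params[current] += " " + line.strip()
        else:
            key, _, value = line.partition("=")
            current = key.strip()
            params[current] = value.strip()
    return params

def parse_master_cf(text):
    """Return {service: {parameter: value}} collected from '-o name=value' overrides."""
    services, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line[0].isspace():             # a service definition line starts in column 1
            current = line.split()[0]
            services[current] = {}
        if current is not None:
            for name, value in re.findall(r"-o\s+(\w+)=(\S*)", line):
                services[current][name] = value
    return services

def expand(value, params, depth=0):
    """Expand $variable references against main.cf (recursively, like Postfix)."""
    if depth > 10:
        raise ValueError("runaway $variable expansion")
    return VAR_RE.sub(lambda m: expand(params.get(m.group(1), ""), params, depth + 1), value)

def restrictions(service, param, master, main):
    """Effective restriction tokens for a service: the master.cf override wins over main.cf."""
    raw = master.get(service, {}).get(param, main.get(param, ""))
    return expand(raw, main).replace(",", " ").split()

def lint_submission(service, master_text, main_text):
    """Return a list of findings; an empty list means the service passes every check."""
    main, master = parse_main_cf(main_text), parse_master_cf(master_text)
    if service not in master:
        return [f"{service}: not defined in master.cf"]
    overrides, findings = master[service], []
    if overrides.get("smtpd_sasl_auth_enable") != "yes":
        findings.append(f"{service}: smtpd_sasl_auth_enable=yes override is missing")
    if "yes" not in (overrides.get("smtpd_tls_auth_only"), overrides.get("smtpd_tls_wrappermode")):
        findings.append(f"{service}: needs smtpd_tls_auth_only=yes or smtpd_tls_wrappermode=yes")
    relay = restrictions(service, "smtpd_relay_restrictions", master, main)
    closers = [i for i, t in enumerate(relay) if t in ("reject", "reject_unauth_destination")]
    if ("permit_sasl_authenticated" not in relay or not closers
            or relay.index("permit_sasl_authenticated") > closers[0]):
        findings.append(f"{service}: smtpd_relay_restrictions should be permit_sasl_authenticated,reject")
    for param in RESTRICTION_PARAMS:          # DNSBLs hit MUAs on shared/dynamic addresses
        for token in restrictions(service, param, master, main):
            if token.startswith(DNSBL_PREFIXES):
                findings.append(f"{service}: {param} uses {token}; drop DNSBL lookups on the MUA port")
    sender = restrictions(service, "smtpd_sender_restrictions", master, main)
    if "reject_unknown_sender_domain" in sender:   # a permit_* before it ends evaluation early
        first_permit = min((sender.index(p) for p in PERMITS if p in sender), default=len(sender))
        if sender.index("reject_unknown_sender_domain") > first_permit:
            findings.append(f"{service}: reject_unknown_sender_domain is listed after a permit_* "
                            "entry and is never reached for local or authenticated clients")
    return findings

# Constructed sample master.cf, modelled on the submission entry in the thread.
MASTER_CF = """
submission inet n       -       y       -       -       smtpd
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_auth_only=yes
  -o smtpd_sender_restrictions=$mua_sender_restrictions
  -o smtpd_recipient_restrictions=$mua_recipient_restrictions
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
"""
# Constructed "before": permit_* ahead of reject_unknown_sender_domain, DNSBL on the MUA port.
MAIN_CF_BEFORE = """
mua_sender_restrictions = reject_non_fqdn_sender, reject_unlisted_sender,
  permit_mynetworks, permit_sasl_authenticated, reject_unknown_sender_domain
mua_recipient_restrictions = reject_non_fqdn_recipient, reject_unlisted_recipient,
  permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination,
  reject_rbl_client zen.spamhaus.org=127.0.0.[2..11], permit
"""
# Constructed "after": unknown sender domains rejected first, no DNSBL lookups.
MAIN_CF_AFTER = """
mua_sender_restrictions = reject_non_fqdn_sender, reject_unlisted_sender,
  reject_unknown_sender_domain, permit_mynetworks, permit_sasl_authenticated, permit
mua_recipient_restrictions = reject_non_fqdn_recipient, reject_unlisted_recipient,
  permit_sasl_authenticated, reject_unauth_destination
"""

if __name__ == "__main__":
    for label, main_cf in (("before", MAIN_CF_BEFORE), ("after", MAIN_CF_AFTER)):
        print(label, lint_submission("submission", MASTER_CF, main_cf) or ["ok"])
```

Run against the "before" snippet the linter reports exactly the two problems Matus points out (the DNSBL lookup reachable from the submission service, and reject_unknown_sender_domain shadowed by permit_mynetworks/permit_sasl_authenticated); the "after" snippet passes. On a live system the same logic can be fed the output of `postconf -n` and `postconf -M`, which print main.cf and master.cf in the same line formats the parsers above expect.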