On Fri, Nov 15, 2024 at 09:21:45PM +0800, Hua Y via Postfix-users wrote:

> Hi list
>
> can you help check if my options for smtps/submission are correct?
>
> in master.cf:
>
> ascleanup unix n - y - 0 cleanup
>   -o header_checks=pcre:/etc/postfix/header_checks_submission
>
> smtps inet n - y - - smtpd
>   -o syslog_name=postfix/smtps
>   -o smtpd_sasl_auth_enable=yes
>   -o smtpd_tls_wrappermode=yes
>   -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
>   -o cleanup_service_name=ascleanup
>
> submission inet n - y - - smtpd
>   -o syslog_name=postfix/submission
>   -o smtpd_sasl_auth_enable=yes
>   -o smtpd_tls_security_level=encrypt
>   -o smtpd_tls_auth_only=yes
>   -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
>   -o cleanup_service_name=ascleanup

You'd typically want some more options to turn off all the other
restrictions that main.cf may define for the port 25 inbound SMTP
service.

    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=
    -o smtpd_data_restrictions=
    -o smtpd_end_of_data_restrictions=

And in "ascleanup", you might want to explicitly configure:

    # Or empty, if you don't want any MIME header checks
    -o mime_header_checks=$header_checks
    # Or empty, if you don't want any checks on the primary headers of
    # attached messages
    -o nested_header_checks=$header_checks

If you have any milters (other than DKIM signing), you might want to
disable those explicitly as well. And to make sure that DKIM signing
only happens for outbound mail, regardless of header forgery, ...

For both submission services:

    -o milter_macro_daemon_name=ORIGINATING

and make sure that the milter is configured to check for this.

The stock master.cf file from the source distribution contains the
below, which you should consider a good starting point to take under
consideration. I'm not sure why the data and end_of_data restrictions
are not set empty in these, perhaps an oversight.

    #submission inet n - n - - smtpd
    #  -o syslog_name=postfix/submission
    #  -o smtpd_forbid_unauth_pipelining=no
    #  -o smtpd_tls_security_level=encrypt
    #  -o smtpd_sasl_auth_enable=yes
    #  -o smtpd_tls_auth_only=yes
    #  -o local_header_rewrite_clients=static:all
    #  -o smtpd_reject_unlisted_recipient=no
    #     Instead of specifying complex smtpd_<xxx>_restrictions here,
    #     specify "smtpd_<xxx>_restrictions=$mua_<xxx>_restrictions"
    #     here, and specify mua_<xxx>_restrictions in main.cf (where
    #     "<xxx>" is "client", "helo", "sender", "relay", or "recipient").
    #  -o smtpd_client_restrictions=
    #  -o smtpd_helo_restrictions=
    #  -o smtpd_sender_restrictions=
    #  -o smtpd_relay_restrictions=
    #  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
    #  -o milter_macro_daemon_name=ORIGINATING
    #submissions inet n - n - - smtpd
    #  -o syslog_name=postfix/submissions
    #  -o smtpd_forbid_unauth_pipelining=no
    #  -o smtpd_tls_wrappermode=yes
    #  -o smtpd_sasl_auth_enable=yes
    #  -o local_header_rewrite_clients=static:all
    #  -o smtpd_reject_unlisted_recipient=no
    #     Instead of specifying complex smtpd_<xxx>_restrictions here,
    #     specify "smtpd_<xxx>_restrictions=$mua_<xxx>_restrictions"
    #     here, and specify mua_<xxx>_restrictions in main.cf (where
    #     "<xxx>" is "client", "helo", "sender", "relay", or "recipient").
    #  -o smtpd_client_restrictions=
    #  -o smtpd_helo_restrictions=
    #  -o smtpd_sender_restrictions=
    #  -o smtpd_relay_restrictions=
    #  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
    #  -o milter_macro_daemon_name=ORIGINATING

--
    Viktor.
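
A check for the overrides recommended in the reply above, as an added example that is not part of the original message or of Postfix: it parses master.cf text and lists, for each SASL-enabled smtpd service, which of the suggested `-o` overrides are absent. The function names and the sample entry are constructed for illustration, and the `-o { name = value }` brace syntax is assumed not to be in use.

```python
RESTRICTION_OVERRIDES = (
    "smtpd_helo_restrictions", "smtpd_sender_restrictions",
    "smtpd_recipient_restrictions", "smtpd_data_restrictions",
    "smtpd_end_of_data_restrictions")

def parse_master_cf(text):
    """Map 'name/type' -> {parameter: value} from '-o name=value' overrides.
    Assumption: the '-o { name = value }' brace form is not used."""
    services, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        fields = line.split()
        if not line[0].isspace():  # new entry, not a continuation line
            if len(fields) < 8:
                current = None
                continue
            # service type private unpriv chroot wakeup maxproc command args
            key = f"{fields[0]}/{fields[1]}"
            current = services.setdefault(key, {"_command": fields[7]})
            fields = fields[8:]
        if current is None:
            continue
        for flag, arg in zip(fields, fields[1:]):
            if flag == "-o" and "=" in arg:
                name, value = arg.split("=", 1)
                current[name] = value
    return services

def audit(text):
    """Return {service: [missing settings]} for SASL-enabled smtpd services."""
    report = {}
    for name, opts in parse_master_cf(text).items():
        if opts["_command"] != "smtpd" or opts.get("smtpd_sasl_auth_enable") != "yes":
            continue
        # A restriction list counts as handled once it is overridden at all,
        # whether set empty or to an explicit value.
        missing = [p for p in RESTRICTION_OVERRIDES if p not in opts]
        if opts.get("milter_macro_daemon_name") != "ORIGINATING":
            missing.append("milter_macro_daemon_name")
        report[name] = missing
    return report

# Constructed sample: an abbreviated form of the submission entry quoted above.
POSTED = """\
submission inet n - y - - smtpd
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
"""
print(audit(POSTED))
```

Any restriction list reported here is still inherited from main.cf by that service, and a missing `milter_macro_daemon_name` means the milter cannot tell submitted mail from port 25 mail.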