On Sunday, July 26, 2009 at 23:58 CEST, Pablo Yaggi <pya...@alsurdelsur.com> wrote:
> I'm running postfix as a virtual mail server and I have the
> following issue, relay control is working fine with pop-before-smtp,
> but still get spam passing through because when a spammer puts the
> "From" header with any of my virtual domains and a "Rcpt" also is on
> the virtual domains no authentication is required because
> pop-before-smtp only authenticates for relay.
> So the question is, is it possible to condition the smtp access
> to deny access when the destination is local and the user is local and
> the client agent IP is not in pop-before-smtp database ?

I suggest you use SASL instead of POP-before-SMTP and use the
smtpd_sender_login_maps feature. But you can do something similar
with POP-before-SMTP.

main.cf:
smtpd_restriction_classes = permit_pop_before_smtp
permit_pop_before_smtp = check_client_access hash:/etc/postfix/pop-before-smtp
smtpd_sender_restrictions = check_sender_access hash:/path/to/file

/path/to/file:
example.com     permit_pop_before_smtp, reject

example.com is a domain that you want to protect from non-POPed clients.

[...]

> these are my current restrictions:
> smtpd_recipient_restrictions = permit_mynetworks,
> check_client_access hash:/etc/postfix/pop-before-smtp,
> reject_authenticated_sender_login_mismatch,
> permit_sasl_authenticated,

These last two lines don't make any sense unless you use SASL.

> reject_unauth_destination,
> reject_unauth_pipelining,
> check_recipient_maps,

check_recipient_maps has been deprecated for years. Use
reject_unlisted_recipient instead.

> reject_non_fqdn_sender,
> reject_non_fqdn_recipient,
> reject_rbl_client sbl-xbl.spamhaus.org,
> reject_rbl_client bl.spamcop.net,
> reject_rbl_client list.dsbl.org,

dsbl.org is dead. Remove it.

> reject_rhsbl_client sbl-xbl.spamhaus.org,
> reject_rhsbl_client bl.spamcop.net,
> reject_rhsbl_client list.dsbl.org,
> reject_rhsbl_sender sbl-xbl.spamhaus.org,
> reject_rhsbl_sender bl.spamcop.net,
> reject_rhsbl_sender list.dsbl.org,
> permit_auth_destination,
> reject

The two last ones serve no purpose.

-- 
Magnus Bäck
mag...@dsek.lth.se
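
Added example, not part of the original message: a simplified Python model of how the restriction class suggested above is evaluated for an envelope sender (MAIL FROM) and client IP. The 192.0.2.10 table entry is constructed, and the model matches exact domain and IP keys only, which is narrower than Postfix's real table lookups.

```python
import re

# Settings from the reply, embedded as text so the model runs offline.
MAIN_CF = """
smtpd_restriction_classes = permit_pop_before_smtp
permit_pop_before_smtp = check_client_access hash:/etc/postfix/pop-before-smtp
smtpd_sender_restrictions = check_sender_access hash:/path/to/file
"""
TABLES = {
    "hash:/path/to/file": "example.com permit_pop_before_smtp, reject\n",
    # Constructed entry: a client that recently authenticated over POP.
    "hash:/etc/postfix/pop-before-smtp": "192.0.2.10 OK\n",
}

def parse_main_cf(text):
    """Return {parameter: [restriction tokens]}."""
    params = {}
    for line in text.strip().splitlines():
        name, _, value = line.partition("=")
        params[name.strip()] = re.split(r"[,\s]+", value.strip())
    return params

def parse_table(text):
    """Return {key: [action tokens]} for 'key action, action' lines."""
    table = {}
    for line in text.strip().splitlines():
        key, _, value = line.partition(" ")
        table[key.lower()] = re.split(r"[,\s]+", value.strip())
    return table

def evaluate(restrictions, params, sender, client_ip):
    """Walk a restriction list; return OK, REJECT or DUNNO (no decision)."""
    classes = params.get("smtpd_restriction_classes", [])
    tokens = iter(restrictions)
    for tok in tokens:
        if tok in ("check_sender_access", "check_client_access"):
            table = parse_table(TABLES[next(tokens)])
            # Assumption: exact domain / exact IP keys only.
            by_sender = tok == "check_sender_access"
            key = sender.rpartition("@")[2].lower() if by_sender else client_ip
            result = evaluate(table.get(key, []), params, sender, client_ip)
        elif tok in classes:  # expand the restriction class
            result = evaluate(params[tok], params, sender, client_ip)
        else:
            result = tok.upper() if tok.upper() in ("OK", "REJECT") else "DUNNO"
        if result != "DUNNO":
            return result
    return "DUNNO"

def sender_decision(sender, client_ip):
    """Decision of smtpd_sender_restrictions for one MAIL FROM and client."""
    params = parse_main_cf(MAIN_CF)
    return evaluate(params["smtpd_sender_restrictions"], params, sender, client_ip)
```

A DUNNO result means the sender restrictions made no decision, so the message is still subject to smtpd_recipient_restrictions.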