On Sunday 26 July 2009 07:19:39 pm Magnus Bäck wrote:
> On Sunday, July 26, 2009 at 23:58 CEST,
>      Pablo Yaggi <pya...@alsurdelsur.com> wrote:
>
> > I'm running postfix as a virtual mail server and I have the
> > following issue, relay control is working fine with pop-before-smtp,
> > but still get spam passing through because when a spammer puts the
> > "From" header with any of my virtual domains and a "Rcpt" also is on
> > the virtual domains no authentication is required because
> > pop-before-smtp only authenticates for relay.
> > So the question is, is it possible to condition the smtp access
> > to deny access when the destination is local and the user is local and
> > the client agent IP is not in pop-before-smtp database ?
>
> I suggest you use SASL instead of POP-before-SMTP and use the
> smtpd_sender_login_maps feature.

But I'm running a mass virtual hosting server; if I use authenticated SMTP, will it not prevent external SMTP from delivering mail to my users?
>
> But you can do something similar with POP-before-SMTP.
>
> main.cf:
> smtpd_restriction_classes = permit_pop_before_smtp
> permit_pop_before_smtp =
>     check_client_access hash:/etc/postfix/pop-before-smtp
> smtpd_sender_restrictions = check_sender_access hash:/path/to/file
>
> /path/to/file:
> example.com    permit_pop_before_smtp, reject
>
> example.com is a domain that you want to protect from non-POPed clients.

This will prevent anyone who tries to send mail to example.com need to be authenticated, but external SMTP needs no authentication. What I need is for example.com (if example.com is in my virtuals) to be protected from non-POPed clients when the signature of the mail (the FROM) is IN my virtuals.

In other words, I need clients of my servers to be POP-authenticated whatever they want to do, meaning relay or not relay. And outsiders need no authentication to deliver to my locals if they are not RBL listed.

> [...]
>
> > these are my current restrictions:
> > smtpd_recipient_restrictions = permit_mynetworks,
> >         check_client_access hash:/etc/postfix/pop-before-smtp,
> >         reject_authenticated_sender_login_mismatch,
> >         permit_sasl_authenticated,
>
> These last two lines don't make any sense unless you use SASL.
>
> >         reject_unauth_destination,
> >         reject_unauth_pipelining,
> >         check_recipient_maps,
>
> check_recipient_maps has been deprecated for years. Use
> reject_unlisted_recipient instead.
>
> >         reject_non_fqdn_sender,
> >         reject_non_fqdn_recipient,
> >         reject_rbl_client sbl-xbl.spamhaus.org,
> >         reject_rbl_client bl.spamcop.net,
> >         reject_rbl_client list.dsbl.org,
>
> dsbl.org is dead. Remove it.

OK, I'm on it.

> >         reject_rhsbl_client sbl-xbl.spamhaus.org,
> >         reject_rhsbl_client bl.spamcop.net,
> >         reject_rhsbl_client list.dsbl.org,
> >         reject_rhsbl_sender sbl-xbl.spamhaus.org,
> >         reject_rhsbl_sender bl.spamcop.net,
> >         reject_rhsbl_sender list.dsbl.org,
> >         permit_auth_destination,
> >         reject
>
> The two last ones serve no purpose.

Removed ...

Thanks a lot
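
A simplified model of how the restriction class quoted above is evaluated, added here as an example; it is not part of the original message and is not Postfix code. The client IPs, addresses other than example.com, the reduced recipient stage (RBL checks omitted) and all function names are assumptions made for illustration.

```python
# Simplified model of the access decision for the quoted sender-restriction
# class. Tables below are constructed sample data, not real maps.

PROTECTED_SENDER_DOMAINS = {"example.com"}   # keys of /path/to/file
POP_BEFORE_SMTP = {"192.0.2.10"}             # constructed: recently POPed client IPs
LOCAL_DOMAINS = {"example.com"}              # assumed: domains hosted on this server


def domain_of(address):
    """Return the lower-cased domain part of an envelope address."""
    return address.rsplit("@", 1)[-1].lower()


def permit_pop_before_smtp(client_ip):
    """Restriction class: check_client_access on the pop-before-smtp table."""
    return "OK" if client_ip in POP_BEFORE_SMTP else "DUNNO"


def sender_stage(client_ip, mail_from):
    """smtpd_sender_restrictions = check_sender_access hash:/path/to/file"""
    if domain_of(mail_from) not in PROTECTED_SENDER_DOMAINS:
        return "DUNNO"                       # no table entry for this sender
    # Table action "permit_pop_before_smtp, reject", evaluated left to right.
    if permit_pop_before_smtp(client_ip) == "OK":
        return "OK"
    return "REJECT"


def recipient_stage(client_ip, rcpt_to):
    """Reduced recipient list: POPed clients may relay, others reach local domains only."""
    if client_ip in POP_BEFORE_SMTP:
        return "OK"
    if domain_of(rcpt_to) in LOCAL_DOMAINS:
        return "OK"                          # RBL checks from the thread are omitted
    return "REJECT"                          # stands in for reject_unauth_destination


def decide(client_ip, mail_from, rcpt_to):
    """A REJECT in any stage is final; OK or DUNNO only ends that stage."""
    if sender_stage(client_ip, mail_from) == "REJECT":
        return "REJECT"
    return recipient_stage(client_ip, rcpt_to)
```

The lookup key in `sender_stage` is the envelope sender (MAIL FROM), not the recipient and not the "From" header inside the message.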