taphy wrote:
Hi all,
I'm not so experienced with Postfix, unfortunately, and I'm not sure whether
I'm breaking something in my security by applying the following
smtpd_recipient_restrictions etc. (warn_if_reject is for the testing period
only; I will remove it later):

unknown_local_recipient_reject_code = 450
smtp_use_tls = yes
smtpd_use_tls = no
smtpd_tls_key_file = /etc/postfix/TLS/myhost.key
smtpd_tls_cert_file = /etc/postfix/TLS/myhost.crt.selfsigned
smtpd_tls_CAfile = /etc/postfix/TLS/myhost.crt.selfsigned
smtpd_tls_loglevel = 2
smtpd_tls_received_header = yes

smtpd_sender_restrictions =
        permit_mynetworks,
        check_sender_access hash:/etc/postfix/sender_checks,

smtpd_recipient_restrictions =
                warn_if_reject check_recipient_access regexp:/etc/postfix/recipient.regexp,
                permit_mynetworks,
                reject_unauth_destination,

your check_recipient_access map should go right here, just after reject_unauth_destination. This prevents accidental open relay if you put an OK in that file.

                warn_if_reject reject_unknown_sender_domain,
                reject_rbl_client zen.spamhaus.org,
                reject_rbl_client bl.spamcop.net,
                permit
smtpd_helo_restrictions = warn_if_reject reject_invalid_hostname,
smtpd_require_helo = yes
default_destination_concurrency_limit = 10
default_process_limit = 50

in /etc/postfix/sender_checks:
myhost.myfirstdomain.net              REJECT
localhost                 REJECT

in /etc/postfix/recipient.regexp, something like this (the real regexp works OK,
no problem):
!/(^postmaster|^support|^(\+)?[0-9]+)@myseconddomain|(.*)@(myhost\.)?myfirstdomain/
550 illegal recipient

questions:
How does check_recipient_access work when no match for the message is
found in /etc/postfix/recipient.regexp: will such a message be considered
OK and sent to the recipient immediately, or will it pass further through the
rest of the chain of rules in smtpd_recipient_restrictions?

If no match is found, the next restriction in your list is tried. In your above example, that would be permit_mynetworks.

Also, I still have no clear understanding of what permit_mynetworks exactly means in the context of smtpd_recipient_restrictions - is it permission to send TO any of my networks or to send FROM any of my networks? (In other words, is "mynetworks" = sender or "mynetworks" = rcpt here?)

Any client IP listed in mynetworks will skip the rest of smtpd_recipient_restrictions. This is independent of sender or recipient, but based solely on the client IP.


The last question ( :) sorry for asking a lot ) - can I just silently drop messages with /etc/postfix/recipient.regexp without sending anything back to the unsuccessful sender?

You can, but generally this is considered bad practice.
REJECT should be sufficient for the vast majority of cases. Use DISCARD if you want to accept a message and silently discard it. Note this affects all recipients of a multi-recipient message.

   -- Noel Jones
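An added example, not from the thread and not Postfix's own code: a small Python simulation of how smtpd_recipient_restrictions walks its list, run over the posted recipient.regexp. The mynetworks and mydestination values are constructed, only the full-address lookup of the access map is modelled, and a hypothetical "OK" line is added to a second copy of the map to show the open-relay risk of placing the map before reject_unauth_destination.

```python
import ipaddress
import re

# Constructed sample data modelled on the thread's config; not taken from the post.
MYNETWORKS = [ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("192.0.2.0/24")]
MYDESTINATION = {"myfirstdomain.net", "myhost.myfirstdomain.net", "myseconddomain"}

def load_regexp_table(text):
    """Parse Postfix regexp lines '/pat/ action' or '!/pat/ action' (negated match)."""
    table = []
    for line in text.splitlines():
        m = re.match(r"\s*(!?)/(.*)/\s+(\S.*)$", line)
        if m:  # blank lines are skipped; Postfix patterns are case-insensitive
            table.append((re.compile(m.group(2), re.I), m.group(1) == "!", m.group(3)))
    return table

# The map as posted, plus a copy with a hypothetical OK line to show why order matters.
RECIPIENT_MAP = load_regexp_table(
    r"!/(^postmaster|^support|^(\+)?[0-9]+)@myseconddomain|(.*)@(myhost\.)?myfirstdomain/ 550 illegal recipient")
RECIPIENT_MAP_WITH_OK = load_regexp_table(r"/^postmaster@/ OK") + RECIPIENT_MAP

def check_recipient_access(table, rcpt):
    """First matching line wins; only the full-address lookup is simulated here."""
    for pattern, negate, action in table:
        if (pattern.search(rcpt) is not None) != negate:
            return action
    return None  # no match: Postfix moves on to the next restriction

def permit_mynetworks(client_ip):
    """Decided solely by the client IP, regardless of sender or recipient."""
    return "OK" if any(ipaddress.ip_address(client_ip) in n for n in MYNETWORKS) else None

def reject_unauth_destination(rcpt):
    return None if rcpt.rpartition("@")[2].lower() in MYDESTINATION else "554 Relay access denied"

def evaluate(order, table, client_ip, rcpt):
    """Walk the list like smtpd_recipient_restrictions: first verdict wins, end permits."""
    for name in order:
        if name == "check_recipient_access":
            verdict = check_recipient_access(table, rcpt)
        elif name == "permit_mynetworks":
            verdict = permit_mynetworks(client_ip)
        else:
            verdict = reject_unauth_destination(rcpt)
        if verdict is not None:
            return name, verdict
    return "end-of-list", "OK"

POSTED = ["check_recipient_access", "permit_mynetworks", "reject_unauth_destination"]
RECOMMENDED = ["permit_mynetworks", "reject_unauth_destination", "check_recipient_access"]
```

With the map as posted, a recipient that the negated pattern accepts produces no match and falls through to permit_mynetworks; with the hypothetical OK line, the POSTED order relays postmaster@example.org from an outside client, while RECOMMENDED rejects it at reject_unauth_destination.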
