Hi Noel, many thanks for the reply. So if I need to restrict sending to some recipients that are exactly in mynetworks (this postfix instance relays email to another email application on the same host), I have to put check_recipient_access regexp:/etc/postfix/recipient.regexp before permit_mynetworks, but have to warn any other admins not to place any OK rules in /etc/postfix/recipient.regexp?
I do understand that it is bad practice to silently drop any email.. but I just need to prevent this "other" email application from sending auto-replies (NDR) in reply to "out of office" messages received from remote hosts (legitimate users)... (too much useless email: backscatter(s) ---> entire world sends "out of office" ---> to my "other" email application via my postfix --> email application sends NDR back to entire world as postmaster --> entire world sends "out of office" to my postmaster.. %) cool.. )

Tatiana

On Fri, Aug 14, 2009 at 10:22 AM, Noel Jones<njo...@megan.vbhcs.org> wrote:
> taphy wrote:
>>
>> Hi all,
>> I'm not so experienced in dealing with postfix unfortunately and not sure
>> if I'm not breaking something in my security with applying the following
>> smtpd_recipient_restrictions & etc (warn_if_reject - for testing period
>> only, will remove it later):
>>
>> unknown_local_recipient_reject_code = 450
>> smtp_use_tls = yes
>> smtpd_use_tls = no
>> smtpd_tls_key_file = /etc/postfix/TLS/myhost.key
>> smtpd_tls_cert_file = /etc/postfix/TLS/myhost.crt.selfsigned
>> smtpd_tls_CAfile = /etc/postfix/TLS/myhost.crt.selfsigned
>> smtpd_tls_loglevel = 2
>> smtpd_tls_received_header = yes
>>
>> smtpd_sender_restrictions =
>>     permit_mynetworks,
>>     check_sender_access hash:/etc/postfix/sender_checks,
>>
>> smtpd_recipient_restrictions =
>>     warn_if_reject check_recipient_access regexp:/etc/postfix/recipient.regexp,
>>     permit_mynetworks,
>>     reject_unauth_destination,
>
> your check_recipient_access map should go right here, just after
> reject_unauth_destination. This prevents accidental open relay if you put
> an OK in that file.
>
>>     warn_if_reject reject_unknown_sender_domain,
>>     reject_rbl_client zen.spamhaus.org,
>>     reject_rbl_client bl.spamcop.net,
>>     permit
>> smtpd_helo_restrictions =
>>     warn_if_reject reject_invalid_hostname,
>> smtpd_require_helo = yes
>> default_destination_concurrency_limit = 10
>> default_process_limit = 50
>>
>> in /etc/postfix/sender_checks:
>> myhost.myfirstdomain.net REJECT
>> localhost REJECT
>>
>> in /etc/postfix/recipient.regexp something like that (the real regexp works
>> ok, no problem):
>>
>> !/(^postmaster|^support|^(\+)?[0-9]+)@myseconddomain|(.*)@(myhost\.)?myfirstdomain/ 550 illegal recipient
>>
>> questions:
>> How does check_recipient_access work in case no match for a message is
>> found in /etc/postfix/recipient.regexp: will such a message be considered
>> ok and sent to the recipient immediately, or will it pass further through the
>> rest of the chain of rules in smtpd_recipient_restrictions?
>
> If no match is found, the next restriction in your list is tried. In your
> above example, that would be permit_mynetworks.
>
>> Also I still have no clear understanding of what permit_mynetworks
>> exactly means in the context of smtpd_recipient_restrictions - is it
>> allowance to send TO any of my networks or to send FROM any of my networks? (in other
>> words, is "mynetworks" = sender or "mynetworks" = rcpt here)
>
> Any client IP listed in mynetworks will skip the rest of
> smtpd_recipient_restrictions. This is independent of sender or recipient,
> but based solely on the client IP.
>
>>
>> the last question ( :) sorry for asking a lot ) - can I just silently drop
>> messages with /etc/postfix/recipient.regexp without sending anything back
>> to the unsuccessful sender?
>
> You can, but generally this is considered bad practice.
> REJECT should be sufficient for the vast majority of cases. Use DISCARD if
> you want to accept a message and silently discard it. Note this affects all
> recipients of a multi-recipient message.
>
> -- Noel Jones
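The two points the thread turns on, that a mynetworks client skips everything after permit_mynetworks and that an OK in an access map placed before reject_unauth_destination opens the relay for matching recipients, can be seen by walking the restriction list by hand. The toy model below is an added example, not code from this thread or from Postfix; it reduces smtpd(8) to OK/DUNNO/reject results, and the networks, domains, client addresses and map entries (the thread's own regexp line plus a constructed `^partner@ OK` line) are constructed for the demonstration.

```python
"""Toy model of how smtpd(8) walks smtpd_recipient_restrictions.

Added example, not code from this thread or from Postfix. Everything it
reads (mynetworks, local domains, client IPs, map lines) is constructed."""

import ipaddress
import re

# Constructed stand-ins for main.cf values.
MYNETWORKS = [ipaddress.ip_network("127.0.0.0/8"),
              ipaddress.ip_network("192.0.2.0/24")]
LOCAL_DOMAINS = {"myfirstdomain.net", "myhost.myfirstdomain.net",
                 "myseconddomain.net"}

# regexp: table entries as (negated, pattern, result). Postfix matches regexp
# tables case-insensitively by default, hence IGNORECASE. THREAD_RULE is the
# thread's own '!/.../ 550 illegal recipient' line; the constructed "OK" line
# is the kind of entry Noel warns about, placed first so it wins when it hits.
THREAD_RULE = (True, re.compile(
    r"(^postmaster|^support|^(\+)?[0-9]+)@myseconddomain|(.*)@(myhost\.)?myfirstdomain",
    re.IGNORECASE), "550 illegal recipient")
RECIPIENT_REGEXP_SAFE = [THREAD_RULE]
RECIPIENT_REGEXP_UNSAFE = [(False, re.compile(r"^partner@", re.IGNORECASE), "OK"),
                           THREAD_RULE]


def check_recipient_access(table):
    """Restriction applying the first table entry that matches the recipient.
    A '!/pattern/' line (negated=True) applies when the pattern does NOT match.
    If no entry applies the result is DUNNO, i.e. try the next restriction."""
    def restriction(client_ip, sender, rcpt):
        for negated, pattern, result in table:
            if (pattern.search(rcpt) is not None) != negated:
                return result
        return "DUNNO"
    return restriction


def permit_mynetworks(client_ip, sender, rcpt):
    # Decided on the client IP alone; sender and recipient play no part.
    ip = ipaddress.ip_address(client_ip)
    return "OK" if any(ip in net for net in MYNETWORKS) else "DUNNO"


def reject_unauth_destination(client_ip, sender, rcpt):
    # Recipient domain must be one this host accepts mail for; else no relay.
    domain = rcpt.rpartition("@")[2].lower()
    return "DUNNO" if domain in LOCAL_DOMAINS else "554 Relay access denied"


def evaluate(restrictions, client_ip, sender, rcpt):
    """OK permits and stops, a reply code rejects and stops, DUNNO moves on."""
    for name, fn in restrictions:
        result = fn(client_ip, sender, rcpt)
        if result == "OK":
            return ("permit", name)
        if result != "DUNNO":
            return ("reject", name + ": " + result)
    return ("permit", "end of list")


def build(order, table):
    parts = {
        "check_recipient_access": check_recipient_access(table),
        "permit_mynetworks": permit_mynetworks,
        "reject_unauth_destination": reject_unauth_destination,
        "permit": lambda client_ip, sender, rcpt: "OK",
    }
    return [(name, parts[name]) for name in order]


# The order Tatiana proposes (map first) and the order Noel recommends.
MAP_FIRST = ["check_recipient_access", "permit_mynetworks",
             "reject_unauth_destination", "permit"]
MAP_AFTER_UNAUTH = ["permit_mynetworks", "reject_unauth_destination",
                    "check_recipient_access", "permit"]


def open_relay(order, table):
    """True if a client outside mynetworks may send to a foreign recipient."""
    verdict = evaluate(build(order, table), "203.0.113.7",
                       "someone@outside.example", "partner@elsewhere.example")
    return verdict[0] == "permit"


def local_app_blocked(order, table):
    """True if a mynetworks client is stopped by the map (Tatiana's goal)."""
    verdict = evaluate(build(order, table), "192.0.2.10",
                       "app@myhost.myfirstdomain.net", "nobody@myseconddomain.net")
    return verdict[0] == "reject"


if __name__ == "__main__":
    for label, order in (("map first", MAP_FIRST),
                         ("map after reject_unauth_destination", MAP_AFTER_UNAUTH)):
        for tlabel, table in (("REJECT-only map", RECIPIENT_REGEXP_SAFE),
                              ("map with an OK line", RECIPIENT_REGEXP_UNSAFE)):
            print(f"{label:36} {tlabel:20} open relay: {open_relay(order, table)!s:5} "
                  f"local app blocked: {local_app_blocked(order, table)}")
```

Run as a script it prints the four combinations: with the map first, the REJECT-only table does what Tatiana wants (the local application cannot reach a disallowed recipient) but a single OK line in that same position relays for strangers; with the map after reject_unauth_destination the OK line is harmless, yet the local application is never checked because permit_mynetworks has already said OK. On a real host the map itself can be queried with `postmap -q 'nobody@myseconddomain.net' regexp:/etc/postfix/recipient.regexp` to confirm which line fires for a given recipient.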