On 04/23/10 00:45, Noel Jones wrote:
> On 4/22/2010 5:16 PM, Oliver Schinagl wrote:
>> On 04/22/10 19:21, /dev/rob0 wrote:
>>> On Wed, Apr 21, 2010 at 09:49:49PM -0500, Noel Jones wrote:
>>>
>>>> "submission" is commented out in the default postfix config because
>>>> a relatively small subset of folks using postfix need it, and it's
>>>> not nice to open ports not needed.
>>>>
>>> I would say that the subset is (or will soon be) a majority of sites,
>>> given the widespread blocking of port 25 for end users. However, as a
>>> default, it would not make sense to enable submission, because it
>>> relies on external software to provide SASL AUTH. Postfix is designed
>>> to work stand-alone, out of the box.
>>>
>>> In another part of this thread, the OP mentioned having read that
>>> "smtpd_delay_reject = no" was a good idea. Much thought has gone into
>>> Postfix default settings. Sometimes these defaults need to be changed
>>> for a site, but the best thing to do is to consult the documentation
>>> and find what the reasoning was for the default setting. The default
>>> smtpd_delay_reject=yes makes good sense in most cases. Inexperienced
>>> people often think that getting rid of them at CONNECT is going to
>>> save bandwidth, but there is no evidence to support this. It's just
>>> as likely that poorly-coded spam clients are going to connect again
>>> and keep trying. Penny wise, pound foolish.
>>>
>> I haven't tried whether my sasl auth on default port works now, but I
>> have noticed a huge increase in spam getting passed; I haven't looked if
>> I can do RBL in amavis (I should?). But postfix isn't rejecting any RBL
>> anymore with the SMTP relay, yes?
>
> Unrelated. The setting of smtpd_delay_reject will have no effect on
> RBL lookups. If your RBLs aren't working anymore, you should double
> check the other things you changed.
>
> You should leave smtpd_delay_reject at its default setting of yes
> unless you have a full understanding of why you might or might not
> want to change it. Indeed, all the postfix default settings are
> carefully chosen and shouldn't be changed without careful research or
> advice from a reliable source[1].
>
> [1] Advice you receive on this list can be considered peer-reviewed and
> reliable. Advice found on the postfix.org web site can be considered
> authoritative and accurate. Advice found on some google-suggested web
> site may or may not have been peer-reviewed, and may or may not be
> accurate or current; use with caution.
>
> If you need help, you know the drill -- "postconf -n" and logs
> showing the problem.
>

Well, what I'm after is the following:

Postfix should be nice and locked, no relaying or anything like that;
backup MX's should be allowed to relay of course, and users who have
logged in properly via, say, thunderbird (using sasl_auth). Also I would
like to use public RBL's to lower the load on my spamfilter etc., so they
shouldn't even come in.

Here's what I have in my postconf now:

biff = no
broken_sasl_auth_clients = no
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/lib64/postfix
data_directory = /var/lib/postfix
debug_peer_level = 1
disable_vrfy_command = yes
home_mailbox = .maildir/
html_directory = /usr/share/doc/postfix-2.6.5/html
mail_owner = postfix
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
message_size_limit = 20480000
mydomain = example.com
myhostname = foo.example.com
mynetworks_style = host
newaliases_path = /usr/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.6.5/readme
recipient_delimiter = +
relay_domains = pgsql:/etc/postfix/pgsql/pgsql-relay-domains-maps.cf
sendmail_path = /usr/sbin/sendmail
setgid_group = postdrop
smtpd_banner = $myhostname NO UCE ESMTP
smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, permit_mx_backup, reject_rbl_client zen.spamhaus.org, reject_rbl_client cbl.abuseat.org, reject_rbl_client bl.spamcop.net
smtpd_delay_reject = yes
smtpd_helo_required = yes
smtpd_helo_restrictions = reject_invalid_hostname
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, permit_mx_backup, check_policy_service inet:127.0.0.1:2525, reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = no
smtpd_sasl_local_domain =
smtpd_sasl_security_options = noanonymous
smtpd_tls_CAfile = /etc/ssl/certs/cacert.org.pem
smtpd_tls_auth_only = no
smtpd_tls_cert_file = /etc/postfix/ssl/smtp.example.com_server.pem
smtpd_tls_key_file = /etc/postfix/ssl/smtp.example.com_privatekey.pem
smtpd_tls_loglevel = 0
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
soft_bounce = no
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 550
virtual_alias_maps = pgsql:/etc/postfix/pgsql/pgsql-virtual-alias-maps.cf
virtual_gid_maps = pgsql:/etc/postfix/pgsql/pgsql-virtual-gid-maps.cf
virtual_mailbox_base = /var/vmail
virtual_mailbox_domains = pgsql:/etc/postfix/pgsql/pgsql-virtual-mailbox-domains.cf
virtual_mailbox_limit_maps = pgsql:/etc/postfix/pgsql/pgsql-virtual-mailbox-limit-maps.cf
virtual_mailbox_limit_override = yes
virtual_mailbox_maps = pgsql:/etc/postfix/pgsql/pgsql-virtual-mailbox-maps.cf
virtual_maildir_extended = yes
virtual_maildir_limit_message = "Sorry, the recipients mailbox is currently full. Please try again later."
virtual_overquota_bounce = no
virtual_trash_count = no
virtual_trash_name = ".Trash"
virtual_uid_maps = pgsql:/etc/postfix/pgsql/pgsql-virtual-uid-maps.cf

and my master.cf:

smtp       inet  n       -       n       -       4       smtpd
  -o content_filter=amavis:[127.0.0.1]:10024
  -o receive_override_options=no_address_mappings
submission inet  n       -       n       -       -       smtpd
#  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_helo_restrictions=
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
# Also send smtps received mail to amavis.
smtps      inet  n       -       n       -       -       smtpd
  -o content_filter=amavis:[127.0.0.1]:10024
  -o receive_override_options=no_address_mappings
  -o smtpd_tls_wrappermode=yes

>> I suppose I could override smtpd_delay on port 587 via master.cf and
>> have it set to 'no' in my postfix.conf, and just live with the idea that
>> port 25 is kinda off limits for regular 'users' from now on? It sits
>> wrong with me in a sense, but I'm sure I just don't get postfix's
>> main.cf enough :(
>
> While there are good reasons to only offer AUTH on port 587, this
> isn't one of them.
>
>
> --
> Noel Jones

I suppose offering mail on 587 will still be good, to have that option.

Oliver
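As an added check (written for this thread, not code from the list or from Postfix itself), the script below parses the relevant lines of the posted postconf -n output and reports the points Noel raised: whether smtpd_delay_reject is still at its default, whether the reject_rbl_client entries are present and which permit_* entries are evaluated ahead of them (Postfix stops at the first matching restriction, so clients matching those never reach the DNSBLs), and whether AUTH is announced without requiring TLS, which is what smtpd_tls_auth_only = no means in the posted config. The sample input is constructed from the values in the mail.

```python
"""Check a `postconf -n` dump for the points raised in the thread above."""

# Constructed sample: the relevant lines copied from the postconf -n in the mail.
POSTCONF_N = """\
smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, permit_mx_backup, reject_rbl_client zen.spamhaus.org, reject_rbl_client cbl.abuseat.org, reject_rbl_client bl.spamcop.net
smtpd_delay_reject = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
smtpd_tls_auth_only = no
"""

def parse_postconf(text):
    """Parse `key = value` lines; an empty value (smtpd_sasl_local_domain =) is kept as ''."""
    conf = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            conf[key.strip()] = value.strip()
    return conf

def restriction_list(conf, name):
    """Split a restriction list; `reject_rbl_client zen.spamhaus.org` stays one entry."""
    return [e.strip() for e in conf.get(name, "").split(",") if e.strip()]

def permits_before_rbl(conf, name="smtpd_client_restrictions"):
    """permit_* entries evaluated before the first reject_rbl_client. Postfix stops at
    the first matching restriction, so clients matching one of these skip the DNSBLs."""
    out = []
    for entry in restriction_list(conf, name):
        if entry.startswith("reject_rbl_client"):
            break
        if entry.startswith("permit"):
            out.append(entry)
    return out

def findings(conf):
    """Human-readable notes; an empty list means nothing to report.
    Fallback values are Postfix's defaults: smtpd_delay_reject=yes, smtpd_tls_auth_only=no."""
    notes = []
    if conf.get("smtpd_delay_reject", "yes") != "yes":
        notes.append("smtpd_delay_reject changed from the default 'yes'")
    if not any(e.startswith("reject_rbl_client")
               for e in restriction_list(conf, "smtpd_client_restrictions")):
        notes.append("no reject_rbl_client entry in smtpd_client_restrictions")
    if conf.get("smtpd_sasl_auth_enable") == "yes" and conf.get("smtpd_tls_auth_only", "no") != "yes":
        notes.append("SASL AUTH is announced without requiring TLS (smtpd_tls_auth_only = no)")
    return notes
```

Run it against a real `postconf -n` dump by reading the file into `parse_postconf` instead of the embedded sample; on the posted config it reports only the plaintext-AUTH point.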