On 4/22/2010 6:17 PM, Oliver Schinagl wrote:
Well what I'm after is the following:

Postfix should be nice and locked, no relaying or anything like that;
backup_max's should be allowed to relay of course, and users who have
logged in properly via, say thunderbird (using sasl_auth).

Also I would like to use public RBL's to lower the load on my spamfilter
etc so they shouldn't even come in.

Here's what I have in my postconf now:
mydomain = example.com
myhostname = foo.example.com
mynetworks_style = host

OK, you're not defining mynetworks, so permit_mynetworks should only allow your host's IPs. That's fine.

relay_domains = pgsql:/etc/postfix/pgsql/pgsql-relay-domains-maps.cf

Using relay_domains without relay_recipient_maps is strongly discouraged. Your queue will get clogged with undeliverable mail and eventually you'll be blacklisted as a backscatter source.

smtpd_banner = $myhostname NO UCE ESMTP

That must be
smtpd_banner = $myhostname ESMTP comments...

smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated,
    permit_mx_backup, reject_rbl_client zen.spamhaus.org,
    reject_rbl_client cbl.abuseat.org, reject_rbl_client bl.spamcop.net

"permit_mx_backup" is evil and disabling your RBL lookups.

Don't use permit_mx_backup. If you run a backup MX for other domains, list those domains in relay_domains and the recipients in relay_recipient_maps.

smtpd_delay_reject = yes
smtpd_helo_required = yes
smtpd_helo_restrictions = reject_invalid_hostname

This should be
smtpd_helo_restrictions =
  permit_mynetworks
  permit_sasl_authenticated
  reject_invalid_helo_hostname

It's not nice to reject authorized clients just because their mail client happens to bork the HELO name.

smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated,
    permit_mx_backup, check_policy_service inet:127.0.0.1:2525,
    reject_unauth_destination

Remove permit_mx_backup, it's disabling all your other checks.


smtpd_sasl_authenticated_header = no

I like this set to "yes", but that's just me.

smtpd_sasl_security_options = noanonymous

Caution, this setting allows plain text passwords to be sent unencrypted. Safer (but harder for testing and maybe less compatible):
smtpd_sasl_security_options = noplaintext, noanonymous
smtpd_sasl_tls_security_options = noanonymous


and my master.cf:
smtp      inet  n       -       n       -       4       smtpd
   -o content_filter=amavis:[127.0.0.1]:10024
   -o receive_override_options=no_address_mappings

submission inet n       -       n       -       -       smtpd
#  -o smtpd_tls_security_level=encrypt
   -o smtpd_sasl_auth_enable=yes
   -o smtpd_client_restrictions=permit_sasl_authenticated,reject
   -o smtpd_helo_restrictions=
   -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject

You might want to add here
    -o smtpd_sender_restrictions=
to prevent main.cf parameters from interfering.


Otherwise, looks reasonable. Remove your permit_mx_backup and everything should be dandy.



  -- Noel Jones
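A small check for the problems Noel calls out, added here as an example and not part of the thread: it lints a `postconf -n` style dump (one `name = value` per line, as `postconf -n` prints) and reports permit_mx_backup in any restriction list, relay_domains without relay_recipient_maps, a banner that does not begin with `$myhostname ESMTP`, the old reject_invalid_hostname name, and SASL options that still allow plaintext. The sample dump is constructed from the settings quoted above, not taken from a real server.

```shell
#!/bin/sh
# Added example (not from the thread): lint a `postconf -n` dump, one
# "name = value" per line, for the problems discussed above.

# param NAME: value of NAME from the dump held in $CONF (first match only)
param() {
    printf '%s\n' "$CONF" | sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" | head -n 1
}

# lint_postconf < dump: one finding per line, nothing when the dump is clean
lint_postconf() {
    CONF=$(cat)
    # permit_mx_backup anywhere in a restriction list short-circuits the checks after it
    printf '%s\n' "$CONF" \
        | grep -E '^[[:space:]]*smtpd_[a-z_]*restrictions[[:space:]]*=.*permit_mx_backup' \
        | sed -E 's/^[[:space:]]*([a-z_]+)[[:space:]]*=.*/\1 contains permit_mx_backup: RBL and policy checks after it never run/'
    # accepting relay_domains without a recipient list queues undeliverable mail (backscatter)
    if [ -n "$(param relay_domains)" ] && [ -z "$(param relay_recipient_maps)" ]; then
        echo "relay_domains set but relay_recipient_maps empty: undeliverable backup-MX mail will bounce"
    fi
    # the banner has to start with the hostname followed by ESMTP
    case "$(param smtpd_banner)" in
        '$myhostname ESMTP'*) ;;
        *) echo "smtpd_banner does not start with '\$myhostname ESMTP'" ;;
    esac
    # old restriction name, and authenticated clients should be permitted before HELO checks
    case "$(param smtpd_helo_restrictions)" in
        *reject_invalid_hostname*) echo "smtpd_helo_restrictions: put permit_sasl_authenticated before reject_invalid_helo_hostname" ;;
    esac
    # without noplaintext, PLAIN/LOGIN credentials may be offered on unencrypted sessions
    case "$(param smtpd_sasl_security_options)" in
        *noplaintext*) ;;
        *) echo "smtpd_sasl_security_options lacks noplaintext: plaintext passwords allowed without TLS" ;;
    esac
}

# sample_config: constructed dump mirroring the main.cf quoted in the thread
sample_config() {
    cat <<'EOF'
myhostname = foo.example.com
relay_domains = pgsql:/etc/postfix/pgsql/pgsql-relay-domains-maps.cf
smtpd_banner = $myhostname NO UCE ESMTP
smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, permit_mx_backup, reject_rbl_client zen.spamhaus.org
smtpd_helo_restrictions = reject_invalid_hostname
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, permit_mx_backup, reject_unauth_destination
smtpd_sasl_security_options = noanonymous
EOF
}
sample_config | lint_postconf
```

On a live box, `postconf -n | lint_postconf` runs the same checks against the real configuration.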
