Hello All,
I want to confirm that what I want to try won't break anything. I want to
use a CIDR list and reject messages.
As far as I can tell, I need to do this:
smtpd_client_restrictions =
    check_client_access cidr:/usr/local/etc/postfix/maps/ip.cidr,
    permit
But I don't want to conflict with anything else I am doing.
I was going to insert this where I typed in " XXXXXXXXXXXX I want to add
code HERE XXXXXXXXXXXXXXXXXX" below.
Do I need to do more to allow more things within the
smtpd_client_restrictions = or will it work to basically say reject those
IPs then allow everything else?
Also, to test this, do I put in the CIDR file:
123.234.32.8 WARN CIDR Rejection
Instead of 123.234.32.8 REJECT CIDR Rejection
Thanks!!!
#-----< Base Postfix Configuration Options >-------------------------------------------------
queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
mail_owner = postfix
unknown_local_recipient_reject_code = 550
debug_peer_level = 2
debugger_command =
    PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
    xxgdb $daemon_directory/$process_name $process_id & sleep 5
sendmail_path = /usr/sbin/sendmail
newaliases_path = /usr/bin/newaliases
mailq_path = /usr/bin/mailq
setgid_group = postdrop
manpage_directory = /usr/local/man
sample_directory = /etc/postfix
readme_directory = no
myorigin = $mydomain
mydestination = $myhostname, localhost.$mydomain, $mydomain
myhostname = mail.myserver.net
mynetworks =
    127.0.0.0/8
# -----< Stop Forged Mail from Freemail places >-----------------------------------------
smtpd_restriction_classes = from_freemail_host
from_freemail_host = check_client_access hash:/etc/postfix/freemail_hosts,
    reject
# -----< Options >-----------------------------------------------------------------------
mail_spool_directory = /var/spool/mail
delay_warning_time = 24h
biff = no
soft_bounce = no
smtpd_delay_reject = yes
smtpd_helo_required = yes
strict_rfc821_envelopes = yes
disable_vrfy_command = yes
smtpd_hard_error_limit = 3
smtpd_junk_command_limit = 3
show_user_unknown_table_name = no
unknown_address_reject_code = 554
unknown_hostname_reject_code = 554
unknown_client_reject_code = 554
deliver_lock_attempts = 10
# -----< SMTP AUTH >---------------------------------------------------------------------
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
# -----< Virtual >-----------------------------------------------------------------------
virtual_maps = hash:/etc/postfix/virtual
    hash:/etc/postfix/local-host-names
alias_maps = hash:/etc/postfix/aliases
mx_access = hash:/etc/postfix/mx_access
relay_domains = /etc/postfix/backup_domains
transport_maps = hash:/etc/postfix/transport,
    hash:/etc/postfix/transport_bounce
relay_recipient_maps = hash:/etc/postfix/backup_domains_recipients,
    hash:/etc/postfix/transport_recipients
XXXXXXXXXXXX I want to add code HERE XXXXXXXXXXXXXXXXXX
# -----< smtpd_recipient_restrictions >----------------------------------------------------
smtpd_recipient_restrictions =
    reject_invalid_helo_hostname,
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    reject_unknown_sender_domain,
    reject_unknown_recipient_domain,
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    reject_rhsbl_client dbl.spamhaus.org,
    reject_rhsbl_sender dbl.spamhaus.org,
    reject_rhsbl_helo dbl.spamhaus.org,
    check_helo_access hash:/etc/postfix/helo_access,
    reject_invalid_helo_hostname,
    reject_non_fqdn_helo_hostname,
# -----< SPF >----------------------------------------------------------------------------
    check_policy_service unix:private/policy,
# -----< Greylisting >--------------------------------------------------------------------
#   check_policy_service unix:private/tumgreyspf
#------< client/sender checks for both relay and reject >---------------------------------
    check_sender_access hash:/etc/postfix/client_checks,
    check_client_access hash:/etc/postfix/client_checks,
# -----< Forged Freemail Domains >---------------------------------------------------------
    check_sender_access hash:/etc/postfix/freemail_access,
# -----< Verisign Hijack Reject >---------------------------------------------------------
    check_recipient_mx_access hash:/etc/postfix/mx_access,
    reject_unauth_pipelining,
# ---------< RBL's >----------------------------------------------------------------------
    reject_rbl_client zen.spamhaus.org,
    reject_rbl_client bl.spamcop.net,
    reject_rbl_client psbl.surriel.com,
    reject_rbl_client ix.dnsbl.manitu.net,
    reject_rbl_client b.barracudacentral.org,
# ---------< Limits >---------------------------------------------------------------------
message_size_limit = 26000000
mailbox_size_limit = 55000000
body_checks_size_limit = 21200
bounce_size_limit = 2048
maximal_queue_lifetime = 5d
bounce_queue_lifetime = 1d
tumgreyspf_time_limit = 3600
policy_time_limit = 3600
# ---------< Content Check >--------------------------------------------------------------
body_checks = pcre:/etc/postfix/body_checks
header_checks = regexp:/etc/postfix/header_checks
html_directory = no
data_directory = /var/lib/postfix
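
Added example, not part of the original post: a small Python sketch that dry-runs a cidr table against client addresses offline, showing first-match ordering and how a WARN entry differs from a REJECT entry. The table contents and function names are constructed for illustration; it models only plain address or network/prefix patterns and the OK, REJECT, WARN and DUNNO actions.

```python
import ipaddress

# Constructed sample table: the poster's test address plus documentation ranges.
SAMPLE_TABLE = """\
# test entry first: log only, do not reject yet
123.234.32.8      WARN CIDR Rejection
192.0.2.0/24      REJECT CIDR Rejection
2001:db8::/32     REJECT CIDR Rejection
"""


def parse_cidr_table(text):
    """Return [(network, ACTION, optional_text)] in file order."""
    rules = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank lines and comments carry no rule
        fields = line.split(None, 2)
        if len(fields) < 2:
            raise ValueError(f"line {lineno}: pattern without an action")
        # strict=True raises on host bits set below the mask (192.0.2.5/24),
        # a common typo worth catching before the file goes live.
        net = ipaddress.ip_network(fields[0], strict=True)
        text_part = fields[2] if len(fields) > 2 else ""
        rules.append((net, fields[1].upper(), text_part))
    return rules


def lookup(rules, client_ip):
    """First matching pattern wins; later, more specific entries are never seen."""
    addr = ipaddress.ip_address(client_ip)
    for net, action, text in rules:
        if addr.version == net.version and addr in net:
            return action, text
    return None


def outcome(rules, client_ip):
    """Map the lookup result to what the restriction list does next."""
    hit = lookup(rules, client_ip)
    if hit is None:
        return "continue"          # no match: next restriction is evaluated
    verdicts = {"REJECT": "reject", "OK": "permit",
                "WARN": "log-and-continue", "DUNNO": "continue"}
    return verdicts.get(hit[0], "other:" + hit[0])


if __name__ == "__main__":
    table = parse_cidr_table(SAMPLE_TABLE)
    for ip in ("123.234.32.8", "192.0.2.77", "198.51.100.1", "2001:db8::1"):
        print(ip, "->", outcome(table, ip))
```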