On 22/11/2010 20:04, Carlos Mennens wrote:
> On Mon, Nov 22, 2010 at 1:00 PM, Rich Shepard<rshep...@appl-ecosys.com> wrote:
>> Carlos,
>>
>> I use a badaddr file that lists domains from whom I will not accept
>> messages. The content looks like these:
>>
>> hostforreal.com 550 Rejected domain D23
>> nasty-mailings.com 550 Rejected domain D24
>
> I've done the same and mine looks similar:
>
> [r...@mail postfix]# cat client_access
> bluehornet.com REJECT Rejected Domain
>
> But my confusion with Postfix has always been where to add the map
> check under which specific smtpd_*_restriction(s). According to "The
> Book of Postfix" I am still very confused:
>
> - smtpd_client_restrictions = applies to the client's IP address or
> its hostname or both.
>
> - smtpd_recipient_restrictions = applies to the envelope recipient(s),
> the envelope sender, the HELO/EHLO argument, and client IP / hostname
> or both.
>
> - smtpd_sender_restrictions = This is the 1st trigger set that
> restricts parts of the envelope. Postfix applies to the envelope
> sender, the HELO/EHLO argument, and the client.
>
> So with that defined above, how am I to understand or determine where
> I would add my 'client_access' check in my main.cf? According to the
> definitions above, the 'smtpd_recipient_restrictions' looks like it
> runs the specific map against every aspect of the sender rather than
> the other two. It seems like the logical choice, no? I apologize if
> I'm just dumb when it comes to Postfix but I'm really putting time and
> effort into trying to understand this so I won't have to annoy most
> with my ignorance.
>
>> In the UCE section of /etc/postfix/main.cf I have this line:
>>
>> check_client_access hash:/etc/postfix/badaddr,
>>
>> and it kicks back messages from the listed domains.
>>
>> Also, I use a badip file for specific IP addresses and address blocks.
>
> Where do you have those listed under in your main.cf?
>
> smtpd_recipient_restrictions = check_badaddr hash:/etc/postfix/badaddr ?

Put all your anti-spam checks under smtpd_recipient_restrictions, but be
careful not to become an open relay: for safety, put check_*_access after
reject_unauth_destination.

Here is an example to get you started.

Note 1: you need to understand before use. Anything you do is under your
own responsibility!
Note 2: order is important. Order your checks as needed.

#db = hash:/etc/postfix/maps/hash
db = cdb:/etc/postfix/maps/cdb
pcre = pcre:/etc/postfix/maps/pcre
cidr = cidr:/etc/postfix/maps/cidr
sql = proxy:mysql:/etc/postfix/maps/mysql
smtpd_recipient_restrictions =
    #reject_non_fqdn_sender
    #reject_non_fqdn_recipient
    #
    #permit_sasl_authenticated
    permit_mynetworks
    reject_unauth_destination
    #
    reject_unlisted_recipient
    reject_unlisted_sender
    #
    #reject_invalid_helo_hostname
    #reject_non_fqdn_helo_hostname
    #
    #check_recipient_access ${db}/access_recipient
    #
    #check_client_access ${cidr}/access_client
    #check_client_access ${db}/access_client
    #
    #check_sender_access ${db}/access_sender
    #check_sender_access ${pcre}/access_sender
    #
    #check_helo_access ${db}/access_helo
    #check_helo_access ${db}/access_host
    #check_reverse_client_hostname_access ${db}/access_host
    # DNSBL checks
    #reject_rbl_client zen.spamhaus.org
    #reject_rbl_client bl.spamcop.net
    #reject_rbl_client psbl.surriel.com
    #reject_rbl_client korea.services.net
    #reject_rbl_client bb.barracudacentral.org
== access_recipient
ab...@example.com OK
postmas...@example.com OK
#opt-out from checks
spamlo...@example.com
#reject extension
joe+old...@example.com
#use a specific restriction class
example.net policy_dothat
.example.net policy_dothat
== access_sender
# reject a specific user
no...@gooddomain.example REJECT blah blah
# reject a full domain
evil.example REJECT spammy domain
.evil.example REJECT spammy domain
== ${cidr}/access_client
#whitelist
192.0.2.0/24 OK
#blacklist
192.168.1.2/32 OK
10.1.0.0/16 REJECT blah blah
== ${db}/access_client
# whitelist
good.example OK
.good.example OK
# block
bad.example REJECT blah blah
.bad.example REJECT blah blah
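
As an added illustration (not code from this thread or from the Postfix project), here is a small Python check for the ordering advice above: it reads main.cf text and reports every check_*_access lookup that is evaluated before reject_unauth_destination. The sample main.cf and the function names are constructed for this example.

```python
import re

# Constructed sample (not from the thread): the client map is consulted
# before reject_unauth_destination, so an OK in it would permit relaying.
SAMPLE_MAIN_CF = """\
db = hash:/etc/postfix/maps/hash
smtpd_recipient_restrictions =
    permit_mynetworks
    #permit_sasl_authenticated
    check_client_access ${db}/access_client
    reject_unauth_destination
    check_sender_access ${db}/access_sender
"""

def logical_lines(text):
    """Join main.cf continuation lines; skip blank and comment lines."""
    out = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and out:
            out[-1] += " " + raw.strip()   # leading whitespace continues a line
        else:
            out.append(raw.strip())
    return out

def restriction_tokens(text, name="smtpd_recipient_restrictions"):
    """Tokens of the named restriction list, in evaluation order."""
    value = ""
    for line in logical_lines(text):
        key, sep, rest = line.partition("=")
        if sep and key.strip() == name:
            value = rest                   # a later definition overrides
    return [t for t in re.split(r"[,\s]+", value) if t]

def early_access_checks(text):
    """(check_*_access, map) pairs evaluated before reject_unauth_destination.

    If reject_unauth_destination is absent, every lookup is reported."""
    tokens = restriction_tokens(text)
    found = []
    for i, tok in enumerate(tokens):
        if tok == "reject_unauth_destination":
            break
        if re.fullmatch(r"check_\w+_access", tok):
            found.append((tok, tokens[i + 1] if i + 1 < len(tokens) else None))
    return found

if __name__ == "__main__":
    for check, table in early_access_checks(SAMPLE_MAIN_CF):
        print(f"{check} {table} runs before reject_unauth_destination")
```

On Postfix 2.10 and later the relay guard may instead sit in smtpd_relay_restrictions, which this check does not look at.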