On 01/21/2011 05:25 PM, Noel Jones wrote:
> On 1/21/2011 7:13 PM, Mike Morris wrote:
>> On 01/21/2011 04:56 PM, Noel Jones wrote:
>>> On 1/21/2011 5:08 PM, Condor wrote:
>>>>
>>>> Hello,
>>>> I have postfix 2.7.2 and I have a problem with restrictions. I set up
>>>> smtpd_recipient_restrictions; here is my main.cf config file:
>>>>
>>>> smtpd_recipient_restrictions =
>>>> permit_mynetworks,
>>>> permit_sasl_authenticated,
>>>> check_helo_access hash:/etc/postfix/helo_checks,
>>>> check_sender_access hash:/etc/postfix/helo_checks,
>>>> check_recipient_access pcre:/etc/postfix/recipient_checks.pcre,
>>>> reject_unauth_destination,
>>>> reject_invalid_hostname,
>>>> reject_unauth_pipelining,
>>>> reject_non_fqdn_sender,
>>>> reject_unknown_sender_domain,
>>>> reject_non_fqdn_recipient,
>>>> reject_unknown_recipient_domain,
>>>> reject_unlisted_sender,
>>>> reject_rhsbl_client blackhole.securitysage.com,
>>>> reject_rhsbl_sender blackhole.securitysage.com,
>>>> reject_rbl_client relays.ordb.org,
>>>> reject_rbl_client blackholes.easynet.nl,
>>>> reject_rbl_client cbl.abuseat.org,
>>>> reject_rbl_client proxies.blackholes.wirehub.net,
>>>> reject_rbl_client bl.spamcop.net,
>>>> reject_rbl_client sbl.spamhaus.org,
>>>> reject_rbl_client opm.blitzed.org,
>>>> reject_rbl_client dnsbl.njabl.org,
>>>> reject_rbl_client list.dsbl.org,
>>>> reject_rbl_client multihop.dsbl.org,
>>>> reject_rbl_client pbl.spamhaus.org,
>>>> permit
>>>>
>>>> That file pcre:/etc/postfix/recipient_checks.pcre contains:
>>>> /^\@/ 550 Invalid address format.
>>>> /[!%\@].*\@/ 550 This server disallows weird address syntax.
>>>> /^postmaster\@/ OK
>>>> /^hostmaster\@/ OK
>>>> /^abuse\@/ OK
>>>> /^nobody\@/ REJECT
>>>
>>> Don't escape the @ in pcre tables. ie:
>>> /^nobody@/ REJECT nobody isn't here.
>>>
>>
>> Additionally, doesn't this configuration make the server in question an
>> open relay? The recipient_checks.pcre file returns an OK when the RHS
>> of an email address is anything for an LHS of postmaster, hostmaster, and
>> abuse, and it immediately precedes reject_unauth_destination in
>> smtpd_recipient_restrictions.
>
> Yes, you're right. reject_unauth_destination should be
> directly after permit_mynetworks, permit_sasl_authenticated.
>
>>
>> What is the purpose of configuring recipient validation in such a
>> manner? The OP would be better served by correctly configuring the
>> proper address classes.
>
> It's not uncommon to whitelist role accounts before anti-UCE
> checks,

Yeah, I realized why this might be useful after I sent my last response.
Years ago I gave up and started subjecting role accounts to anti-UCE
rules, so I suppose such a purpose doesn't immediately register with me
any more.

-Mike
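Added example, not part of the thread and not Postfix code: a simplified Python model of first-match evaluation of smtpd_recipient_restrictions, comparing the posted order with the order Noel recommends. It assumes example.com is the only local domain, treats the 550 actions as rejects, and models only the restrictions relevant to the relay question.

```python
import re

# Assumption: the only domain this server accepts mail for.
LOCAL_DOMAINS = {"example.com"}

# Rules from the posted recipient_checks.pcre, with @ unescaped as advised.
# Postfix pcre tables are case-insensitive by default; the first match wins.
RECIPIENT_CHECKS = [(re.compile(p, re.I), a) for p, a in [
    (r"^@", "REJECT"),
    (r"[!%@].*@", "REJECT"),
    (r"^postmaster@", "OK"),
    (r"^hostmaster@", "OK"),
    (r"^abuse@", "OK"),
    (r"^nobody@", "REJECT"),
]]

# Posted order: the access table is consulted before the relay check.
ORIGINAL = ["permit_mynetworks", "permit_sasl_authenticated",
            "check_recipient_access", "reject_unauth_destination", "permit"]
# Recommended order: relay check directly after the two permit_* entries.
CORRECTED = ["permit_mynetworks", "permit_sasl_authenticated",
             "reject_unauth_destination", "check_recipient_access", "permit"]

def evaluate(restrictions, rcpt, trusted=False):
    """Walk the list in order and return the first decisive result."""
    for name in restrictions:
        if name in ("permit_mynetworks", "permit_sasl_authenticated"):
            if trusted:
                return "PERMIT"
        elif name == "check_recipient_access":
            for pattern, action in RECIPIENT_CHECKS:
                if pattern.search(rcpt):
                    # OK ends evaluation of the whole list with a permit.
                    return "PERMIT" if action == "OK" else "REJECT"
        elif name == "reject_unauth_destination":
            if rcpt.rsplit("@", 1)[-1].lower() not in LOCAL_DOMAINS:
                return "REJECT"
        elif name == "permit":
            return "PERMIT"
    return "PERMIT"  # nothing decisive: the default is to permit

if __name__ == "__main__":
    # Constructed recipients, evaluated for an untrusted client.
    for rcpt in ("postmaster@example.net", "postmaster@example.com",
                 "user@example.net", "nobody@example.com"):
        print(f"{rcpt:24} original={evaluate(ORIGINAL, rcpt):7} "
              f"corrected={evaluate(CORRECTED, rcpt)}")
```

With the corrected order the role-account OK can only exempt local recipients from the anti-UCE checks that follow; it can no longer authorize relaying.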