On 1/21/2011 8:25 PM, Noel Jones wrote:
On 1/21/2011 7:13 PM, Mike Morris wrote:
On 01/21/2011 04:56 PM, Noel Jones wrote:
On 1/21/2011 5:08 PM, Condor wrote:
Hello,
i have postfix 2.7.2 and i have problem with restrictions. I setup
smtpd_recipient_restrictions here is my main.cf config file:
smtpd_recipient_restrictions =
permit_mynetworks,
permit_sasl_authenticated,
check_helo_access hash:/etc/postfix/helo_checks,
check_sender_access hash:/etc/postfix/helo_checks,
check_recipient_access pcre:/etc/postfix/recipient_checks.pcre,
reject_unauth_destination,
reject_invalid_hostname,
reject_unauth_pipelining,
reject_non_fqdn_sender,
reject_unknown_sender_domain,
reject_non_fqdn_recipient,
reject_unknown_recipient_domain,
reject_unlisted_sender,
reject_rhsbl_client blackhole.securitysage.com,
reject_rhsbl_sender blackhole.securitysage.com,
reject_rbl_client relays.ordb.org,
reject_rbl_client blackholes.easynet.nl,
reject_rbl_client cbl.abuseat.org,
reject_rbl_client proxies.blackholes.wirehub.net,
reject_rbl_client bl.spamcop.net,
reject_rbl_client sbl.spamhaus.org,
reject_rbl_client opm.blitzed.org,
reject_rbl_client dnsbl.njabl.org,
reject_rbl_client list.dsbl.org,
reject_rbl_client multihop.dsbl.org,
reject_rbl_client pbl.spamhaus.org,
permit
That file pcre:/etc/postfix/recipient_checks.pcre contain:
/^\@/ 550 Invalid address format.
/[!%\@].*\@/ 550 This server disallows weird address syntax.
/^postmaster\@/ OK
/^hostmaster\@/ OK
/^abuse\@/ OK
/^nobody\@/ REJECT
Don't escape the @ in pcre tables. ie:
/^nobody@/ REJECT nobody isn't here.
Additionally, doesn't this configuration make the server in question an
open relay? The recipient_checks.pcre file returns an OK when the RHS
of an email address is anything for an LHS of postmater, hostmaster, and
abuse, and it immediately precedes reject_unauth_destination in
smtpd_recipient_restrictions.
Yes, you're right. reject_unauth_destination should be directly after
permit_mynetworks, permit_sasl_authenticated.
What is the purpose of configuring recipient validation in such a
manner? The OP would be better served by correctly configuring the
proper address classes.
It's not uncommon to whitelist role accounts before anti-UCE checks,
and nothing wrong with using the same file to reject recipients that
should never receive mail. But the whitelist should always be *after*
reject_unauth_destination.
-- Noel Jones
As noel said, as long as you have everything defining custom policies,
like check_*_access or anything else relating going under
smtpd_recipient_restrictions to come AFTER reject_unauth_destination.
Also, as an anti-openrelay failsafe, you should put "OK 250 custom
message here" instead of "permit 250 custom message". OK says to keep
processing other restrictions but override any header,hostname, or etc
checks in this class; permit would override everything, causing open relay!
Speaking of access lists, a question Mike Morris may also have for 2.8,
we tried putting postscreen_access_list = permit_mynetworks,
permit_sasl_authenticated but it doesn't allow "permit_sasl_authenticated".
Jerrale G.
SC Senior Admin
