On Tue, Mar 15, 2011 at 08:27:44PM +0100, Reindl Harald wrote:
> > The above does not do an exact job of setting policy for internal senders,
> > since some internal senders send mail to internal recipients. It is far
> > better to run two separate services each with simpler policies that apply
> > just to the service at hand.
>
> I tried it some minutes ago on the live machine and it works beautifully

Clearly you tried something other than what I was primarily trying to
recommend...

> smtpd_helo_restrictions = permit_mynetworks,
>     reject_authenticated_sender_login_mismatch, reject_non_fqdn_recipient,
>     reject_non_fqdn_sender, permit_sasl_authenticated,
>     reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname,
>     reject_unknown_helo_hostname
>
> smtpd_sender_restrictions = reject_unlisted_sender, permit_mynetworks,
>     reject_authenticated_sender_login_mismatch,
>     reject_non_fqdn_recipient, reject_non_fqdn_sender, permit_sasl_authenticated,
>     reject_unknown_sender_domain,
>     reject_unknown_recipient_domain
>
> smtpd_recipient_restrictions = reject_unlisted_sender, permit_mynetworks,
>     reject_authenticated_sender_login_mismatch, reject_non_fqdn_recipient,
>     reject_non_fqdn_sender,
>     permit_sasl_authenticated, reject_unauth_destination,
>     reject_unknown_sender_domain,
>     reject_unknown_recipient_domain, reject_invalid_hostname,
>     reject_unauth_pipelining,
>     reject_rbl_client dnsbl-1.uceprotect.net,
>     check_policy_service unix:/var/spool/postfix/postgrey/socket,
>     check_recipient_access mysql:/etc/postfix/mysql-spamfilter.cf

These look much too complex. No need to keep checking the same things
over and over again, provided you set "smtpd_helo_required = yes", the
helo checks cannot be bypassed, so for example, you needlessly perform
the sender login mismatch check 3 times...
--
Viktor.
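
Added example, not part of the original message: a short Python audit of the repetition pointed out in the reply, listing every restriction that appears in more than one of the three quoted restriction lists. The function names are this example's own; a repeat is a candidate for removal rather than proof of redundancy, since a permit result ends only the list it appears in.

```python
import re

STAGES = [f"smtpd_{s}_restrictions" for s in ("helo", "sender", "recipient")]
# Restrictions whose next token is an argument (DNSBL zone, table, policy socket).
TAKES_ARG = re.compile(r"check_|reject_rbl_|reject_rhsbl_|permit_dnswl_|permit_rhswl_")
# The three lists from the quoted message, reflowed as main.cf continuation lines.
SAMPLE = """\
smtpd_helo_restrictions = permit_mynetworks,
 reject_authenticated_sender_login_mismatch, reject_non_fqdn_recipient,
 reject_non_fqdn_sender, permit_sasl_authenticated, reject_non_fqdn_helo_hostname,
 reject_invalid_helo_hostname, reject_unknown_helo_hostname
smtpd_sender_restrictions = reject_unlisted_sender, permit_mynetworks,
 reject_authenticated_sender_login_mismatch, reject_non_fqdn_recipient,
 reject_non_fqdn_sender, permit_sasl_authenticated, reject_unknown_sender_domain,
 reject_unknown_recipient_domain
smtpd_recipient_restrictions = reject_unlisted_sender, permit_mynetworks,
 reject_authenticated_sender_login_mismatch, reject_non_fqdn_recipient,
 reject_non_fqdn_sender, permit_sasl_authenticated, reject_unauth_destination,
 reject_unknown_sender_domain, reject_unknown_recipient_domain,
 reject_invalid_hostname, reject_unauth_pipelining, reject_rbl_client dnsbl-1.uceprotect.net,
 check_policy_service unix:/var/spool/postfix/postgrey/socket,
 check_recipient_access mysql:/etc/postfix/mysql-spamfilter.cf
"""

def parse_main_cf(text):
    """Return {parameter: value}; indented lines continue the previous one."""
    text = re.sub(r"(?m)^[ \t]*(#.*)?\n", "", text)  # drop blank and comment lines
    text = re.sub(r"\n[ \t]+", " ", text)            # join continuation lines
    return dict(re.findall(r"(?m)^(\w+)[ \t]*=[ \t]*(.*)$", text))

def restrictions(value):
    items = []
    for tok in filter(None, re.split(r"[,\s]+", value)):
        if items and TAKES_ARG.match(items[-1]) and " " not in items[-1]:
            items[-1] += " " + tok  # keep a single-token argument with its restriction
        else:
            items.append(tok)
    return items

def repeated_checks(text):
    """Map each restriction listed in more than one stage to those stages."""
    params, seen = parse_main_cf(text), {}
    for stage in STAGES:
        for item in dict.fromkeys(restrictions(params.get(stage, ""))):
            seen.setdefault(item, []).append(stage)
    return {item: where for item, where in seen.items() if len(where) > 1}

if __name__ == "__main__":
    print(*(f"{len(w)}x {i}" for i, w in repeated_checks(SAMPLE).items()), sep="\n")
```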