On 15.03.2011 20:34, Victor Duchovni wrote:
> On Tue, Mar 15, 2011 at 08:27:44PM +0100, Reindl Harald wrote:
>
>>> The above does not do an exact job of setting policy for internal senders,
>>> since some internal senders send mail to internal recipients. It is far
>>> better to run two separate services each with simpler policies that apply
>>> just to the service at hand.
>>
>> i tried it some minutes ago on the live-machine and it works beautifully
>
> Clearly you tried something other than I was primarily trying to
> recommend...

my test was before your answer, did not think you are so devil fast :-)

>> smtpd_helo_restrictions = permit_mynetworks,
>> reject_authenticated_sender_login_mismatch, reject_non_fqdn_recipient,
>> reject_non_fqdn_sender, permit_sasl_authenticated,
>> reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname,
>> reject_unknown_helo_hostname
>>
>> smtpd_sender_restrictions = reject_unlisted_sender, permit_mynetworks,
>> reject_authenticated_sender_login_mismatch,
>> reject_non_fqdn_recipient, reject_non_fqdn_sender,
>> permit_sasl_authenticated, reject_unknown_sender_domain,
>> reject_unknown_recipient_domain
>>
>> smtpd_recipient_restrictions = reject_unlisted_sender, permit_mynetworks,
>> reject_authenticated_sender_login_mismatch, reject_non_fqdn_recipient,
>> reject_non_fqdn_sender,
>> permit_sasl_authenticated, reject_unauth_destination,
>> reject_unknown_sender_domain,
>> reject_unknown_recipient_domain, reject_invalid_hostname,
>> reject_unauth_pipelining, reject_rbl_client
>> dnsbl-1.uceprotect.net, check_policy_service
>> unix:/var/spool/postfix/postgrey/socket, check_recipient_access
>> mysql:/etc/postfix/mysql-spamfilter.cf
>
> These look much too complex. No need to keep checking the same things
> over and over again, provided you set "smtpd_helo_required = yes", the
> helo checks cannot be bypassed, so for example, you needlessly perform
> the sender login mismatch check 3 times...

"smtpd_helo_required = yes" -> true

if i understand this correctly "smtpd_sender_restrictions" can be totally removed
and "smtpd_helo_restrictions = reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname,
reject_unknown_helo_hostname" would be enough combined with "smtpd_helo_required"?

regards from Austria
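The repetition pointed out in the quoted reply (the same check listed in several restriction lists) can be found mechanically. The following Python sketch is an added example, not code from this thread or from Postfix: it folds main.cf continuation lines, splits the three restriction lists, and reports every reject_* restriction that appears in more than one list. The sample configuration is constructed from the lists quoted above; the function names and the TAKES_ARG set are assumptions of this example.

```python
import re
from collections import defaultdict

# Restrictions whose next token is their argument (only those this sample needs).
TAKES_ARG = {"reject_rbl_client", "check_policy_service", "check_recipient_access"}
STAGES = [f"smtpd_{s}_restrictions" for s in ("helo", "sender", "recipient")]

# Constructed sample: the three lists quoted in the thread, laid out as main.cf text.
MAIN_CF = """\
smtpd_helo_restrictions = permit_mynetworks, reject_authenticated_sender_login_mismatch,
  reject_non_fqdn_recipient, reject_non_fqdn_sender, permit_sasl_authenticated,
  reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname, reject_unknown_helo_hostname
smtpd_sender_restrictions = reject_unlisted_sender, permit_mynetworks,
  reject_authenticated_sender_login_mismatch, reject_non_fqdn_recipient, reject_non_fqdn_sender,
  permit_sasl_authenticated, reject_unknown_sender_domain, reject_unknown_recipient_domain
smtpd_recipient_restrictions = reject_unlisted_sender, permit_mynetworks,
  reject_authenticated_sender_login_mismatch, reject_non_fqdn_recipient, reject_non_fqdn_sender,
  permit_sasl_authenticated, reject_unauth_destination, reject_unknown_sender_domain,
  reject_unknown_recipient_domain, reject_invalid_hostname, reject_unauth_pipelining,
  reject_rbl_client dnsbl-1.uceprotect.net,
  check_policy_service unix:/var/spool/postfix/postgrey/socket,
  check_recipient_access mysql:/etc/postfix/mysql-spamfilter.cf
"""

def parse_main_cf(text):
    """Fold main.cf continuation lines (leading whitespace) into {name: value}."""
    text = re.sub(r"(?m)^[ \t]*(#.*)?\n", "", text + "\n")  # drop blank/comment lines
    text = re.sub(r"\n[ \t]+", " ", text)                   # join continuation lines
    return dict(re.findall(r"(?m)^([^\s=]+)[ \t]*=[ \t]*(.*?)[ \t]*$", text))

def restrictions(value):  # split one list on commas/whitespace
    out = []
    for tok in filter(None, re.split(r"[,\s]+", value)):
        if out and out[-1] in TAKES_ARG:
            out[-1] += " " + tok  # keep the argument with its restriction
        else:
            out.append(tok)
    return out

def repeated_rejects(text):
    """Return {reject_* restriction: [stages]} for restrictions listed in >1 stage."""
    params, seen = parse_main_cf(text), defaultdict(list)
    for stage in STAGES:
        for r in restrictions(params.get(stage, "")):
            if r.startswith("reject_"):
                seen[r].append(stage)
    return {r: s for r, s in seen.items() if len(s) > 1}

if __name__ == "__main__":
    print("\n".join(f"{len(s)}x {r}" for r, s in repeated_rejects(MAIN_CF).items()))
```

Only reject_* entries are counted: a permit result ends just the list it appears in, so a permit_* entry repeated across lists is not redundant in the same way.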