On Thu, Apr 07, 2011 at 12:56:41PM -0400, Victor Duchovni wrote:
> On Thu, Apr 07, 2011 at 06:42:22PM +0200, G?bor L?n?rt wrote:
> 
> > On Thu, Apr 07, 2011 at 12:20:51PM -0400, Victor Duchovni wrote:
> > > On Thu, Apr 07, 2011 at 05:57:24PM +0200, G?bor L?n?rt wrote:
> > > 
> > > > > Instead, Postfix requires that you have one or more of (reject,
> > > > > reject_unauth_destination, etc.) SOMEWHERE in
> > > > > sender_recipient_restrictions.
> > > > 
> > > > I have the needed rejects at the sender, but not at the recipient, because I
> > > > have the idea that if I reject "unwanted" things at the sender, I am safe
> > > > not to do the same restrictions at the recipient restrictions.
> > > 
> > > You are confused. The above is simply wrong. Either the timing is
> > > identical for both checks, and you gain nothing, or critical data (the
> > > recipient domain) is missing at sender stage (if smtpd_delay_reject=no,
> > > which is not recommended).
> > 
> > I meant that I rejected everything at the sender restrictions which are
> > based on information available at sender or maybe even earlier. Of course,
> > information like recipient based things can't be rejected at the sender,
> > it's done at the recipient. 
> 
> That's not how it works. Either you can't validate that the recipient domain
> is yours and you are not relaying, because the check is at "MAIL FROM:"
> (smtpd_delay_reject = no, which is not recommended), or else, you can make

I don't want to check if rcpt domain is mine (I have no "own" domains on
this MTA).  I want to accept everything if sender is authenticated, since
it's a mail submit MTA, users can submit mails through it.

Anyway it works now, I've tested, but I am
also sure that I will modify this according to your (plural "your")
recommendations, since I don't want to make something "very ugly".

> the check in the sender-restrictions, but "reject_unauth_destination" really
> belongs in the "recipient" checks, and your configuration is unnecessarily
> twisted. Just move all the checks to the recipient restrictions.

I don't need reject_unauth_destination, since every destination is valid :)
(OK, for sure a non-existing or non-FQDN domain is not; also I have an SQL
based ban list for "bad ones" both for senders and rcpts, as you can see
later with the banned_* sql tables)

> 
> > Ok, I've tried to do what I want (it seems to work ... but hmmm), the
> > important part:
> > 
> > smtpd_sender_restrictions =
> >         reject_unauth_pipelining,
> >         reject_non_fqdn_sender,
> >         reject_unknown_sender_domain,
> >         check_sender_access pcre:/etc/postfix/check_address_syntax.pcre,
> >         check_sender_access mysql:/etc/postfix/banned_senders.sql,
> >         check_sender_mx_access cidr:/etc/postfix/mx_access.cidr,
> >         permit_sasl_authenticated,
> >         reject_invalid_helo_hostname,
> >         reject_non_fqdn_helo_hostname,
> >         reject_unknown_helo_hostname,
> >         check_client_access cidr:/etc/postfix/ip_based_relay.cidr,
> >         check_client_access ldap:/etc/postfix/ip_based_relay.ldap,
> >         reject
> > smtpd_recipient_restrictions =
> >         reject_unauth_pipelining,
> >         reject_non_fqdn_recipient,
> >         reject_unknown_recipient_domain,
> >         check_recipient_access pcre:/etc/postfix/check_address_syntax.pcre,
> >         check_recipient_access mysql:/etc/postfix/banned_rcpts.sql,
> >         check_recipient_mx_access cidr:/etc/postfix/mx_access.cidr,
> >         check_recipient_access static:OK,
> >         reject
> 
> This is a broken open relay. Which domains are yours? Where is the

Sorry, I can't see your point here. Why would it be an open relay? Only
authenticated users can send mails
(as you can see in my config, "permit_sasl_authenticated" then if not
authenticated, it will be rejected at the end of sender restrictions, _if_
ip_based_relay ldap or cidr table does not contain an OK result when the
sender is permitted to send)

Open relay - as far as I know - means that _anybody_ can send through it for
any rcpts. For sure a mail submission MTA is not far from it :) the only
major difference is that the client MTA/MUA has to authenticate itself somehow,
like with ESMTP auth, or it's allowed by its IP.

Or have you seen something wrong about the config above which really makes it
an open relay? I've tested this, users who do not SMTP authenticate, and
have no IP based access set in my ip_based_relay cidr and ldap tables got
"rejected" so I can't see how it can be an open relay, but please tell me if I
am wrong somewhere, it's better to know than not :)

> reject_unauth_destination check?

I have no domains. This is a mail submit system as I've told. So I "have to
accept" any recipients if the sender authenticated himself either with SMTP
authentication or his IP is allowed to relay. This MTA has no local,
virtual users, also mydestination is empty ... 

Anyway, meanwhile I've tested my theory, and it worked (it was tested, it's
not an open relay, authentication works, also my ldap/mysql/cidr etc based
tables and so on) but I am sure that I will modify this according to your
(plural "your") recommendations, since I don't want to make something "very
ugly".
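
A simplified model of how Postfix evaluates the two restriction lists discussed in this thread, added here as an example and not written by either poster. It compares the posted split layout with one that keeps every check in the recipient list, and shows what the posted recipient list permits on its own if the sender list loses its final `reject`. The table contents, session values and the `check_banned_rcpt`/`static_ok` helper names are constructed for illustration.

```python
# Simplified model (added example) of Postfix smtpd restriction lists,
# assuming smtpd_delay_reject = yes so every list is evaluated at RCPT TO.
# Syntax, DNS and HELO checks from the posted config are left out.

ALLOWED_IPS = {"192.0.2.10"}        # constructed stand-in for ip_based_relay.*
BANNED_RCPTS = {"bad@example.net"}  # constructed stand-in for banned_rcpts.sql

def permit_sasl_authenticated(s): return "OK" if s["sasl"] else None
def check_client_access(s): return "OK" if s["ip"] in ALLOWED_IPS else None
def check_banned_rcpt(s): return "REJECT" if s["rcpt"] in BANNED_RCPTS else None
def static_ok(s): return "OK"
def reject(s): return "REJECT"

def run_list(restrictions, session):
    """The first OK/REJECT ends this list; None means no decision (DUNNO)."""
    for restriction in restrictions:
        result = restriction(session)
        if result is not None:
            return result
    return None

def decide(lists, session):
    """REJECT in any list is final; OK only ends the list that returned it."""
    for restrictions in lists:
        if run_list(restrictions, session) == "REJECT":
            return "REJECT"
    return "OK"

# Layout posted in the thread: [sender list, recipient list].
SPLIT = [[permit_sasl_authenticated, check_client_access, reject],
         [check_banned_rcpt, static_ok, reject]]
# Same policy with all checks in the recipient list.
MERGED = [[],
          [check_banned_rcpt, permit_sasl_authenticated, check_client_access, reject]]
# Split layout after the sender list loses its final reject.
SPLIT_NO_REJECT = [SPLIT[0][:-1], SPLIT[1]]

# Constructed sessions.
STRANGER = {"sasl": False, "ip": "203.0.113.5", "rcpt": "user@example.org"}
AUTHED = {"sasl": True, "ip": "203.0.113.5", "rcpt": "user@example.org"}
AUTHED_BANNED = {"sasl": True, "ip": "203.0.113.5", "rcpt": "bad@example.net"}

if __name__ == "__main__":
    for name, lists in [("split", SPLIT), ("merged", MERGED),
                        ("split, no sender reject", SPLIT_NO_REJECT)]:
        print(name, [decide(lists, s) for s in (STRANGER, AUTHED, AUTHED_BANNED)])
```

In the model, the split and merged layouts give the same decision for every sample session; only the split layout depends on a `reject` in a different list to keep unauthenticated clients out.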
