Hello all,

After modifying my config to work the way I want it to after the switch from webroot to postini, I'd like a sanity check on my modified restrictions to make sure I didn't make some glaring mistake that is going to bite me (full postconf -n at the end of this message)...

Here are my current restrictions (with comments to explain the purpose and contents of the maps, all still under smtpd_recipient_restrictions):

smtpd_recipient_restrictions =

 # these two maps only have REJECTs, no OKs allowed
   check_recipient_access ${hash}/moved-employees,
   check_recipient_access ${hash}/x-employees,

   permit_sasl_authenticated,

 # this map only has PERMIT_AUTH_DESTINATIONs for a few ancient client
 # devices that don't support SMTP_AUTH, and a final OK for localhost
 # (127.0.0.1) at the end
   check_client_access ${cidr}/allowed_clients_local.cidr,

 # this map is to prevent messages from/to one of our domains but has
 # some DUNNOs for a few exceptions, and a final REJECT, no OKs allowed
   check_sender_access ${hash}/nospoof,

 # this map only has REJECTs to block external access to internal only
 # mail list addresses
   check_recipient_access ${hash}/blocked_recipients,

 # this map only has PERMIT for postini's network and a final REJECT
 # telling other clients to use our MX
   check_client_access ${cidr}/allowed_clients_external.cidr,

   permit_mynetworks,
   reject_unauth_destination,

 # this map only has DISCARDs or REJECTs
   check_sender_access ${hash}/blocked_senders,

My main question is, would it make more sense to move all of the check_mumble restrictions that come *before* reject_unauth_destination into their appropriate smtpd_mumble_restrictions class? And if I did this, would I then have to change smtpd_delay_reject to no?

Thanks,

Charles

myhost : Fri Mar 16, 12:41:11 : ~
 # postconf -n
alias_maps = hash:/etc/mail/aliases, hash:/var/lib/mailman/data/aliases
anvil_rate_time_unit = 360s
anvil_status_update_time = 3600s
bounce_queue_lifetime = 18h
bounce_size_limit = 1
bounce_template_file = /etc/postfix/bounce.cf
broken_sasl_auth_clients = yes
cidr = cidr:${maps_dir}/cidr
config_directory = /etc/postfix
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5
delay_warning_time = 15m
hash = hash:${maps_dir}/hash
home_mailbox = .maildir/
inet_protocols = ipv4
maps_dir = /etc/postfix/maps
maximal_queue_lifetime = 1d
message_size_limit = 30720000
mydomain = media-brokers.com
myhostname = smtp.media-brokers.com
mynetworks = 127.0.0.0/8 192.168.1.4
mysql = proxy:mysql:${maps_dir}/mysql
parent_domain_matches_subdomains =
recipient_delimiter = +
relay_domains =
relayhost = [outbounds6.obsmtp.com]
sender_bcc_maps = ${hash}/sender_bcc
smtp_fallback_relay = [smtp.comcast.net]
smtpd_hard_error_limit = 3
smtpd_recipient_limit = 100
smtpd_recipient_restrictions = check_recipient_access ${hash}/moved-employees, check_recipient_access ${hash}/x-employees, permit_sasl_authenticated, check_client_access ${cidr}/allowed_clients_local.cidr, check_sender_access ${hash}/nospoof, check_recipient_access ${hash}/blocked_recipients, check_client_access ${cidr}/allowed_clients_external.cidr, permit_mynetworks, reject_unauth_destination, check_sender_access ${hash}/blocked_senders,
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $mydomain
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/ssl/mbiCerts/smtp_crt.pem
smtpd_tls_key_file = /etc/ssl/mbiCerts/smtp_key.pem
smtpd_tls_security_level = may
transport_maps = ${hash}/transport
vacation_destination_recipient_limit = 1
virtual_alias_maps = ${mysql}/vam.cf, hash:/var/lib/mailman/data/virtual-mailman
virtual_gid_maps = static:207
virtual_mailbox_base = /var/vmail
virtual_mailbox_domains = ${mysql}/vmd.cf
virtual_mailbox_maps = ${mysql}/vmm.cf
virtual_minimum_uid = 207
virtual_uid_maps = static:207
myhost : Fri Mar 16, 12:41:19 : ~
 #


--

Best regards,

Charles
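One way to sanity-check a restriction list like the one above before relying on it, added here as an example and not taken from the post: a small Python model of how smtpd walks smtpd_recipient_restrictions (the first OK/PERMIT, REJECT or DISCARD decides, DUNNO or no match falls through, PERMIT_AUTH_DESTINATION only permits delivery to your own domains). The map contents, domains, addresses and network ranges are constructed stand-ins for the files the post describes; running it on the post's order shows which entry decides each case, for instance that a PERMIT from allowed_clients_external.cidr placed before reject_unauth_destination lets that network relay to any destination.

```python
import ipaddress

# Constructed sample maps mirroring what the post says each file holds (not the
# poster's real files). Hash maps: key -> action. CIDR maps: ordered pairs, first match wins.
MAPS = {
    "moved-employees": {"moved@example.com": "REJECT"},
    "x-employees": {"gone@example.com": "REJECT"},
    "allowed_clients_local.cidr": [("192.168.1.50/32", "PERMIT_AUTH_DESTINATION"), ("127.0.0.1/32", "OK")],
    "nospoof": {"partner-bot@example.com": "DUNNO", "example.com": "REJECT"},
    "blocked_recipients": {"staff-list@example.com": "REJECT"},
    "allowed_clients_external.cidr": [("203.0.113.0/24", "PERMIT"), ("0.0.0.0/0", "REJECT")],
    "blocked_senders": {"spammer@bad.example": "DISCARD"},
}
LOCAL_DOMAINS = {"example.com"}  # what reject_unauth_destination treats as an authorized destination
MYNETWORKS = ["127.0.0.0/8", "192.168.1.4/32"]  # constructed, same shape as the post's mynetworks
CHAIN = [  # the post's smtpd_recipient_restrictions, in the same order
    ("check_recipient_access", "moved-employees"), ("check_recipient_access", "x-employees"),
    ("permit_sasl_authenticated", None), ("check_client_access", "allowed_clients_local.cidr"),
    ("check_sender_access", "nospoof"), ("check_recipient_access", "blocked_recipients"),
    ("check_client_access", "allowed_clients_external.cidr"), ("permit_mynetworks", None),
    ("reject_unauth_destination", None), ("check_sender_access", "blocked_senders"),
]

def in_any(ip, networks):
    return any(ipaddress.ip_address(ip) in ipaddress.ip_network(n) for n in networks)

def lookup_hash(table, addr):
    # Simplified access(5) search order: the full address first, then its domain part.
    return next((table[k] for k in (addr, addr.split("@", 1)[1]) if k in table), None)

def evaluate(client_ip, sender, rcpt, sasl=False):
    """Walk the chain as smtpd does; returns (outcome, restriction, map) so the deciding entry is visible."""
    local = rcpt.split("@", 1)[1] in LOCAL_DOMAINS
    for name, arg in CHAIN:
        if name == "permit_sasl_authenticated":
            r = "OK" if sasl else None
        elif name == "permit_mynetworks":
            r = "OK" if in_any(client_ip, MYNETWORKS) else None
        elif name == "reject_unauth_destination":
            r = None if local else "REJECT"
        elif name == "check_client_access":  # cidr map: first matching network wins
            r = next((act for net, act in MAPS[arg] if in_any(client_ip, [net])), None)
        else:  # check_sender_access / check_recipient_access
            r = lookup_hash(MAPS[arg], sender if name == "check_sender_access" else rcpt)
        if r == "PERMIT_AUTH_DESTINATION":  # a permit only when the recipient is in our own domains
            r = "OK" if local else None
        if r in ("OK", "PERMIT"):
            return ("accept", name, arg)
        if r in ("REJECT", "DISCARD"):
            return (r.lower(), name, arg)
    return ("accept", "end_of_list", None)  # Postfix's default action at the end of the list is permit
```

Each tuple names the restriction and map that ended the search, so a case that is accepted by a check_*_access entry ahead of reject_unauth_destination with a non-local recipient is exactly the relay path to look at.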
