On Fri, Oct 26, 2012 at 11:06:00PM +0200, Freek Dijkstra wrote:

> smtpd_recipient_restrictions =
>     reject_unauth_pipelining,
>     reject_non_fqdn_recipient,
>     reject_unknown_recipient_domain,

You generally don't need this one except on port 587, usually after
permit_auth_destination. You should not reject mail to your own domains
just because of a (be it unlikely) transient DNS glitch. If however a
separate submission service is not a good fit, you can leave it there,
as the odds of a problem are relatively low.

>     permit_mynetworks,
>     permit_sasl_authenticated,
>     reject_unauth_destination,

Fine, you're not an open relay, provided your mynetworks setting is
sensible and none of your SASL users have weak passwords.

>     warn_if_reject check_sender_access hash:/etc/postfix/sender_access,
>     warn_if_reject check_client_access hash:/etc/postfix/client_access,
>     warn_if_reject check_policy_service unix:private/policy-spf,

These check the envelope sender address, then the client IP address,
and finally the SPF policy service. Pretty simple really.

>     warn_if_reject reject_rbl_client relays.ordb.org,
>     warn_if_reject reject_rbl_client sbl.spamhaus.org,

IIRC relays.ordb.org is LONG dead, or if not dead, is not a good choice
for most sites. As for spamhaus, use "zen.spamhaus.org" not
"sbl.spamhaus.org".

> Second question: I'm currently using check_sender_access to block email
> coming from non-existing user addresses at my domain. However, this only
> checks the MAIL FROM address. Is it also possible to create a rule which
> checks the From: header. (presumably such check should occur in
> smtpd_data_restrictions or smtpd_end_of_data_restrictions?)

No, not without a milter or proxy filter.

--
Viktor.
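
The layout suggested in the reply above, written out as an added example that is not part of the original message or thread. The restriction names and map paths come from the quoted configuration; the `submission` entry in master.cf and its TLS/SASL options are assumptions about a typical port 587 setup.

```conf
# /etc/postfix/main.cf  (port 25, MX traffic)
# reject_unknown_recipient_domain is removed here, so a transient DNS
# failure cannot cause mail for your own domains to be rejected.
# relays.ordb.org is dropped and sbl.spamhaus.org is replaced by
# zen.spamhaus.org. warn_if_reject is kept as in the quoted config,
# so these checks only log until the prefix is removed.
smtpd_recipient_restrictions =
    reject_unauth_pipelining,
    reject_non_fqdn_recipient,
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    warn_if_reject check_sender_access hash:/etc/postfix/sender_access,
    warn_if_reject check_client_access hash:/etc/postfix/client_access,
    warn_if_reject check_policy_service unix:private/policy-spf,
    warn_if_reject reject_rbl_client zen.spamhaus.org

# /etc/postfix/master.cf  (port 587, authenticated submission; assumed entry)
# permit_auth_destination accepts recipients in your own domains first,
# so reject_unknown_recipient_domain only applies to remote recipients
# that authenticated users are trying to reach.
submission inet n       -       n       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_recipient_restrictions=reject_non_fqdn_recipient,permit_auth_destination,reject_unknown_recipient_domain,permit_sasl_authenticated,reject
```

Run `postfix check` and `postconf -n` after editing, then reload Postfix and watch the mail log for `reject_warning` entries before removing `warn_if_reject`.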