On 3/12/2013 5:11 PM, Alex wrote:
> Hi,
>
>>>>> or is it still related to the unresolvable
>>>>> appl...@tank.sub1.domain.com host as I initially thought?
>>
>> You said it was still rejected, but didn't show the new log entry
>> demonstrating the new problem. Without the new log entry, we can't
>> tell what happened.
>
> I'm sorry, I misunderstood. I meant that it's now working because I
> added the IP to mynetworks. I'm otherwise still having the problem.
>
> You had said that I likely have another reject_unknown_sender_domain
> somewhere else in my config, and indeed, I do. It's under
> smtpd_sender_restrictions:
>
> smtpd_sender_restrictions = permit_sasl_authenticated,
>     permit_mynetworks,
>     reject_non_fqdn_sender,
>     reject_unknown_sender_domain,
>     permit

Restrictions are always done in order, so this is what was rejecting
the mail. When you added the client IP to mynetworks, the
permit_mynetworks above "protected" the client from this
reject_unknown_sender_domain check.

>
> If I remove it here, does it affect sasl users?

Currently, sasl users are subject to this test, since there is no
permit_sasl_authenticated before it.

>
> You've also suggested that check_client_access and check_sender_access
> must be AFTER reject_unauth_destination, and BEFORE
> reject_unknown_sender_domain, if I understood correctly.

I was speaking specifically about the whitelist tables. Since
restrictions are executed in the order you specify, it should be
obvious that whitelist "permit" rules must come before "reject" rules.

The reject_unauth_destination rule is a special case -- that's your
open relay protection. Putting whitelists above it can make you an
open relay.
http://www.postfix.org/SMTPD_ACCESS_README.html#danger

With postfix 2.10 and newer this is clearer since relay protection
should be in smtpd_relay_restrictions, and smtpd_recipient_restrictions
can concentrate on anti-spam.

> I've now
> deleted those "special" files I had, and moved my main access files
> between those two restrictions. Is this necessary because the
> destination must first be validated before the sender is validated?

The idea is to reject mail from unauthorized users or clients that is
addressed off-site.

>
> I've made these changes and included my new postconf below. Should I
> have reject instead of permit at the end of
> smtpd_recipient_restrictions?

Using reject turns you into a private mail server -- only clients
specifically permitted can send you mail. You don't want that for a
general-purpose MTA.

>
> delay_warning_time = 10d

Yikes! 10 days?? Seriously? I see you've also set your
maximal_queue_lifetime to 10d.

Aside from the excessive time, warning the user the mail wasn't
delivered at the same time a bounce/DSN is sent to them is probably
not helpful. Typically the warn time should be from a few hours to a
day or so. While there aren't any firm rules about this, the whole
point of warning the user early is so they can try an alternate method
to contact the recipient.

> disable_vrfy_command = yes
> fallback_relay =
> header_checks = pcre:/etc/postfix/header_checks.pcre
>     pcre:/etc/postfix/header_checks-jimsun.pcre

Are the jimsun checks still effective? I thought these were years old,
and I wouldn't expect them to do much good.

> initial_destination_concurrency = 20

The default is 5. Don't change it without good reason.

> maximal_queue_lifetime = 10d

The default 5 days should be sufficient for the vast majority of the
internet. 10 days might be appropriate if you're talking to an outpost
with a solar panel and a satellite phone.

> message_size_limit = 13312000
> mime_header_checks = pcre:/etc/postfix/mime_header_checks
> mydestination = $myhostname, localhost.$mydomain
> mydomain = guardiandigital.com
> myhostname = nocmon.guardiandigital.com
> mynetworks = 127.0.0.0/8, 192.168.1.0/24, 192.168.6.0/24,
>     68.111.222.40/29, 64.111.222.0/27

As a general rule, you shouldn't add internet IPs to mynetworks unless
they are off-site locations controlled directly by you.

> postscreen_dnsbl_action = enforce
> postscreen_dnsbl_sites = mykey.zen.dq.spamhaus.net*2 b.barracudacentral.org*1
> postscreen_dnsbl_threshold = 2

Looking at the scores you've set, you might as well remove
barracudacentral unless you just like to see it in the logs. Or maybe
you were intending to add a couple other 1-point RBLs?

> relay_domains = $mydestination, $transport_maps

relay_domains is for domains you're the MX for, but are delivered
elsewhere, such as a downstream mail store. transport_maps does not
belong here; if you add a transport for e.g. hotmail.com, you've made
yourself an open relay to that destination. Typically this should be
set explicitly empty:

  # main.cf
  relay_domains =

> smtp_use_tls = yes

Old syntax. Prefer to use:

  smtp_tls_security_level = may

> smtpd_recipient_restrictions = reject_non_fqdn_recipient,
>     reject_non_fqdn_sender, reject_unlisted_recipient,
>     permit_mynetworks, reject_unauth_destination,
>     check_client_access hash:/etc/postfix/client_checks,
>     check_sender_access hash:/etc/postfix/sender_checks,

Ok. I notice you don't have permit_sasl_authenticated here, which
forces sasl users to use the submission port. That's fine.

>     reject_unknown_recipient_domain,

After reject_unauth_destination, the only recipient domain left is
your own. You should either remove this, or move it up higher.

>     reject_rhsbl_reverse_client mykey.dbl.dq.spamhaus.net,
>     reject_rhsbl_sender mykey.dbl.dq.spamhaus.net,
>     reject_rhsbl_helo mykey.dbl.dq.spamhaus.net
>     check_helo_access pcre:/etc/postfix/helo_checks.pcre,
>     reject_invalid_helo_hostname,
>     check_recipient_access pcre:/etc/postfix/relay_recips_segtravel,
>     check_recipient_access pcre:/etc/postfix/relay_recips_access,
>     permit

Ok.

> smtpd_sender_restrictions = permit_sasl_authenticated,
>     permit_mynetworks, reject_non_fqdn_sender,
>     reject_unknown_sender_domain, permit

You might as well move reject_unknown_sender_domain to
smtpd_recipient_restrictions and just empty this section.

> smtpd_tls_auth_only = yes
> smtpd_tls_cert_file = /etc/pki/dovecot/certs/dovecot.pem
> smtpd_tls_key_file = /etc/pki/dovecot/private/dovecot.pem
> smtpd_tls_received_header = yes
> smtpd_tls_security_level = may
> smtpd_tls_session_cache_database =
>     btree:/var/lib/postfix/smtpd_tls_session_cache
> tls_random_source = dev:/dev/urandom
> transport_maps = hash:/etc/postfix/transport
> virtual_alias_maps = hash:/etc/postfix/virtual-segtravel

Ok.

>
> Thanks,
> Alex
>

-- 
  Noel Jones
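As an added illustration (not code from the thread or from Postfix), the following small Python model reproduces the in-order, first-match evaluation that the reply describes: each restriction answers PERMIT, REJECT or DUNNO, and the first non-DUNNO answer decides. The mynetworks ranges, the client whitelist, the local domain set and the "resolvable" sender domains are all constructed sample data standing in for the real tables and DNS, and the lists UNSAFE and SAFE only differ in where the whitelist sits relative to reject_unauth_destination.

```python
"""Simplified model of Postfix smtpd access-restriction evaluation.

Constructed example, not Postfix code: it keeps only the ordering
semantics (first PERMIT/REJECT wins, DUNNO falls through) that decide
what a whitelist or permit_mynetworks "protects".
"""
import ipaddress

PERMIT, REJECT, DUNNO = "PERMIT", "REJECT", "DUNNO"

# Constructed sample data standing in for mynetworks, mydestination,
# a hash: client whitelist and the DNS view of sender domains.
MYNETWORKS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "192.168.1.0/24")]
MYDESTINATION = {"example.com"}
CLIENT_WHITELIST = {"203.0.113.7": "OK"}             # check_client_access table
RESOLVABLE_DOMAINS = {"example.com", "example.net"}  # domains DNS would resolve

def permit_mynetworks(s):
    return PERMIT if any(ipaddress.ip_address(s["client"]) in n for n in MYNETWORKS) else DUNNO

def permit_sasl_authenticated(s):
    return PERMIT if s.get("sasl") else DUNNO

def reject_unauth_destination(s):
    # Relay protection: recipient domain must be one we accept mail for.
    return DUNNO if s["rcpt"].split("@")[1] in MYDESTINATION else REJECT

def check_client_access(s):
    return PERMIT if CLIENT_WHITELIST.get(s["client"]) == "OK" else DUNNO

def reject_unknown_sender_domain(s):
    return DUNNO if s["sender"].split("@")[1] in RESOLVABLE_DOMAINS else REJECT

def evaluate(restrictions, session):
    """Run restrictions in order; return (verdict, restriction that decided)."""
    for r in restrictions:
        verdict = r(session)
        if verdict != DUNNO:
            return verdict, r.__name__
    return PERMIT, "end-of-list"  # implicit permit at the end of the list

# Whitelist placed ABOVE the relay check: the open-relay ordering warned about.
UNSAFE = [permit_mynetworks, check_client_access, reject_unauth_destination,
          reject_unknown_sender_domain]
# Whitelist placed BELOW the relay check, as recommended in the reply.
SAFE = [permit_mynetworks, reject_unauth_destination, check_client_access,
        reject_unknown_sender_domain]

OFFSITE = {"client": "203.0.113.7", "sender": "x@example.net", "rcpt": "y@example.org"}

if __name__ == "__main__":
    print("unsafe:", evaluate(UNSAFE, OFFSITE))  # whitelisted client relays off-site
    print("safe:  ", evaluate(SAFE, OFFSITE))    # stopped by reject_unauth_destination
```

Prepending permit_sasl_authenticated to SAFE shows the other point in the reply: without it, an authenticated user with an unresolvable sender domain is still rejected by reject_unknown_sender_domain.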