On 3/19/2013 7:11 PM, Steve Jenkins wrote:
> On Tue, Mar 19, 2013 at 4:30 PM, Matthew Hall <mhcomput...@gmail.com> wrote:
> 
>     It seems like I keep seeing you on every crypto and security list!
>     Thanks for being there and assisting people so often.
> 
> 
>  Based on the feedback from Viktor, I've made some similar changes
> in my 2.10 config. It's close to Matthew's, but different enough
> that I'd appreciate a quick sanity check:
> 
> # SMTPD Restrictions
> smtpd_helo_required = yes
> disable_vrfy_command = yes
> smtpd_recipient_restrictions =
>         reject_invalid_hostname,
>         warn_if_reject reject_non_fqdn_hostname,
>         warn_if_reject reject_non_fqdn_sender,
>         reject_non_fqdn_recipient,
>         reject_unknown_sender_domain,
>         warn_if_reject reject_unknown_reverse_client_hostname,
>         warn_if_reject reject_non_fqdn_helo_hostname,
>         warn_if_reject reject_invalid_helo_hostname,
>         warn_if_reject reject_unknown_helo_hostname,
>         reject_unauth_pipelining,
>         check_reverse_client_hostname_access pcre:/etc/postfix/fqrdns.pcre,
>         check_helo_access hash:/etc/postfix/helo_access,
>         check_sender_access hash:/etc/postfix/check_backscatterer,
>         check_sender_access hash:/etc/postfix/access,
>         reject_rbl_client b.barracudacentral.org,
>         reject_rbl_client zen.spamhaus.org,
>         reject_rbl_client bl.spamcop.net,
>         reject_rbl_client psbl.surriel.com,
>         reject_rhsbl_client dbl.spamhaus.org,
>         reject_rhsbl_sender dbl.spamhaus.org,
>         reject_rhsbl_helo dbl.spamhaus.org,
>         permit

I don't notice any permit_mynetworks or permit_sasl_authenticated
above.  If users submit mail here, you probably want those permit_*
rules near the top of the list.

> 
> smtpd_relay_restrictions =
>         permit_mynetworks,
>         permit_sasl_authenticated,
>         reject_unauth_destination

Perfect.  The new smtpd_relay_restrictions is intended for relay
control only, not to be polluted with anti-UCE controls.




  -- Noel Jones
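
A lint for the ordering point raised in the reply above, as an added example that is not part of the original thread: it parses main.cf text and reports, for a given restriction list, whether permit_mynetworks and permit_sasl_authenticated are present and how many enforcing reject_*/check_* rules come before them. The sample config is constructed from the quoted fragments, and the function names are hypothetical.

```python
import re

# Constructed sample: a shortened version of the main.cf fragments quoted in the thread.
SAMPLE_MAIN_CF = """\
# SMTPD Restrictions
smtpd_helo_required = yes
smtpd_recipient_restrictions =
        reject_invalid_hostname,
        warn_if_reject reject_non_fqdn_sender,
        reject_non_fqdn_recipient,
        check_helo_access hash:/etc/postfix/helo_access,
        reject_rbl_client zen.spamhaus.org,
        permit
smtpd_relay_restrictions =
        permit_mynetworks,
        permit_sasl_authenticated,
        reject_unauth_destination
"""

PERMITS = ("permit_mynetworks", "permit_sasl_authenticated")

def parse_main_cf(text):
    """Return {parameter: value}; lines starting with whitespace continue the previous one."""
    params, name = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank lines and comments carry no settings
        if line[0].isspace() and name:
            params[name] += " " + line.strip()
        elif "=" in line:
            name, value = line.split("=", 1)
            name = name.strip()
            params[name] = value.strip()
    return params

def permit_positions(text, param):
    """For each permit_* rule: None if absent, else how many enforcing
    reject_*/check_* rules come before it (warn_if_reject rules only log)."""
    tokens = re.split(r"[,\s]+", parse_main_cf(text).get(param, "").strip())
    result, enforcing = dict.fromkeys(PERMITS), 0
    for i, tok in enumerate(tokens):
        logged_only = i > 0 and tokens[i - 1] == "warn_if_reject"
        if tok in PERMITS and result[tok] is None:
            result[tok] = enforcing
        elif tok.startswith(("reject_", "check_")) and not logged_only:
            enforcing += 1
    return result
```

A `None` for either rule on a server that accepts user submissions is the case the reply flags; a large count means local and authenticated clients pass through that many anti-UCE checks first.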
