On Mon, May 13, 2013 at 6:42 PM, Noel Jones <njo...@megan.vbhcs.org> wrote:

> Don't forget that all the other main.cf parameters are still in
> effect on your "submission" entry; likely you're seeing unintended
> spillover.
>
> I suggest setting ALL the smtpd_*_restrictions entries for
> submission in master.cf so you don't have unexpected results.
>
> submission inet n       -       n       -       -       smtpd
>   -o smtpd_tls_security_level=encrypt
>   -o smtpd_sasl_auth_enable=yes
>   -o milter_macro_daemon_name=ORIGINATING
>   -o smtpd_client_restrictions=
>   -o smtpd_helo_restrictions=
>   -o smtpd_sender_restrictions=
>   -o smtpd_recipient_restrictions=
>   -o smtpd_relay_restrictions=permit_sasl_authenticated,reject


That was the final piece, Noel. Thx. Explicitly setting empty values for
those options for submission fixed whatever unintended spillover I was
experiencing.

Thanks to everyone's help here, I now have a slightly better understanding
of how these restrictions should work, and a much cleaner and easier to
understand list of recipient restrictions:

main.cf:

...
# SMTPD Restrictions
smtpd_helo_required = yes
disable_vrfy_command = yes

smtpd_recipient_restrictions =
        reject_invalid_helo_hostname,
        warn_if_reject reject_non_fqdn_helo_hostname,
        reject_unknown_reverse_client_hostname,
        warn_if_reject reject_unknown_helo_hostname,
        check_reverse_client_hostname_access pcre:/etc/postfix/fqrdns.pcre,
        check_helo_access hash:/etc/postfix/helo_access,
        check_sender_access hash:/etc/postfix/sender_access,
        reject_rbl_client zen.spamhaus.org,
        reject_rhsbl_client dbl.spamhaus.org,
        reject_rhsbl_sender dbl.spamhaus.org,
        reject_rhsbl_helo dbl.spamhaus.org,
        permit_dnswl_client list.dnswl.org=127.0.[0..255].[1..3],
        permit

smtpd_relay_restrictions =
        permit_mynetworks,
        permit_sasl_authenticated,
        reject_unauth_destination

smtpd_data_restrictions = reject_unauth_pipelining
...

master.cf:
...
submission inet n       -       n       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o milter_macro_daemon_name=ORIGINATING
  -o smtpd_client_restrictions=
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=
  -o smtpd_relay_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
  -o smtpd_data_restrictions=
  -o smtpd_end_of_data_restrictions=
...

Thanks again!

SteveJ
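
An added example, not part of the original message and not Postfix's own tooling: a small Python check that reads a master.cf service entry and lists the smtpd restriction lists it leaves unset, which is where main.cf values spill over. The function names and the sample constant are hypothetical, the sample is the entry quoted at the top of the message, and only the plain `-o name=value` form is parsed.

```python
# The seven restriction lists set in the thread's final master.cf entry.
RESTRICTION_PARAMS = (
    "smtpd_client_restrictions", "smtpd_helo_restrictions",
    "smtpd_sender_restrictions", "smtpd_relay_restrictions",
    "smtpd_recipient_restrictions", "smtpd_data_restrictions",
    "smtpd_end_of_data_restrictions",
)

# Constructed sample: the submission entry quoted at the top of the message.
SAMPLE_MASTER_CF = """\
submission inet n       -       n       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o milter_macro_daemon_name=ORIGINATING
  -o smtpd_client_restrictions=
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
"""

def logical_lines(text):
    """Join continuation lines (leading whitespace); skip blanks and comments."""
    lines = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and lines:
            lines[-1] += " " + raw.strip()
        else:
            lines.append(raw.strip())
    return lines

def overrides(text, service, command="smtpd"):
    """Return {name: value} from "-o name=value" on one service entry."""
    for fields in map(str.split, logical_lines(text)):
        if len(fields) >= 8 and fields[0] == service and fields[7] == command:
            args = fields[8:]
            return dict(b.split("=", 1) for a, b in zip(args, args[1:])
                        if a == "-o" and "=" in b)
    raise KeyError(service)

def inherited(text, service):
    """Restriction lists the service does not override, so main.cf applies."""
    set_here = overrides(text, service)
    return [p for p in RESTRICTION_PARAMS if p not in set_here]

if __name__ == "__main__":
    print(inherited(SAMPLE_MASTER_CF, "submission"))
```

For the quoted entry this reports `smtpd_data_restrictions` and `smtpd_end_of_data_restrictions`, the two lines the final master.cf entry adds.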
