On 8/31/2013 2:55 AM, LuKreme wrote:
> Is there any downside to using reject_unauth_destination? I had it commented
> out but I did not have a note on why it was disabled. Reading the
> description, it seems like it should always be turned on (or at least that it
> couldn't possibly hurt)?
>
> <http://www.postfix.org/postconf.5.html#reject_unauth_destination>

reject_unauth_destination is what keeps you from being an open relay, and
is required in either smtpd_recipient_restrictions or (postfix 2.10 and
newer) smtpd_relay_restrictions.

I expect you commented it out in smtpd_recipient_restrictions when you
upgraded to postfix 2.10, but it's a very cheap test and there's no
reason to remove it.

> Is it even going to trigger with Postscreen in place?

postscreen doesn't do any destination tests, and by design cannot
prevent relaying.

I would recommend leaving it in smtpd_recipient_restrictions, and you
MUST leave it in smtpd_relay_restrictions.

> (for now I've stuck warn_if_ in front of it)
>
> my smtpd_*_restrictions (mail_version = 2.10.0)
>
> smtpd_data_restrictions = reject_unauth_pipelining,
>     reject_multi_recipient_bounce, permit
>
> smtpd_helo_restrictions = permit_mynetworks, reject_invalid_helo_hostname,
>     reject_non_fqdn_helo_hostname, permit
>
> smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated,
>     reject_non_fqdn_sender, reject_non_fqdn_recipient,
>     reject_unknown_sender_domain, reject_invalid_hostname,
>     warn_if_reject_unauth_destination, reject_unlisted_recipient,
>     reject_unlisted_sender, reject_unknown_reverse_client_hostname,
>     check_client_access hash:$config_directory/access, permit
>
> smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated
>     reject_unauth_destination

the above is acceptable.

> Can I just go with
>
> smtpd_recipient_restrictions = reject_unauth_destination,permit
> smtpd_relay_restrictions =

This will work -- you can even drop the "permit", which is implied --
but most folks find it useful to prepend permit_mynetworks even if
mynetworks only contains localhost IPs.

> and in master.cf
> submission inet n - n - - smtpd
>   -o smtpd_tls_security_level=encrypt -o smtpd_sasl_auth_enable=yes
>   -o smtpd_sasl_type=dovecot -o smtpd_sasl_path=private/auth
>   -o smtpd_sasl_security_options=noanonymous

OK.

> -o smtpd_sasl_local_domain=$myhostname

I don't think this parameter is used by dovecot. (unused parameters
rarely cause problems other than operator confusion)

> -o smtpd_client_restrictions=permit_sasl_authenticated,reject

you'll need to override the other smtpd_*_restrictions set in main.cf.

  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject

> -o syslog_name=submit-tls

Good.

> ?
>
> and is client_restrictions the best choice for submission? I've seen some
> confs have both
>
> -o smtpd_client_restrictions=permit_sasl_authenticated,reject
> -o smtpd_data_restrictions=permit_sasl_authenticated,reject
>
> Why?

Remember, for mail to be accepted, it must pass *each* of the
smtpd_*_restrictions sections. Also remember that every master.cf
service inherits {built-in defaults + all main.cf settings} before
applying any -o overrides.

How you arrange your submission settings is up to you. I like to
explicitly set all the smtpd_*_restrictions in submission, even if most
of them are empty, to prevent surprises later when I change something in
main.cf.

I think the minimum requirements for submission can be stated as
1) allow all AUTH users, 2) reject everyone else.

With widely used postfix main.cf smtpd_*_restrictions settings that
prepend everything with "permit_mynetworks, permit_sasl_authenticated",
(and thereby allow AUTH on port 25) it's sufficient to use
"-o smtpd_ANYTHING_restrictions=permit_sasl_authenticated,reject" and
still meet the minimum requirements.

When you change your main.cf so that AUTH is not allowed on port 25,
then additional settings are required in master.cf/submission to ensure
you don't reject AUTH users.

  -- Noel Jones
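The two rules Noel leans on above (a master.cf service inherits main.cf and then applies its -o overrides wholesale, and mail must pass every smtpd_*_restrictions class) are easy to reason about incorrectly, so here is an added Python model of them. It is an editor's illustration, not Postfix source and not code from anyone in the thread. It assumes simplified semantics for only six restriction names, a loopback-only mynetworks, example.org as the sole authorised destination, and constructed main.cf / master.cf fragments; the RFC 5737 client addresses and the `-o` override sets are made up for the demonstration, and nothing here talks to a real Postfix.

```python
"""Added model (not Postfix code): how a master.cf service's effective smtpd_*_restrictions
come from main.cf plus -o overrides, and why mail must pass every class.  Only the
restriction names in PERMITS/REJECTS are modelled; anything else raises."""
import ipaddress
from collections import namedtuple

CLASSES = ("client", "helo", "sender", "relay", "recipient", "data")
Session = namedtuple("Session", "client_ip helo sasl_authenticated recipient_domain")

# Constructed site data: mynetworks is loopback only; example.org is the only domain we accept for.
MYNETWORKS = ("127.0.0.0/8", "::1/128")
AUTHORISED_DOMAINS = frozenset({"example.org"})  # stands in for mydestination / relay_domains

def _in_mynetworks(ip):
    return any(ipaddress.ip_address(ip) in ipaddress.ip_network(n) for n in MYNETWORKS)

def _fqdn_or_literal(helo):
    labels = helo.split(".")
    return (helo.startswith("[") and helo.endswith("]")) or (len(labels) >= 2 and all(labels))

# Simplified semantics of the restrictions used in the thread (assumption: enough for the demo).
PERMITS = {
    "permit": lambda s: True,
    "permit_mynetworks": lambda s: _in_mynetworks(s.client_ip),
    "permit_sasl_authenticated": lambda s: s.sasl_authenticated,
}
REJECTS = {
    "reject": lambda s: True,
    "reject_unauth_destination": lambda s: s.recipient_domain not in AUTHORISED_DOMAINS,
    "reject_non_fqdn_helo_hostname": lambda s: not _fqdn_or_literal(s.helo),
}

def parse_list(value):
    """Postfix accepts commas and/or whitespace as list separators."""
    return value.replace(",", " ").split()

def effective_restrictions(main_cf, overrides):
    """A service inherits every main.cf value; a -o override replaces the whole parameter,
    so '-o smtpd_helo_restrictions=' yields an empty list, which means permit."""
    return {c: parse_list(overrides.get(f"smtpd_{c}_restrictions",
                                        main_cf.get(f"smtpd_{c}_restrictions", "")))
            for c in CLASSES}

def evaluate_list(restrictions, s):
    """Walk one list in order: the first permit or reject wins, running off the end is an
    implicit permit, and warn_if_reject turns the next reject into a warning and keeps going."""
    warn = False
    for r in restrictions:
        if r == "warn_if_reject":
            warn = True
            continue
        if r in PERMITS:
            verdict = "permit" if PERMITS[r](s) else None
        elif r in REJECTS:
            verdict = "reject" if REJECTS[r](s) else None
        else:
            raise NotImplementedError(f"{r!r} is not modelled here")
        if verdict == "reject" and warn:
            verdict = None  # Postfix logs reject_warning and carries on
        warn = False
        if verdict:
            return verdict, r
    return "permit", "end of list"

def decide(main_cf, overrides, session):
    """Accept only if every smtpd_*_restrictions class permits the mail."""
    eff = effective_restrictions(main_cf, overrides)
    for c in CLASSES:
        verdict, why = evaluate_list(eff[c], session)
        if verdict == "reject":
            return "reject", f"smtpd_{c}_restrictions: {why}"
    return "permit", "all classes passed"

# Constructed main.cf variants: AUTH_ON_25 prepends permit_mynetworks, permit_sasl_authenticated
# everywhere; NO_AUTH_ON_25 drops AUTH from port 25; OPEN_RELAY keeps reject_unauth_destination
# only behind warn_if_reject and has nothing in smtpd_relay_restrictions.
AUTH_ON_25 = {
    "smtpd_helo_restrictions": "permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_helo_hostname, permit",
    "smtpd_recipient_restrictions": "permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, permit",
    "smtpd_relay_restrictions": "permit_mynetworks permit_sasl_authenticated reject_unauth_destination",
}
NO_AUTH_ON_25 = {
    "smtpd_helo_restrictions": "reject_non_fqdn_helo_hostname",
    "smtpd_recipient_restrictions": "permit_mynetworks, reject_unauth_destination",
    "smtpd_relay_restrictions": "permit_mynetworks, reject_unauth_destination",
}
OPEN_RELAY = {"smtpd_recipient_restrictions": "permit_mynetworks, warn_if_reject reject_unauth_destination"}

# Constructed master.cf submission overrides: client class only, versus every class set explicitly.
MINIMAL_SUBMISSION = {"smtpd_client_restrictions": "permit_sasl_authenticated,reject"}
EXPLICIT_SUBMISSION = dict(MINIMAL_SUBMISSION, smtpd_helo_restrictions="", smtpd_sender_restrictions="",
                           smtpd_recipient_restrictions="permit_sasl_authenticated,reject",
                           smtpd_relay_restrictions="permit_sasl_authenticated,reject")

ROAMING_USER = Session("203.0.113.10", "laptop", True, "remote.example")  # authenticated, bare HELO
STRANGER = Session("198.51.100.7", "mx.elsewhere.example", False, "remote.example")

if __name__ == "__main__":
    print(decide(NO_AUTH_ON_25, MINIMAL_SUBMISSION, ROAMING_USER))  # AUTH user bounced by the HELO check
```

Run the scenarios and the thread's points fall out: on port 25 the STRANGER relaying to remote.example is stopped by reject_unauth_destination in smtpd_relay_restrictions, while with OPEN_RELAY (the check present only behind warn_if_reject) the same mail is accepted; the ROAMING_USER with the minimal submission override is fine while main.cf still starts every class with permit_sasl_authenticated, but the moment main.cf stops allowing AUTH on port 25 the inherited reject_non_fqdn_helo_hostname rejects them, and only the explicit per-class overrides bring them back.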