I know. "check_sender_access" does always check MAIL_FROM, regardless of in
which access context they are in. (else it would be check_recipient_access
or check_client_access)
smtpd_recipient_restrictions can contain "sender" rejections too, like
"reject_unknown_sender_domain".
But a sender access policy cannot contain a recipient policy (like
reject_unauth_destination) because MAIL_FROM comes before RCPT_TO (unless
smtpd_delay_reject is set to yes)
Did test the policy carefully both using an external tool (that queries the
server externally) and internally, and all test cases did pass through with
the result I wanted.
This tool is GREAT to test complex relay restrictions:
http://smtper.nanogenesis.fr/
Of course, I will never put anything else than something I want to relay, in
the "access" file, eg only "permit_mynetworks" and such.
-----Original Message-----
From: Viktor Dukhovni
Sent: Wednesday, May 07, 2014 8:10 PM
To: [email protected]
Subject: Re: Configure postfix to reject forged mail?
On Wed, May 07, 2014 at 07:58:26PM +0200, Sebastian Nielsen wrote:
Works EXCELLENTLY. Did fine-tune it a little bit, but then it works
excellently now.
The fine-tuning makes it likely that your system will be an open
relay some day. I chose smtpd_sender_restrictions for this
deliberately. Do NOT use sender-based whitelisting in relay
restrictions.
smtpd_relay_restrictions = check_sender_access hash:/etc/postfix/access,
    reject_unauth_destination
smtpd_recipient_restrictions = reject_unknown_sender_domain,
    reject_unknown_recipient_domain, reject_unauth_pipelining,
    check_sender_access hash:/etc/postfix/access, reject_unauth_destination
smtpd_sender_restrictions = reject_unknown_sender_domain,
    check_sender_access hash:/etc/postfix/access
mynetworks = 127.0.0.0/8 192.168.0.0/16
/etc/postfix/access:
sebbe.eu permit_mynetworks, reject
DO NOT use a single generic access(5) file for semantically different
access checks. Sender lookups are not recipient lookups are not
client lookups, ...
I used an access table dedicated to sender policy. The fine-tuning
removed all the carefully considered safety measures.
--
Viktor.
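
Added example, not part of either message above: a small Python lint for the concern raised in the quoted reply, namely that a sender-keyed access table evaluated ahead of reject_unauth_destination turns any accepting entry into relay authorization. The main.cf text is copied from the thread with continuation lines indented; the `partner.example OK` entry and all function names are constructed for illustration.

```python
import re

RELAY_LISTS = ("smtpd_relay_restrictions", "smtpd_recipient_restrictions")
# Constructed sample: main.cf lines from the thread, continuation lines indented.
MAIN_CF = """\
smtpd_relay_restrictions = check_sender_access hash:/etc/postfix/access,
    reject_unauth_destination
smtpd_recipient_restrictions = reject_unknown_sender_domain,
    reject_unknown_recipient_domain, reject_unauth_pipelining,
    check_sender_access hash:/etc/postfix/access, reject_unauth_destination
smtpd_sender_restrictions = reject_unknown_sender_domain,
    check_sender_access hash:/etc/postfix/access
"""
ACCESS_TODAY = "sebbe.eu permit_mynetworks, reject\n"
ACCESS_LATER = ACCESS_TODAY + "partner.example OK\n"  # hypothetical later edit (constructed)

def parse_main_cf(text):
    """Map each parameter to its tokens; indented lines continue the previous one."""
    params, name = {}, None
    for line in (l for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#")):
        if line[0].isspace() and name:
            params[name] += " " + line
        elif "=" in line:
            name, _, value = (p.strip() for p in line.partition("="))
            params[name] = value
    return {k: [t for t in re.split(r"[,\s]+", v) if t] for k, v in params.items()}

def sender_tables_before_relay_check(params):
    """(parameter, table) pairs where check_sender_access precedes reject_unauth_destination."""
    hits = []
    for name in RELAY_LISTS:
        tokens = params.get(name, [])
        for i, tok in enumerate(tokens):
            if tok == "reject_unauth_destination":
                break
            if tok == "check_sender_access" and i + 1 < len(tokens):
                hits.append((name, tokens[i + 1]))
    return hits

def unconditional_accepts(access_text):
    """Keys whose action accepts outright: OK, an all-numeric result, or permit."""
    keys = []
    for line in access_text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and not line.startswith("#"):
            action = re.split(r"[,\s]+", parts[1])[0]
            if action.upper() == "OK" or action.isdigit() or action == "permit":
                keys.append(parts[0])
    return keys
```

Run `sender_tables_before_relay_check(parse_main_cf(MAIN_CF))` to list the exposed tables, then `unconditional_accepts()` on each table's source text; any key it returns is accepted before the destination check for every client that supplies that sender address.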