li...@rhsoft.net wrote:
In general: the output of postconf -n is missing.
Yes, of course — I forgot to add it. This is for one of our two gateways that I
need to set this up on:
root@mx2:~ # postconf -n
address_verify_map = btree:$data_directory/verify
address_verify_negative_cache = no
address_verify_poll_count = 1
alias_maps = hash:/usr/local/etc/postfix/aliases
bounce_queue_lifetime = 1d
broken_sasl_auth_clients = yes
canonical_maps = ldap:/usr/local/etc/postfix/ldap/canonical.cf
command_directory = /usr/local/sbin
config_directory = /usr/local/etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/local/libexec/postfix
data_directory = /var/db/postfix
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
xxgdb $daemon_directory/$process_name $process_id & sleep 5
delay_warning_time = 4h
disable_vrfy_command = yes
greylisting = permit_sasl_authenticated, permit_mynetworks,
check_client_access cidr:/usr/local/etc/postfix/relay_clients,
check_client_access ldap:/usr/local/etc/postfix/ldap/relay_clients.cf,
check_client_access hash:/usr/local/etc/postfix/client_checks,
check_helo_access hash:/usr/local/etc/postfix/helo_checks,
reject_invalid_hostname, reject_non_fqdn_sender,
reject_non_fqdn_recipient, reject_unknown_sender_domain,
reject_unknown_recipient_domain, reject_non_fqdn_sender,
reject_non_fqdn_recipient, reject_rhsbl_reverse_client dbl.spamhaus.org,
reject_rhsbl_sender dbl.spamhaus.org, reject_rhsbl_client
dbl.spamhaus.org, reject_rbl_client b.barracudacentral.org,
reject_rbl_client zen.spamhaus.org, reject_rbl_client
cidr.bl.mcafee.com, check_recipient_access
pcre:/usr/local/etc/postfix/recipient_checks.pcre,
check_recipient_access ldap:/usr/local/etc/postfix/ldap/verification.cf,
check_policy_service inet:127.0.0.1:10023
html_directory = /usr/local/share/doc/postfix
inet_protocols = ipv4
mail_name = WebTent ESMTP Postfix Internet Mail Exchange
mailbox_size_limit = 102400000
mailq_path = /usr/local/bin/mailq
manpage_directory = /usr/local/man
maximal_backoff_time = 1000s
maximal_queue_lifetime = 1d
message_size_limit = 51200000
milter_default_action = accept
mynetworks = 127.0.0.0/8, x.x.x.0/26, x.y.z.0/27
newaliases_path = /usr/local/bin/newaliases
non_smtpd_milters = $smtpd_milters
readme_directory = /usr/local/share/doc/postfix
relay_domains = ldap:/usr/local/etc/postfix/ldap/transport.cf
restrictive = permit_sasl_authenticated, permit_mynetworks,
check_client_access cidr:/usr/local/etc/postfix/relay_clients,
check_client_access ldap:/usr/local/etc/postfix/ldap/relay_clients.cf,
check_client_access hash:/usr/local/etc/postfix/client_checks,
check_helo_access hash:/usr/local/etc/postfix/helo_checks,
reject_invalid_hostname, reject_non_fqdn_recipient,
reject_unknown_sender_domain, reject_unknown_recipient_domain,
reject_non_fqdn_sender, reject_non_fqdn_recipient,
reject_rhsbl_reverse_client dbl.spamhaus.org, reject_rhsbl_sender
dbl.spamhaus.org, reject_rhsbl_client dbl.spamhaus.org,
reject_rbl_client b.barracudacentral.org, reject_rbl_client
zen.spamhaus.org, reject_rbl_client cidr.bl.mcafee.com,
check_recipient_access
pcre:/usr/local/etc/postfix/recipient_checks.pcre,
check_recipient_access ldap:/usr/local/etc/postfix/ldap/verification.cf,
sample_directory = /usr/local/etc/postfix
sendmail_path = /usr/local/sbin/sendmail
setgid_group = maildrop
smtpd_banner = $myhostname $mail_name USE OF THIS SERVER INDICATES THAT
YOU HAVE READ AND AGREED TO OUR AUP. UCE IS NOT ALLOWED.
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_milters = inet:127.0.0.1:8891
smtpd_recipient_restrictions = check_recipient_access
ldap:/usr/local/etc/postfix/ldap/class.cf permit
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated,
check_client_access ldap:/usr/local/etc/postfix/ldap/relay_clients.cf,
defer_unauth_destination
smtpd_restriction_classes = restrictive, greylisting
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_path = smtpd
smtpd_sasl_security_options = noanonymous
smtpd_sender_restrictions = check_client_access
hash:/usr/local/etc/postfix/client_checks, check_sender_access
hash:/usr/local/etc/postfix/sender_access, reject_unknown_sender_domain,
reject_non_fqdn_sender, reject_unknown_address, check_sender_access
ldap:/usr/local/etc/postfix/ldap/verification-sender.cf
smtpd_tls_CAfile = /usr/local/etc/postfix/ssl/cacert.pem
smtpd_tls_cert_file = /usr/local/etc/postfix/ssl/postfix_public_cert.pem
smtpd_tls_key_file = /usr/local/etc/postfix/ssl/postfix_private_key.pem
smtpd_tls_loglevel = 2
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:$data_directory/smtpd_scache
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
transport_maps = ldap:/usr/local/etc/postfix/ldap/transport.cf
unknown_local_recipient_reject_code = 550
unverified_recipient_reject_code = 550
unverified_sender_reject_code = 550
In the case of this problem: don't allow sender addresses for which you would not
accept incoming mail (that is a general rule for a sane MTA setup), and use
"reject_authenticated_sender_login_mismatch" *before*
permit_sasl_authenticated.
Will this work, given that I have users who relay by IP address listed in an
LDAP ipHost? Would those users no longer be allowed to send without auth?
P.S.: you did something terribly wrong, because replying to your message
results in 4 URIBL hits!
URIBL_BLACK
URIBL_DBL_SPAM
URIBL_JP_SURBL
URIBL_WS_SURBL
Thanks! I'm sending and receiving these list messages from an office
server that I'm sure is locked down very well. Our ISP recently changed our
IP, but this list is URI-based, so it would be matching on my domain webtent.org? I tried a
lookup at uribl.com and did not find it listed.
--
Robert