On Thu, Sep 03, 2015 at 03:05:07PM +0200, Tomas Macek wrote:
> submission inet n - n - - smtpd
>   -o smtpd_etrn_restrictions=reject
>   -o smtpd_sasl_auth_enable=yes
>   -o content_filter=smtp-amavis:[127.0.0.1]:10024
>   -o syslog_name=submission
>   -o receive_override_options=no_header_body_checks
>   -o smtpd_tls_security_level=encrypt
>   -o smtpd_tls_loglevel=1
>   -o smtpd_timeout=${stress?10}${stress:30}
>   -o smtpd_junk_command_limit=${stress?2}${stress:20}
>   -o smtpd_soft_error_limit=${stress?5}${stress:5}
>   -o smtpd_hard_error_limit=${stress?7}${stress:7}
>   -o smtpd_starttls_timeout=${stress?7}${stress:60}
>   -o address_verify_poll_count=${stress?1}${stress:3}
>   -o smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,permit_auth_destination,reject

Your mistake is overriding "smtpd_client_restrictions", you should
override "smtpd_recipient_restrictions", which is where anti-relay
control is implemented in Postfix. Also you SHOULD NOT include
'permit_auth_destination' on the submission port. Whether amavis
is appropriate for submission is your call (I see you've disabled header
and body checks).

    -o smtpd_client_restrictions=
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
    -o smtpd_data_restrictions=
    -o smtpd_end_of_data_restrictions=
    # Uncomment For Postfix 2.10 or later
    # -o smtpd_relay_restrictions=

The stock master.cf file distributed with Postfix source contains:

    #submission inet n - n - - smtpd
    #  -o syslog_name=postfix/submission
    #  -o smtpd_tls_security_level=encrypt
    #  -o smtpd_sasl_auth_enable=yes
    #  -o smtpd_reject_unlisted_recipient=no
    #  -o smtpd_client_restrictions=$mua_client_restrictions
    #  -o smtpd_helo_restrictions=$mua_helo_restrictions
    #  -o smtpd_sender_restrictions=$mua_sender_restrictions
    #  -o smtpd_recipient_restrictions=
    #  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
    #  -o milter_macro_daemon_name=ORIGINATING

That's usually the best starting point for further customization.
Note that this uses indirection via "mua_*_restrictions" to leave
the actual definitions up to main.cf, and should perhaps do likewise
for "data" and "end_of_data" restrictions. Because this is taken
from Postfix 3.1 (snapshot) it uses "relay" rather than "recipient"
restrictions.
You might find similar commented-out content in $daemon_directory/master.cf
for your Postfix version.
--
Viktor.
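
An added example, not part of the original message and not code from Postfix: a small lint that reads a master.cf service entry and reports the two problems the reply above points out (no recipient/relay restrictions override, and permit_auth_destination on the submission service). The function names and the abridged sample entries are constructed for illustration; it assumes override values contain no whitespace.

```python
import re

# Constructed samples, abridged from the two submission entries in the thread.
QUOTED = """\
submission inet n - n - - smtpd
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_security_level=encrypt
  -o smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,permit_auth_destination,reject
"""
SUGGESTED = """\
submission inet n - n - - smtpd
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_security_level=encrypt
  -o smtpd_client_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
"""
ANTI_RELAY = ("smtpd_relay_restrictions", "smtpd_recipient_restrictions")

def service_overrides(master_cf, service="submission"):
    """Return the {parameter: value} '-o' overrides of one master.cf service."""
    entry, active = [], False
    for line in master_cf.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue                      # blank line or comment
        if not line[0].isspace():         # unindented line starts a new service
            active = line.split()[0] == service
        if active:                        # indented lines continue the entry
            entry.append(line)
    return dict(re.findall(r"-o\s+(\w+)=(\S*)", "\n".join(entry)))

def audit(master_cf, service="submission"):
    """Return findings for the two problems the reply points out."""
    overrides = service_overrides(master_cf, service)
    findings = []
    if not any(overrides.get(p) for p in ANTI_RELAY):
        findings.append("no recipient/relay restrictions override")
    for name, value in overrides.items():
        if "permit_auth_destination" in re.split(r"[,\s]+", value):
            findings.append("permit_auth_destination in " + name)
    return findings

if __name__ == "__main__":
    for label, text in (("quoted", QUOTED), ("suggested", SUGGESTED)):
        print(label, audit(text) or "ok")
```
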