On Thu, Sep 03, 2015 at 03:05:07PM +0200, Tomas Macek wrote:
> submission inet n - n - - smtpd
>   -o smtpd_etrn_restrictions=reject
>   -o smtpd_sasl_auth_enable=yes
>   -o content_filter=smtp-amavis:[127.0.0.1]:10024
>   -o syslog_name=submission
>   -o receive_override_options=no_header_body_checks
>   -o smtpd_tls_security_level=encrypt
>   -o smtpd_tls_loglevel=1
>   -o smtpd_timeout=${stress?10}${stress:30}
>   -o smtpd_junk_command_limit=${stress?2}${stress:20}
>   -o smtpd_soft_error_limit=${stress?5}${stress:5}
>   -o smtpd_hard_error_limit=${stress?7}${stress:7}
>   -o smtpd_starttls_timeout=${stress?7}${stress:60}
>   -o address_verify_poll_count=${stress?1}${stress:3}
>   -o smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,permit_auth_destination,reject
Your mistake is overriding "smtpd_client_restrictions", you should
override "smtpd_recipient_restrictions", which is where anti-relay
control is implemented in Postfix. Also you SHOULD NOT include
'permit_auth_destination' on the submission port. Whether amavis
is appropriate for submission is your call (I see you've disabled header
and body checks).
  -o smtpd_client_restrictions=
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
  -o smtpd_data_restrictions=
  -o smtpd_end_of_data_restrictions=
  # Uncomment For Postfix 2.10 or later
  # -o smtpd_relay_restrictions=
The stock master.cf file distributed with Postfix source contains:
#submission inet n - n - - smtpd
#  -o syslog_name=postfix/submission
#  -o smtpd_tls_security_level=encrypt
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=
#  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
That's usually the best starting point for further customization.
Note that this uses indirection via "mua_*_restrictions" to leave
the actual definitions up to main.cf, and should perhaps do likewise
for "data" and "end_of_data" restrictions. Because this is taken
from Postfix 3.1 (snapshot) it uses "relay" rather than "recipient"
restrictions.
You might find similar commented-out content in
$daemon_directory/master.cf
for your Postfix version.
--
Viktor.
I apologize that I'm not following the original thread, because I
accidentally removed the original message. I'm sorry.
Here is the result cfg:
submission inet n - n - - smtpd
  -o smtpd_etrn_restrictions=reject
  -o smtpd_sasl_auth_enable=yes
  -o content_filter=smtp-amavis:[127.0.0.1]:10024
  -o syslog_name=submission
  -o receive_override_options=no_header_body_checks
  -o smtpd_tls_security_level=may
  -o smtpd_tls_loglevel=1
  -o smtpd_timeout=${stress?10}${stress:30}
  -o smtpd_junk_command_limit=${stress?2}${stress:20}
  -o smtpd_soft_error_limit=${stress?5}${stress:5}
  -o smtpd_hard_error_limit=${stress?7}${stress:7}
  -o smtpd_starttls_timeout=${stress?7}${stress:60}
  -o address_verify_poll_count=${stress?1}${stress:3}
  -o smtpd_client_restrictions=
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=check_recipient_access,hash:/etc/postfix/block_localhost,check_policy_service,inet:127.0.0.1:24575,permit_mynetworks,permit_sasl_authenticated,reject
  -o smtpd_data_restrictions=
  -o smtpd_end_of_data_restrictions=
Hope this is much better, but still any comments appreciated!
I still left the Amavis check in; if I remove it, I will also remove the
"content_filter" and "receive_override_options=no_header_body_checks".
This allows Amavis to see the message untouched, as it came into the
system.
I added the "check_recipient_access,hash:/etc/postfix/block_localhost" -
this contains an access table that should prevent anyone from mailing to
root@localhost and some other similar destinations. Some strange clients
do it.
The "check_policy_service,inet:127.0.0.1:24575" is a per-client-IP counter
that counts how many emails were sent by a particular IP address in the last X
seconds. It sometimes helps to report a misused client and/or password
and some other things. Maybe this should rather be added to
smtpd_client_restrictions?
Many thanks, Tomas
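A minimal version of the per-client-IP counter that Tomas's "check_policy_service,inet:127.0.0.1:24575" points at, written as an added example for this thread (it is not Tomas's service and not part of Postfix). It speaks the Postfix policy delegation protocol (attribute=value lines ending in a blank line, answered with "action=..." and a blank line); because the check sits in smtpd_recipient_restrictions, Postfix consults it once per RCPT TO, so that is what gets counted. The window length, the limit and the defer text are assumed values.

```python
import socketserver, threading, time
from collections import defaultdict, deque

WINDOW_SECONDS = 300           # assumed value for "last X seconds"
MAX_PER_WINDOW = 30            # assumed per-client-IP limit inside that window
LISTEN = ("127.0.0.1", 24575)  # the inet: endpoint from the thread's master.cf

def parse_policy_request(text):
    # Postfix sends attribute=value lines; an empty line ends one request.
    attrs = {}
    for line in text.splitlines():
        if not line:
            break
        key, sep, value = line.partition("=")
        if sep:
            attrs[key] = value
    return attrs

class RateCounter:
    # Sliding-window count of policy requests (one per RCPT TO) per client IP.
    def __init__(self, window=WINDOW_SECONDS, limit=MAX_PER_WINDOW):
        self.window, self.limit = window, limit
        self.events, self.lock = defaultdict(deque), threading.Lock()
    def decide(self, client_ip, now=None):
        # Returns the Postfix action: DUNNO under the limit, otherwise a temporary defer.
        now = time.monotonic() if now is None else now
        with self.lock:
            seen = self.events[client_ip]
            while seen and now - seen[0] > self.window:  # expire old timestamps
                seen.popleft()
            seen.append(now)
            over = len(seen) > self.limit
        return "DEFER_IF_PERMIT Too many messages from your address" if over else "DUNNO"

COUNTER = RateCounter()
class PolicyHandler(socketserver.StreamRequestHandler):
    def handle(self):
        while True:  # Postfix may reuse the connection for several requests
            lines = []
            while (line := self.rfile.readline()) not in (b"\n", b"\r\n"):
                if not line:  # peer closed the connection
                    return
                lines.append(line.decode("utf-8", "replace").rstrip("\r\n"))
            attrs = parse_policy_request("\n".join(lines))
            action = COUNTER.decide(attrs.get("client_address", "unknown"))
            self.wfile.write(f"action={action}\n\n".encode())

if __name__ == "__main__":
    with socketserver.ThreadingTCPServer(LISTEN, PolicyHandler) as srv:
        srv.serve_forever()
```

Pairing the counter with sasl_username from the same request, rather than client_address alone, is what makes a leaked password show up as a single busy account across many client addresses.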