On Fri, 4 Sep 2015, Tomas Macek wrote:

On Fri, 4 Sep 2015, Viktor Dukhovni wrote:

 On Fri, Sep 04, 2015 at 09:44:50AM +0200, Tomas Macek wrote:

>  Here is the result cfg:
>  submission inet n - n - - smtpd
>          -o smtpd_etrn_restrictions=reject
>          -o smtpd_sasl_auth_enable=yes
>          -o content_filter=smtp-amavis:[127.0.0.1]:10024
>          -o syslog_name=submission
>          -o receive_override_options=no_header_body_checks
>          -o smtpd_tls_security_level=may

 Why "may", rather than "encrypt"?

Oops, that setting was there because of testing. I'm sometimes putting the SMTP commands to the telnet cmd line. This will be changed for sure.

>          -o smtpd_client_restrictions=
>          -o smtpd_helo_restrictions=
>          -o smtpd_sender_restrictions=
>          -o smtpd_recipient_restrictions=check_recipient_access,hash:/etc/postfix/block_localhost,check_policy_service,inet:127.0.0.1:24575,permit_mynetworks,permit_sasl_authenticated,reject

 Why not set this to "$mua_recipient_restrictions", and define the
 latter in main.cf?

Fine, thanks, I'll change it.

>  The "check_policy_service,inet:127.0.0.1:24575" is per client IP counter,
>  that counts how many emails were sent by particular IP address in last X
>  seconds. It sometimes helps to report misused client and/or password and
>  some other things. Maybe this should be added rather to the
>  smtpd_client_restrictions?

 Client IPs are not so interesting in botnets, much better to
 aggregate by SASL login name (and rate limit potentially compromised
 accounts).


OK, thanks, I'll think about it.

Thank you for help!
Tomas

Hi, now I'm using the above configuration and I'm trying to better set up the
smtpd_sender_restrictions option. I tried it already with this:

-o smtpd_sender_restrictions=reject

or like this:

-o smtpd_sender_restrictions=reject_unknown_sender_domain

which, according to the documentation, should mean that when someone puts a bad MAIL FROM domain part, it's rejected. But on my system it isn't, and I can't see why.

The first example should reject any mail after any "mail from:", the
second should reject mail from any bogus domain. In both cases my system
says "250 2.1.0 Ok" like when the smtpd_sender_restrictions option was
skipped.

Does anyone have any ideas?

Regards, Tomas
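
Viktor's suggestion above, to aggregate by SASL login name rather than client IP, sketched as the decision logic of a Postfix policy-delegation handler. This is an added example, not code from the thread or from the poster's policy service; the window, threshold, class and function names and the sample request are assumptions.

```python
import time
from collections import defaultdict, deque

WINDOW_SECONDS = 60  # assumed value for the "last X seconds" in the thread
MAX_PER_WINDOW = 3   # assumed threshold, kept low so the effect is visible

# Constructed sample request in policy-delegation format (not from the thread).
SAMPLE = ("request=smtpd_access_policy\nprotocol_state=RCPT\n"
          "client_address=192.0.2.10\nsasl_username=alice\n\n")

class RateLimiter:
    """Sliding-window counter keyed by SASL login, falling back to client IP."""
    def __init__(self, window=WINDOW_SECONDS, limit=MAX_PER_WINDOW):
        self.window, self.limit = window, limit
        self.events = defaultdict(deque)

    def key_for(self, attrs):
        # Keying on the login throttles a compromised account even when
        # a botnet spreads its submissions over many client addresses.
        user = attrs.get("sasl_username", "")
        if user:
            return "sasl:" + user.lower()
        return "ip:" + attrs.get("client_address", "unknown")

    def decide(self, attrs, now=None):
        # Called from smtpd_recipient_restrictions, so each RCPT TO counts once.
        now = time.time() if now is None else now
        q = self.events[self.key_for(attrs)]
        while q and q[0] <= now - self.window:
            q.popleft()  # drop events that fell out of the window
        if len(q) >= self.limit:
            return "DEFER_IF_PERMIT Sending rate limit exceeded"
        q.append(now)
        return "DUNNO"

def parse_request(text):
    """Parse one request: name=value lines terminated by an empty line."""
    attrs = {}
    for line in text.splitlines():
        if not line:
            break
        name, _, value = line.partition("=")
        attrs[name] = value
    return attrs

def handle(limiter, text, now=None):
    """Return the wire-format reply Postfix expects for one request."""
    attrs = parse_request(text)
    if attrs.get("request") != "smtpd_access_policy":
        return "action=DUNNO\n\n"
    return "action=" + limiter.decide(attrs, now) + "\n\n"
```
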
