Re: smtp_relay_restrictions

Thu, 07 Apr 2016 06:01:35 -0700 

follow-up:
If I put anything other than, at a minimum, permit_sasl_authenticated I get the following error message - 


/Apr  7 08:53:52 bilbo postfix/submission/smtpd[15279]: fatal: in 
parameter smtpd_relay_restrictions or smtpd_recipient_restrictions, 
specify at least one wor//king instance of: reject_unauth_destination, 
defer_unauth_destination, reject, defer, defer_if_permit or 
check_relay_domains/



On 2016-04-07 8:44 AM, John Allen wrote:



I am trying to work out what parameters to add to 
/smtpd_relay_restrictions, /both in main.cf and master.cf.


 1. We do not allow relaying by any means!
 2. In-house users must be registered, use our domains and port 587
    (submission) to send.

    I use /check_sender_access/ with a table in the form "example.com 
    permit_sasl_authenticated, reject" to enforce these rules (thanks

    to a Sebastian Nielsen for the idea) in the submission section of
    master.cf.
 3. We accept mail from the rest of the world on port 25 (smtp).


Currently in main.cf I have reject_unauth_destination as the only 
parameter of smtpd_relay_restrictions.



In master.cf I have had to add permit_sasl_authenticated, reject to 
the smtpd_relay_restrictions, this seems to be odd as I am using a 
more "restrictive" version of this in recipient_ restrictions. If I 
leave it blank/unset all mail on 587 gets rejected with "*/An error 
occurred while sending mail. The mail server responded: /**/5.7.1 
<j...@klam.ca>: Recipient address rejected: Access denied. /**/Please 
check the message recipient "j...@klam.ca" and try again.



/*What would be a*//*/better/ set of parameter for both main.cf and 
master.cf.



=======main.cf========*//
*alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
bounce_size_limit = 65536
compatibility_level = 2
content_filter = smtp-amavis:[127.0.0.1]:10024
default_process_limit = 20
delay_warning_time = 12h
disable_vrfy_command = yes
header_size_limit = 32768
home_mailbox = Maildir/
html_directory = /usr/share/doc/postfix/html
inet_protocols = ipv4, ipv6
mailbox_transport = lmtp:unix:private/dovecot-lmtp
message_size_limit = 32768000
mime_header_checks = pcre:/etc/postfix/maps/mime_header_checks.pcre
mydestination = localhost, localhost.localdomain, localdomain
mydomain = klam.ca
myhostname = smtp.$mydomain
mynetworks = 127.0.0.0/8, [::1]/128
myorigin = $mydomain
postscreen_access_list = permit_mynetworks
postscreen_bare_newline_action = enforce
postscreen_bare_newline_enable = yes
postscreen_blacklist_action = drop
postscreen_disable_vrfy_command = $disable_vrfy_command
postscreen_dnsbl_action = enforce
postscreen_dnsbl_sites = zen.spamhaus.org*3 b.barracudacentral.org*2

    bl.spameatingmonkey.net*2 bl.ipv6.spameatingmonkey.net*2 
bl.spamcop.net

    dnsbl.sorbs.net psbl.surriel.com bl.mailspike.net swl.spamhaus.org*-4
    list.dnswl.org=127.[0..255].[0..255].0*-2
    list.dnswl.org=127.[0..255].[0..255].1*-3
    list.dnswl.org=127.[0..255].[0..255].[2..255]*-4
postscreen_dnsbl_threshold = 3
postscreen_dnsbl_whitelist_threshold = -1
postscreen_enforce_tls = $smtpd_enforce_tls
postscreen_greet_action = enforce
postscreen_helo_required = yes
postscreen_non_smtp_command_enable = yes
postscreen_pipelining_enable = yes
postscreen_use_tls = $smtpd_use_tls
readme_directory = /usr/share/doc/postfix
recipient_delimiter = +
relocated_maps = hash:/etc/postfix/maps/relocated
smtp_dns_support_level = dnssec
smtp_tls_ciphers = medium
smtp_tls_exclude_ciphers = DES, MD5, RC2, RC4, RC5, IDEA, SRP, PSK, aDSS,
    kECDhe, kECDhr, kDHd, kDHr, SEED, LOW, EXPORT
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
smtp_tls_protocols = !SSLv2, !SSLv3
smtp_tls_security_level = dane
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP
smtpd_client_restrictions = reject_unknown_reverse_client_hostname,
    reject_rbl_client zen.spamhaus.org, reject_rbl_client
    b.barracudacentral.org, reject_rbl_client bl.spameatingmonkey.net,
    reject_rbl_client bl.ipv6.spameatingmonkey.net, reject_rbl_client
    dnsbl.sorbs.net, reject_rbl_client bl.spamcop.net
smtpd_data_restrictions = reject_multi_recipient_bounce,
    reject_unauth_pipelining
smtpd_delay_reject = yes
smtpd_error_sleep_time = 5s
smtpd_etrn_restrictions = reject
smtpd_helo_required = yes
smtpd_helo_restrictions = reject_invalid_helo_hostname,
    reject_non_fqdn_helo_hostname, check_helo_access
    pcre:/etc/postfix/maps/helo_checks.pcre
smtpd_recipient_limit = 128
smtpd_recipient_restrictions = reject_non_fqdn_recipient,
    reject_unknown_recipient_domain, check_recipient_access
    pcre:/etc/postfix/maps/recipient_checks.pcre, check_recipient_access
    hash:/etc/postfix/maps/recipient_checks, check_policy_service
    inet:127.0.0.1:10023
smtpd_relay_restrictions = reject_unauth_destination
smtpd_sasl_auth_enable = no
smtpd_sender_restrictions = reject_non_fqdn_sender,
    reject_unknown_sender_domain, check_sender_access
    hash:/etc/postfix/maps/sender_checks
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /root/ssl/certs/$mydomain.mail.pem
smtpd_tls_ciphers = medium
smtpd_tls_exclude_ciphers = $smtp_tls_exclude_ciphers
smtpd_tls_key_file = /root/ssl/private/$mydomain.mail.key
smtpd_tls_mandatory_protocols = $smtp_tls_mandatory_protocols
smtpd_tls_protocols = $smtp_tls_protocols
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
strict_rfc821_envelopes = yes
transport_maps = hash:/etc/postfix/maps/transport
virtual_alias_maps = proxy:pgsql:/etc/postfix/sql/virtual_alias_map.sql,
    proxy:pgsql:/etc/postfix/sql/virtual_alias_domain_map.sql

virtual_mailbox_domains = 
proxy:pgsql:/etc/postfix/sql/virtual_domain_map.sql
virtual_mailbox_maps = 
proxy:pgsql:/etc/postfix/sql/virtual_mailbox_map.sql,

proxy:pgsql:/etc/postfix/sql/virtual_alias_domain_mailbox_map.sql
virtual_transport = lmtp:unix:private/dovecot-lmtp

=======main.cf========*//*

smtp       inet  n       -       n       -       1 postscreen
smtpd      pass  -       -       n       -       -       smtpd
    -o cleanup_service_name=pre-cleanup
pickup     fifo  n       -       n       60      1       pickup
    -o cleanup_service_name=pre-cleanup
submission inet  n       -       n       -       30      smtpd
    -o content_filter=smtp-amavis:[127.0.0.1]:10026
    -o syslog_name=postfix/submission
    -o smtpd_tls_security_level=encrypt
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_sasl_type=dovecot
    -o smtpd_sasl_path=private/dovecot-auth
    -o smtpd_sasl_local_domain=$mydomain
    -o broken_sasl_auth_clients=yes
    -o smtpd_sasl_authenticated_header=yes
    -o smtpd_client_restrictions=
    -o smtpd_data_restrictions=
    -o smtpd_etrn_restrictions=reject
    -o smtpd_helo_restrictions=

    -o {smtpd_recipient_restrictions=check_sender_access 
hash:/etc/postfix/maps/submission_access}

    -o {smtpd_relay_restrictions=permit_sasl_authenticated, reject}
    -o smtpd_sender_restrictions=
    -o smtpd_client_connection_count_limit=15
    -o smtpd_client_connection_rate_limit=80
    -o smtpd_delay_reject=yes
    -o cleanup_service_name=pre-cleanup
qmgr       fifo  n       -       n       300     1       qmgr
tlsmgr     unix  -       -       n       1000?   1       tlsmgr
rewrite    unix  -       -       n       -       - trivial-rewrite
bounce     unix  -       -       n       -       0       bounce
defer      unix  -       -       n       -       0       bounce
trace      unix  -       -       n       -       0       bounce
verify     unix  -       -       n       -       1       verify
flush      unix  n       -       n       1000?   0       flush
proxymap   unix  -       -       n       -       -       proxymap
proxywrite unix  -       -       n       -       1       proxymap
smtp       unix  -       -       n       -       -       smtp
    -o smtp_bind_address=74.116.186.178
    -o smtp_bind_address6=2606:6d00:100:4301::1:200
relay      unix  -       -       n       -       -       smtp
showq      unix  n       -       n       -       -       showq
error      unix  -       -       n       -       -       error
retry      unix  -       -       n       -       -       error
discard    unix  -       -       n       -       -       discard
local      unix  -       n       n       -       -       local
virtual    unix  -       n       n       -       -       virtual
lmtp       unix  -       -       n       -       -       lmtp
anvil      unix  -       -       n       -       1       anvil
scache     unix  -       -       n       -       1       scache
smtp-amavis unix -       -       n       -       4       smtp
    -o smtp_data_done_timeout=1200
    -o smtp_send_xforward_command=yes
    -o smtp_tls_note_starttls_offer=no
127.0.0.1:10025 inet n   -       n       -       -       smtpd
    -o content_filter=
    -o mynetworks=127.0.0.0/8
    -o smtpd_delay_reject=no
    -o smtpd_client_restrictions=permit_mynetworks,reject
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_relay_restrictions=permit_mynetworks,reject
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o smtpd_data_restrictions=reject_unauth_pipelining
    -o smtpd_end_of_data_restrictions=
    -o smtpd_restriction_classes=
    -o smtpd_error_sleep_time=0
    -o smtpd_soft_error_limit=1001
    -o smtpd_hard_error_limit=1000
    -o smtpd_client_connection_count_limit=0
    -o smtpd_client_connection_rate_limit=0
    -o local_header_rewrite_clients=
    -o local_recipient_maps=

    -o 
receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_milters

    -o smtpd_tls_security_level=none
    -o local_recipient_maps=
    -o relay_recipient_maps=
pre-cleanup unix n       -       n       -       0       cleanup
    -o virtual_alias_maps=
cleanup    unix  n       -       n       -       0       cleanup
    -o mime_header_checks=
    -o nested_header_checks=
    -o header_checks=
    -o body_checks=
dnsblog    unix  -       -       n       -       0       dnsblog
tlsproxy   unix  -       -       n       -       0       tlsproxy































					Reply via email to