On 7/19/2016 2:53 PM, Benny Pedersen wrote:
> sure, where is postconf -n ? :=)
>
> it's simple with postfix to reject own domains in postfix port 25, and
> require sasl auth on port 587 and port 465
>
> it does not really need spf

The server is *just* a spam-filtering relay. It does no authentication. Authenticated sending is done via the Exchange server ... which then relays through this pair of mail servers. Port 25 is all there is. Any email generated by local servers uses this pair of servers to send.

I do have a complete list of all valid local relay destination addresses, which gets autogenerated every 15 minutes. I do have logic in the autogeneration to limit the number of lines that can be deleted automatically, to prevent accidental errors. This list is used by relay_recipient_maps.

Yes, I know all about the evils of Exchange, but I don't get a choice in that department. That's what the company uses for corporate email accounts, and it's not going to change. I'm using postfix so that SMTP on Exchange is not exposed directly to the Internet.

Here's a slightly redacted postconf -n. I replaced our domain name with REDACTED and some public IP addresses with OBFUSCATED:

========================
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
body_checks = pcre:/etc/postfix/body_checks
bounce_queue_lifetime = 1d
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
disable_vrfy_command = yes
enable_long_queue_ids = yes
header_checks = pcre:/etc/postfix/header_checks
inet_interfaces = all
mailbox_size_limit = 524288000
maximal_queue_lifetime = 2d
message_size_limit = 52428800
mydestination = nexus1.REDACTED.com, localhost.REDACTED.com, localhost.localdomain, localhost
myhostname = nexus1.REDACTED.com
mynetworks = 10.2.1.39 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 OBFUSCATED/24 OBFUSCATED/24 OBFUSCATED/28 OBFUSCATED OBFUSCATED/23 OBFUSCATED OBFUSCATED OBFUSCATED OBFUSCATED
myorigin = /etc/mailname
postscreen_access_list = permit_mynetworks, cidr:/etc/postfix/client_access, cidr:/etc/postfix/postcreen_access,
postscreen_bare_newline_enable = no
postscreen_blacklist_action = drop
postscreen_dnsbl_action = enforce
postscreen_dnsbl_reply_map = pcre:/etc/postfix/postscreen_dnsbl_reply_map.pcre
postscreen_dnsbl_sites = zen.spamhaus.org*3 b.barracudacentral.org*2 bl.spameatingmonkey.net*2 bl.spamcop.net dnsbl.sorbs.net psbl.surriel.com bl.mailspike.net swl.spamhaus.org*-4 list.dnswl.org=127.[0..255].[0..255].0*-2 list.dnswl.org=127.[0..255].[0..255].1*-3 list.dnswl.org=127.[0..255].[0..255].[2..255]*-4
postscreen_dnsbl_threshold = 3
postscreen_dnsbl_ttl = 4h
postscreen_dnsbl_whitelist_threshold = -2
postscreen_greet_action = enforce
postscreen_non_smtp_command_enable = no
postscreen_pipelining_enable = no
readme_directory = no
recipient_delimiter = +
relay_domains = $mydestination, hash:/etc/postfix/local_domains
relay_recipient_maps = hash:/etc/postfix/relay_recipients
relayhost =
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
smtpd_client_connection_count_limit = 8
smtpd_client_connection_rate_limit = 12
smtpd_client_restrictions = permit_mynetworks, check_recipient_access hash:/etc/postfix/spam_lovers, check_client_access regexp:/etc/postfix/client_regexp, check_client_access cidr:/etc/postfix/client_access, reject_unknown_reverse_client_hostname reject_unknown_client_hostname
smtpd_data_restrictions = check_client_access cidr:/etc/postfix/rule_breakers, reject_unauth_pipelining, permit_mynetworks, reject_multi_recipient_bounce
smtpd_delay_reject = yes
smtpd_error_sleep_time = 15
smtpd_hard_error_limit = 5
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname
smtpd_recipient_restrictions = permit_mynetworks, sleep 2, check_recipient_access hash:/etc/postfix/spam_lovers, check_recipient_access hash:/etc/postfix/recipient_access, reject_non_fqdn_recipient, reject_unauth_destination, reject_unknown_recipient_domain, reject_unlisted_recipient,
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
smtpd_sender_restrictions = permit_mynetworks, check_recipient_access hash:/etc/postfix/spam_lovers, check_sender_access hash:/etc/postfix/sender_access, reject_non_fqdn_sender, reject_unknown_sender_domain
smtpd_soft_error_limit = 2
smtpd_tls_cert_file = /etc/ssl/certs/local/wildcard.combined.pem
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
transport_maps = hash:/etc/postfix/transport
virtual_alias_maps = hash:/etc/postfix/virtual
========================

Basically, if something doesn't pass permit_mynetworks, and the envelope sender (not the From: header) is an address with a domain name that's mentioned in hash:/etc/postfix/local_domains, I want to reject the message. Is that possible? If necessary, I could create a second copy of local_domains that has "reject" instead of "ok" on all lines.

Thanks,
Shawn
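The idea Shawn floats at the end of his message, a second copy of local_domains with "reject" instead of "ok", is exactly how a check_sender_access map does this in Postfix. The script below is an added example, not code from the thread or from Postfix; it assumes the local_domains file holds one "domain ok" entry per line (as the message implies) and uses constructed file paths and sample domains. It generates a sender-domain reject map from that file and shows, in a comment, the main.cf wiring that keeps permit_mynetworks first so Exchange and the other local servers are never affected.

```shell
#!/bin/sh
# Added example, not code from the original post or from Postfix. It derives a
# check_sender_access map from the existing local_domains file (assumed format:
# one "domain.example ok" per line) so that a client that did NOT already pass
# permit_mynetworks and whose envelope sender is in one of our own domains is
# rejected. Paths and sample domains are constructed for this example.
#
# Suggested main.cf wiring (permit_mynetworks stays first, so local servers and
# Exchange are unaffected; the generated map is checked before the hand-kept one):
#
#   smtpd_sender_restrictions =
#       permit_mynetworks,
#       check_sender_access hash:/etc/postfix/sender_domain_reject,
#       check_recipient_access hash:/etc/postfix/spam_lovers,
#       check_sender_access hash:/etc/postfix/sender_access,
#       reject_non_fqdn_sender,
#       reject_unknown_sender_domain

# Print "domain<TAB>REJECT ..." for each domain in a local_domains-style file.
# Blank lines and comment lines are skipped; only the first field (the domain)
# is used, so the trailing "ok" is irrelevant.
build_sender_reject_map() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }
        { printf "%s\tREJECT Envelope sender domain %s is local, external submission not accepted\n", $1, $1 }
    ' "$1"
}

# Regenerate the map atomically; meant to run from the same 15-minute job that
# rebuilds relay_recipients. "postmap" is the real Postfix tool; the paths are
# whatever the caller passes in.
regenerate_map() {
    src="$1"      # e.g. /etc/postfix/local_domains
    dst="$2"      # e.g. /etc/postfix/sender_domain_reject
    build_sender_reject_map "$src" > "$dst.tmp" && mv "$dst.tmp" "$dst" || return 1
    # postmap hash:"$dst"   # uncomment on a real Postfix host to build $dst.db
}

# Stand-alone demo on constructed input: run as "sh thisfile.sh demo".
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp -d)
    printf 'REDACTED.com ok\n# generated file, do not edit\nmail.REDACTED.com ok\n\n' > "$tmp/local_domains"
    regenerate_map "$tmp/local_domains" "$tmp/sender_domain_reject"
    cat "$tmp/sender_domain_reject"
    rm -rf "$tmp"
fi
```

Two caveats worth knowing before deploying something like this. First, a bare domain key in a check_sender_access map matches that domain and, with Postfix's default parent_domain_matches_subdomains, its subdomains as well, so one entry per registered domain is enough. Second, the null envelope sender used by bounces and delivery status notifications has no domain and is therefore never matched, which is what you want: legitimate bounces for mail the company sent still come in from the outside. Keeping the generated file separate from the hand-maintained sender_access map means the autogeneration job can overwrite it freely without clobbering manual entries.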