On Sun, 5 Feb 2017 12:44:07 +1300 Peter <pe...@pajamian.dhs.org> wrote:
> > http://www.postfix.org/SMTPD_ACCESS_README.html#danger
>
> The issue happens when you have a PERMIT result before other tests
> that you want to run that might result in REJECT. The PERMIT bypasses
> further tests.
>
> There are many solutions to this. One is to make sure not to use
> PERMIT unless you really do mean to bypass further restriction
> tests. Use DUNNO instead.

ok

> Another thing that helps is to keep your restrictions separate from
> your port 25 MX traffic vs your port 587 submission traffic. Don't
> put submission restrictions such as permit_sasl_authenticated or
> permit_mynetworks in main.cf or your smtp line in master.cf, and don't
> put restrictions that are meant for port 25 such as
> reject_unauth_destination in your submission line for master.cf. When
> you keep these separate then things become much easier to manage.

These are incoming mailservers, no MUAs connecting to these servers. I
have these particular settings now:

smtpd_relay_restrictions =
    permit_mynetworks
    reject_unauth_destination

smtpd_recipient_restrictions =
    reject_unauth_destination
    reject_unverified_recipient
    check_policy_service unix:private/policyd-spf

smtpd_sender_restrictions =
    reject_non_fqdn_sender
    reject_unknown_sender_domain
    check_sender_access hash:/etc/postfix/hash-tables/sender_access

Apart from that, I deinstalled postgrey and started to use postscreen,
which seems to be a good deal :) I use these settings, maybe someone
can comment on these:

postscreen_greet_action = ignore
postscreen_greet_banner = Spammers may talk now :)
postscreen_access_list = permit_mynetworks cidr:/etc/postfix/hash-tables/postscreen_access
postscreen_blacklist_action = enforce
postscreen_dnsbl_action = drop
postscreen_dnsbl_threshold = 1
postscreen_dnsbl_whitelist_threshold = -1
postscreen_dnsbl_sites = zen.spamhaus.org*2
    bl.spamcop.net*2
    list.dnswl.org=127.0.[0..255].0*-1
    list.dnswl.org=127.0.[0..255].1*-2
    list.dnswl.org=127.0.[0..255].2*-3
    list.dnswl.org=127.0.[0..255].3*-4
postscreen_pipelining_action = enforce
postscreen_pipelining_enable = yes
postscreen_non_smtp_command_action = enforce
postscreen_non_smtp_command_enable = yes
postscreen_bare_newline_action = enforce
postscreen_bare_newline_enable = yes

R.

-- 
richard lucassen
http://contact.xaq.nl/
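The two mechanisms discussed in this message can be checked offline with a small simulation. The Python below is an added example, not code from the thread or from Postfix. Part 1 models how an smtpd restriction list is evaluated (first PERMIT or REJECT ends the list, DUNNO falls through, end of list is an implicit PERMIT) and reproduces the SMTPD_ACCESS_README#danger case Peter described: an access-table "OK" ahead of reject_unknown_sender_domain. Part 2 parses the postscreen_dnsbl_sites value posted above and adds up the weights the way postconf(5) describes (one site entry counts at most once, filters of the form d.d.[a..b].d). No DNS is performed: the networks (192.0.2.0/24), the local domain example.org, the sender domain partner.example, the client addresses and the DNSBL replies are all constructed for the example, and the restriction functions are simplified stand-ins for the real ones.

```python
"""Added example, not code from the thread or from Postfix: simulates
(1) Postfix smtpd restriction-list evaluation and (2) postscreen DNSBL
scoring. No DNS is performed; all networks, domains and DNSBL replies
below are constructed sample data."""
import ipaddress
import re

PERMIT, REJECT, DUNNO = "PERMIT", "REJECT", "DUNNO"

# --- part 1: restriction-list evaluation -----------------------------------
MYNETWORKS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "192.0.2.0/24")]
MYDESTINATION = {"example.org"}  # hypothetical local domain

def evaluate_restrictions(restrictions, ctx):
    """Return (verdict, deciding test): first non-DUNNO wins, end == PERMIT."""
    for test in restrictions:
        verdict = test(ctx)
        if verdict != DUNNO:
            return verdict, test.__name__
    return PERMIT, "end-of-list"

def permit_mynetworks(ctx):
    ip = ipaddress.ip_address(ctx["client_ip"])
    return PERMIT if any(ip in net for net in MYNETWORKS) else DUNNO

def reject_unauth_destination(ctx):
    return DUNNO if ctx["recipient"].rpartition("@")[2] in MYDESTINATION else REJECT

def reject_unknown_sender_domain(ctx):
    # Real Postfix does an MX/A lookup; here the outcome is supplied in ctx.
    return DUNNO if ctx["sender_domain_resolves"] else REJECT

def check_sender_access(table):
    """Build a check_sender_access test from a {domain: action} map (the
    contents of a hash: table). OK means PERMIT, as in Postfix."""
    def check_sender_access(ctx):
        action = table.get(ctx["sender"].rpartition("@")[2], DUNNO)
        return PERMIT if action == "OK" else action
    return check_sender_access

def demo_permit_bypass():
    """SMTPD_ACCESS_README#danger: the sender domain does not resolve but is
    listed OK in the access table, so the later reject test never runs.
    Returns the verdicts for the OK table and for a DUNNO table."""
    ctx = {"client_ip": "203.0.113.9", "sender": "ceo@partner.example",
           "recipient": "bob@example.org", "sender_domain_resolves": False}
    with_ok = [check_sender_access({"partner.example": "OK"}), reject_unknown_sender_domain]
    with_dunno = [check_sender_access({"partner.example": "DUNNO"}), reject_unknown_sender_domain]
    return evaluate_restrictions(with_ok, ctx)[0], evaluate_restrictions(with_dunno, ctx)[0]

# --- part 2: postscreen DNSBL scoring --------------------------------------
def parse_dnsbl_sites(spec):
    """Parse postscreen_dnsbl_sites 'domain[=filter][*weight]' entries."""
    sites = []
    for token in spec.replace(",", " ").split():
        domain, filt, weight = re.fullmatch(r"([^=*]+)(?:=([^*]+))?(?:\*(-?\d+))?", token).groups()
        sites.append((domain, filt, int(weight) if weight else 1))
    return sites

def _octet_matches(pattern, value):
    # pattern is a number or [a..b;c] as described in postconf(5)
    if not pattern.startswith("["):
        return int(pattern) == value
    for item in pattern[1:-1].split(";"):
        lo, _, hi = item.partition("..")
        if int(lo) <= value <= int(hi or lo):
            return True
    return False

def reply_matches(filt, reply):
    if filt is None:  # no =filter: any non-error reply counts
        return True
    pats = re.findall(r"\[[^\]]*\]|\d+", filt)
    octets = [int(o) for o in reply.split(".")]
    return len(pats) == 4 and all(_octet_matches(p, o) for p, o in zip(pats, octets))

def postscreen_dnsbl_score(sites, replies):
    """replies: {domain: [A records]} (constructed). Each site entry adds its
    weight at most once, as postconf(5) says for multiple replies."""
    return sum(weight for domain, filt, weight in sites
               if any(reply_matches(filt, r) for r in replies.get(domain, [])))

def postscreen_dnsbl_verdict(score, threshold=1, whitelist_threshold=-1):
    if score >= threshold:
        return "drop"        # postscreen_dnsbl_action = drop
    if whitelist_threshold < 0 and score <= whitelist_threshold:
        return "whitelist"   # skips the before/after-220 protocol tests
    return "continue"

# The postscreen_dnsbl_sites value posted in the message above.
SITES = parse_dnsbl_sites(
    "zen.spamhaus.org*2 bl.spamcop.net*2 "
    "list.dnswl.org=127.0.[0..255].0*-1 list.dnswl.org=127.0.[0..255].1*-2 "
    "list.dnswl.org=127.0.[0..255].2*-3 list.dnswl.org=127.0.[0..255].3*-4")

if __name__ == "__main__":
    print(demo_permit_bypass())  # ('PERMIT', 'REJECT')
    for replies in ({"zen.spamhaus.org": ["127.0.0.2", "127.0.0.4"]},
                    {"list.dnswl.org": ["127.0.5.2"], "bl.spamcop.net": ["127.0.0.2"]},
                    {"list.dnswl.org": ["127.0.5.0"], "bl.spamcop.net": ["127.0.0.2"]}):
        s = postscreen_dnsbl_score(SITES, replies)
        print(s, postscreen_dnsbl_verdict(s))
```

The three constructed DNSBL cases show the arithmetic behind the posted thresholds: two zen.spamhaus.org replies still count +2 once and are dropped; a dnswl "medium" listing (127.0.x.2, weight -3) plus a spamcop hit (+2) sums to -1 and reaches the whitelist threshold; a dnswl "none" listing (127.0.x.0, weight -1) plus the same spamcop hit sums to +1, which with postscreen_dnsbl_threshold = 1 is already a drop.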