On Wed, Jul 19, 2017 at 05:44:56PM +1000, Simon Wilson wrote:
> >>>On Apr 27, 2017, at 12:45 PM, Simon Wilson 
> >>><si...@simonandkate.net> wrote:
> I rectified the order as Viktor suggested back in April, and all 
> now working to plan, including a client IP filter in the 
> check_client_access file for local servers to skip amavisd. So I 
> now have:
> 
> smtpd_recipient_restrictions =
>         check_client_access hash:/etc/postfix/client_checks,
>         permit_mynetworks,
>         check_recipient_access hash:/etc/postfix/recipient_access.outside,
>         reject_unauth_destination,
>         check_sender_access hash:/etc/postfix/sender_access,
>         reject_unauth_pipelining,
>         reject_invalid_helo_hostname,
>         reject_non_fqdn_helo_hostname,
>         reject_non_fqdn_sender,
>         reject_unknown_sender_domain,

>         reject_non_fqdn_recipient,
>         reject_unknown_recipient_domain,

These two cause no harm, but they are unlikely to be used.

>         reject_rbl_client zen.spamhaus.org,
>         check_policy_service unix:private/policy-spf
>         permit
> 
> I have a follow-up question on smtpd_relay_restrictions. At the 
> moment I have:
> 
> smtpd_relay_restrictions =
> 
> smtpd_recipient_restrictions =
>         check_client_access hash:/etc/postfix/client_checks,
>         (etc.)
> 
> This is an install that has migrated from a Postfix install that 
> was pre-2.10, so for compatibility with what I had before it's all 
> still in smtpd_recipient_restrictions with an explicitly empty 
> smtpd_relay_restrictions.
> 
> To move forward, what checks should I move into the relay 
> restrictions?

For main.cf I recommend "reject_unauth_destination" only.  Then 
explicitly override that for submission in master.cf, as such:

mua_relay_restrictions = permit_sasl_authenticated, reject

(Add other permit_* as you need, before reject.)  Then as per the 
example master.cf you would have under submission:

        -o smtpd_relay_restrictions=$mua_relay_restrictions
        -o syslog_name=postfix/submission
        ...

This way you will not accept anything for relay on port 25, and 
you'll require all users to authenticate on submission.  If you have 
users submitting on port 25 you will have to tell them to change.
You'll especially want to do this so you can have postscreen 
controlling access for mail exchange; postscreen does not play 
nicely with MUAs, and end users' IP addresses are commonly found in 
Spamhaus Zen via PBL and/or XBL.
-- 
  http://rob0.nodns4.us/
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
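A small model of the relay gate described above, added here as an illustration (not Postfix code and not part of the thread): it evaluates an smtpd_relay_restrictions list the way Postfix does for RCPT TO (first decision wins, an exhausted list permits) and shows the verdicts for the main.cf value, the submission override, and the explicitly empty compatibility setting. The restriction subset, domain names and client addresses are assumptions.

```python
# Added model of Postfix's relay gate for RCPT TO. Not Postfix code: the
# restriction subset, domains and client addresses below are assumptions.

LOCAL_DOMAINS = {"example.net"}             # assumed: domains this server accepts as final destination
MYNETWORKS = {"127.0.0.1", "192.0.2.10"}    # constructed: clients that count as $mynetworks

# Each restriction returns "OK", "REJECT", or None (no decision, so the next one runs).
RESTRICTIONS = {
    "permit_mynetworks": lambda s, r: "OK" if s["client"] in MYNETWORKS else None,
    "permit_sasl_authenticated": lambda s, r: "OK" if s["sasl"] else None,
    "reject_unauth_destination": lambda s, r: None if r.rsplit("@", 1)[-1] in LOCAL_DOMAINS else "REJECT",
    "reject": lambda s, r: "REJECT",
}

def evaluate(restriction_list, session, rcpt):
    """First restriction that decides wins; an exhausted list permits (Postfix's default)."""
    for name in restriction_list:
        verdict = RESTRICTIONS[name](session, rcpt)
        if verdict is not None:
            return verdict
    return "OK"

# The three smtpd_relay_restrictions values discussed in the thread.
MAIN_CF_RELAY = ["reject_unauth_destination"]            # main.cf, i.e. port 25
MUA_RELAY = ["permit_sasl_authenticated", "reject"]      # $mua_relay_restrictions on submission
MUA_RELAY_WITH_LAN = ["permit_mynetworks"] + MUA_RELAY   # "other permit_* as you need, before reject"
LEGACY_EMPTY_RELAY = []                                  # explicitly empty pre-2.10 compatibility value

def relay_outcomes():
    """Relay verdicts for constructed sessions; smtpd_recipient_restrictions runs only after an OK here."""
    outside = {"client": "198.51.100.7", "sasl": False}   # constructed: unauthenticated Internet host
    authed = {"client": "198.51.100.7", "sasl": True}     # same host after SASL login on submission
    lan = {"client": "192.0.2.10", "sasl": False}         # constructed: host inside $mynetworks
    local_rcpt, remote_rcpt = "bob@example.net", "alice@elsewhere.example"
    return {
        "port25_inbound_to_local_domain": evaluate(MAIN_CF_RELAY, outside, local_rcpt),
        "port25_unauth_relay_attempt": evaluate(MAIN_CF_RELAY, outside, remote_rcpt),
        "port25_lan_host_relay": evaluate(MAIN_CF_RELAY, lan, remote_rcpt),
        "submission_sasl_relay": evaluate(MUA_RELAY, authed, remote_rcpt),
        "submission_unauth_relay": evaluate(MUA_RELAY, outside, remote_rcpt),
        "submission_lan_host_with_permit_mynetworks": evaluate(MUA_RELAY_WITH_LAN, lan, remote_rcpt),
        "legacy_empty_gate_unauth_relay": evaluate(LEGACY_EMPTY_RELAY, outside, remote_rcpt),
    }

if __name__ == "__main__":
    for case, verdict in relay_outcomes().items():
        print(f"{case:45} {verdict}")
```

The last case shows why the empty compatibility value is worth retiring: with no relay gate, whether unauthenticated relay is refused depends entirely on reject_unauth_destination being reached in smtpd_recipient_restrictions.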
