On Wed, Jul 28, 2021 at 01:15:13PM +0200, Jean-François Bachelet <jfbache...@free.fr> wrote:
> I've tried to concatenate the two lines in one, putting the permit stanzas
> from line 699 after the line 709 like below
>
> but that doesn't work either. Perhaps I should have commented out the line
> 'permit', or put the permit lines before the reject ones?
>
> smtpd_recipient_restrictions =
>     reject_invalid_hostname,
>     reject_unknown_recipient_domain,
>     reject_unauth_destination,
>     reject_rbl_client sbl.spamhaus.org,
>     permit
>     permit_mynetworks,
>     permit_auth_destination,
>     permit_sasl_authenticated,
>     reject

As Bill pointed out, the order matters. Putting permit in the middle
prevents anything later being checked. You might want it to be:

  smtpd_recipient_restrictions =
    permit_mynetworks
    permit_sasl_authenticated
    reject_unauth_destination
    reject_invalid_hostname
    reject_unknown_recipient_domain
    reject_rbl_client sbl.spamhaus.org
    permit

Note that I moved the quick (non-DNS) checks to the top (so local and
authenticated users can send outgoing mail anywhere without wasting time
on the slow RBL check), and replaced permit_auth_destination with
reject_unauth_destination. Otherwise, any incoming mail for an authorised
destination would just be permitted, and so would not be subjected to the
RBL check.

And as Bill also pointed out, you might want it to be different for SASL
authenticated connections (port 465/587) compared to server connections
(port 25).
As an example, I have this in main.cf (defaults for all connections,
ports 25/465/587):

  # Antispam (http://www.postfix.org/SMTPD_ACCESS_README.html)
  smtpd_client_restrictions =
    permit_mynetworks
    permit_sasl_authenticated
    reject_unauth_destination
    permit_dnswl_client list.dnswl.org=127.0.[0..255].[1..3]
    reject_rbl_client zen.spamhaus.org
    reject_rbl_client bl.spamcop.net
    reject_rbl_client dnsbl.sorbs.net
    reject_rbl_client dnsbl-1.uceprotect.net
    permit
  smtpd_helo_required = yes
  smtpd_helo_restrictions =
    permit_mynetworks
    permit_sasl_authenticated
    # For 1 good helo name that isn't a real hostname
    check_helo_access hash:/etc/postfix/helo-access
    reject_invalid_helo_hostname
    reject_non_fqdn_helo_hostname
    reject_unknown_helo_hostname
    permit
  smtpd_sender_restrictions =
    reject_unknown_sender_domain
    # For 1 bad sender domain that gets through everything else
    check_sender_access pcre:/etc/postfix/sender-access
    permit
  smtpd_recipient_restrictions =
    permit_mynetworks
    permit_sasl_authenticated
    reject_unauth_pipelining
    reject_unauth_destination
    # For postgrey
    check_policy_service inet:127.0.0.1:10023
    permit
  smtpd_relay_restrictions =
    permit_mynetworks
    permit_sasl_authenticated
    reject_unauth_pipelining
    reject_unauth_destination
    permit
  # Needed for reject_unauth_pipelining (BDAT_README)
  smtpd_discard_ehlo_keywords = chunking silent-discard

  # SASL Authentication (http://www.postfix.org/SASL_README.html)
  smtpd_sasl_auth_enable = yes
  smtpd_sasl_type = dovecot
  smtpd_sasl_path = private/auth
  # Note: TLS also needed (http://www.postfix.org/TLS_README.html)

And, for SASL authenticated connections to ports 465/587, the
smtpd_client_restrictions is overridden in master.cf:

  smtps      inet  n  -  y  -  -  smtpd
    -o syslog_name=postfix/$service_name
    -o smtpd_tls_wrappermode=yes
    -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  submission inet  n  -  y  -  -  smtpd
    -o syslog_name=postfix/$service_name
    -o smtpd_tls_security_level=encrypt
    -o smtpd_client_restrictions=permit_sasl_authenticated,reject
There's great documentation I'd recommend at:

  http://www.postfix.org/SMTPD_ACCESS_README.html
  http://www.postfix.org/postconf.5.html

It'll help make sense of it all. Whenever you see instructions online for
setting up postfix, I'd recommend reading postfix's documentation to
understand those instructions before deciding whether or not it's what
you need.

> > There seem to be a lot of things in the postconf -n
> > output that match the default values (e.g.
> > newaliases_path, setgid_group, ...). They can be
> > removed from main.cf.
> >
> > But there's one setting that seems very odd:
> >
> > sendmail_path = /usr/bin/postfix
>
> ouch, there was a typo, it's sbin or bin :(

What surprised me was that it was referring to "postfix", rather than
"sendmail". I hadn't noticed that the directory was wrong as well.
The default is:

  > postconf -d sendmail_path
  sendmail_path = /usr/sbin/sendmail

> corrected:
>
> 647 # sendmail_path: The full pathname of the Postfix sendmail command.
> 648 # This is the Sendmail-compatible mail posting interface.
> 649 #
> 650 sendmail_path = /usr/sbin/sendmail
>
> that is like that in this tutorial:
> https://www.server-world.info/en/note?os=Debian_10&p=mail&f=1
>
> I think it's an error that has never been reported to the site webmaster...
>
> (postfix newbie I said ;))

I don't understand why they would have that there. The default is correct
on Debian 10. It's probably always correct, unless you also have the
sendmail package installed, and so postfix's sendmail has a different
name. Even then, the new value is more likely to be something like
/usr/sbin/sendmail.postfix or /etc/alternatives/sendmail, not
/usr/sbin/postfix. That's the postfix binary, not the sendmail-compatible
interface to postfix. They are not the same program.

But again, this is probably a side issue to your local mail not being
delivered due to "mail for server.mydomain.com loops back to myself".
That's probably more likely to be related to your $mydestination value
not including all of the right servers.

cheers,
raf
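Added here as a worked illustration, not part of raf's message or of Postfix itself: a small Python model of the first-match evaluation raf describes, run over the quoted list and the suggested order. The addresses, domains and the RBL answer are constructed stand-ins; no DNS is queried.

```python
# Added example, not code from raf's message or from Postfix: a toy model of
# how Postfix walks an smtpd_*_restrictions list, to show why order matters.
# Each entry returns PERMIT, REJECT or DUNNO (no opinion); the first PERMIT
# or REJECT ends the walk, and if every entry says DUNNO the result is PERMIT.
from dataclasses import dataclass

PERMIT, REJECT, DUNNO = "PERMIT", "REJECT", "DUNNO"

# Constructed stand-ins for $mynetworks, $mydestination and an RBL answer;
# no DNS is queried, the "slow" RBL check is only a set lookup here.
MYNETWORKS = {"127.0.0.1", "192.0.2.10"}
MYDESTINATION = {"example.com"}
RBL_LISTED = {"198.51.100.7"}          # pretend the RBL lists this client

@dataclass
class Session:
    client_ip: str
    recipient_domain: str
    sasl_authenticated: bool = False

RESTRICTIONS = {
    "permit": lambda s: PERMIT,
    "reject": lambda s: REJECT,
    "permit_mynetworks": lambda s: PERMIT if s.client_ip in MYNETWORKS else DUNNO,
    "permit_sasl_authenticated": lambda s: PERMIT if s.sasl_authenticated else DUNNO,
    "permit_auth_destination": lambda s: PERMIT if s.recipient_domain in MYDESTINATION else DUNNO,
    "reject_unauth_destination": lambda s: DUNNO if s.recipient_domain in MYDESTINATION else REJECT,
    "reject_rbl_client": lambda s: REJECT if s.client_ip in RBL_LISTED else DUNNO,
}

def evaluate(restrictions, session):
    """First-match-wins walk; returns (verdict, name of the deciding entry)."""
    for name in restrictions:
        verdict = RESTRICTIONS[name](session)
        if verdict != DUNNO:
            return verdict, name
    return PERMIT, "<end of list>"

# The quoted list: "permit" in the middle makes the four entries after it dead.
ORIGINAL = ["reject_unauth_destination", "reject_rbl_client", "permit",
            "permit_mynetworks", "permit_sasl_authenticated",
            "permit_auth_destination", "reject"]
# permit_auth_destination ahead of the RBL check (what raf warned against).
PERMIT_AUTH_DEST = ["permit_mynetworks", "permit_sasl_authenticated",
                    "permit_auth_destination", "reject_rbl_client", "permit"]
# raf's order: DNS-free checks first, reject_unauth_destination before the RBL.
SUGGESTED = ["permit_mynetworks", "permit_sasl_authenticated",
             "reject_unauth_destination", "reject_rbl_client", "permit"]
```

Running evaluate() over the three lists shows that in the quoted order a $mynetworks client is rejected when it tries to send outward, and that with permit_auth_destination ahead of the RBL an RBL-listed client reaches a local mailbox without the RBL ever being consulted.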