On Wed, Jul 28, 2021 at 01:15:13PM +0200, Jean-François Bachelet 
<jfbache...@free.fr> wrote:

> I've tried to concatenate the two lines in one, putting the permit stances
> from line 699 after the line 709 like below
> 
> but that doesn't work either, perhaps I should have commented out the line
> 'permit' or put the permit lines before the reject ones?
> 
>  smtpd_recipient_restrictions =
>   reject_invalid_hostname,
>   reject_unknown_recipient_domain,
>   reject_unauth_destination,
>   reject_rbl_client
>   sbl.spamhaus.org,
>   permit
>   permit_mynetworks,
>   permit_auth_destination,
>   permit_sasl_authenticated,
>   reject

As Bill pointed out, the order matters. Putting permit
in the middle prevents anything later being checked.
You might want it to be:

  smtpd_recipient_restrictions =
   permit_mynetworks
   permit_sasl_authenticated
   reject_unauth_destination
   reject_invalid_hostname
   reject_unknown_recipient_domain
   reject_unauth_destination
   reject_rbl_client sbl.spamhaus.org
   permit

Note that I moved the quick (non-DNS) checks to the top
(so local and authenticated users can send outgoing
mail anywhere without wasting time on the slow RBL
check), and replaced permit_auth_destination with
reject_unauth_destination. Otherwise, any incoming mail
for an authorised destination would just be permitted,
and so would not be subjected to the RBL check.

And as Bill also pointed out, you might want it to be
different for SASL authenticated connections (port
465/587) compared to server connections (port 25).

As an example, I have this in main.cf (defaults for
all connections, ports 25/465/587):

  # Antispam (http://www.postfix.org/SMTPD_ACCESS_README.html)
  smtpd_client_restrictions =
    permit_mynetworks
    permit_sasl_authenticated
    reject_unauth_destination
    permit_dnswl_client list.dnswl.org=127.0.[0..255].[1..3]
    reject_rbl_client zen.spamhaus.org
    reject_rbl_client bl.spamcop.net
    reject_rbl_client dnsbl.sorbs.net
    reject_rbl_client dnsbl-1.uceprotect.net
    permit
  smtpd_helo_required = yes
  smtpd_helo_restrictions =
    permit_mynetworks
    permit_sasl_authenticated
    # For 1 good helo name that isn't a real hostname
    check_helo_access hash:/etc/postfix/helo-access
    reject_invalid_helo_hostname
    reject_non_fqdn_helo_hostname
    reject_unknown_helo_hostname
    permit
  smtpd_sender_restrictions =
    reject_unknown_sender_domain
    # For 1 bad sender domain that gets through everything else
    check_sender_access pcre:/etc/postfix/sender-access
    permit
  smtpd_recipient_restrictions =
    permit_mynetworks
    permit_sasl_authenticated
    reject_unauth_pipelining
    reject_unauth_destination
    # For postgrey
    check_policy_service inet:127.0.0.1:10023
    permit
  smtpd_relay_restrictions =
    permit_mynetworks
    permit_sasl_authenticated
    reject_unauth_pipelining
    reject_unauth_destination
    permit
  # Needed for reject_unauth_pipelining (BDAT_README)
  smtpd_discard_ehlo_keywords = chunking silent-discard

  # SASL Authentication (http://www.postfix.org/SASL_README.html)
  smtpd_sasl_auth_enable = yes
  smtpd_sasl_type = dovecot
  smtpd_sasl_path = private/auth

  # Note: TLS also needed (http://www.postfix.org/TLS_README.html)

And, for SASL authenticated connections to ports 465/587,
the smtpd_client_restrictions is overridden in master.cf:

  smtps      inet  n       -       y       -       -       smtpd
    -o syslog_name=postfix/$service_name
    -o smtpd_tls_wrappermode=yes
    -o smtpd_client_restrictions=permit_sasl_authenticated,reject

  submission inet n       -       y       -       -       smtpd
    -o syslog_name=postfix/$service_name
    -o smtpd_tls_security_level=encrypt
    -o smtpd_client_restrictions=permit_sasl_authenticated,reject

There's great documentation I'd recommend at:

  http://www.postfix.org/SMTPD_ACCESS_README.html
  http://www.postfix.org/postconf.5.html

It'll help make sense of it all. Whenever you see instructions
online for setting up postfix, I'd recommend reading postfix's
documentation to understand those instructions before deciding
whether or not it's what you need.

> > There seem to be a lot of things in the postconf -n
> > output that match the default values (e.g.
> > newaliases_path, setgid_group, ...). They can be
> > removed from main.cf.
> > 
> > But there's one setting that seems very odd:
> > 
> >    sendmail_path = /usr/bin/postfix
> 
> ouch, there was a typo, it's sbin or bin :(

What surprised me was that it was referring to
"postfix", rather than "sendmail". I hadn't noticed
that the directory was wrong as well. The default is:

  > postconf -d sendmail_path
  sendmail_path = /usr/sbin/sendmail

> corrected :
> 
> 647 # sendmail_path: The full pathname of the Postfix sendmail command.
> 648 # This is the Sendmail-compatible mail posting interface.
> 649 #
> 650 sendmail_path = /usr/sbin/sendmail
> 
> it is like that in this tutorial:
> https://www.server-world.info/en/note?os=Debian_10&p=mail&f=1
> 
> I think it's an error that has never been reported to the site webmaster...
> 
> (postfix newbie I said ;))

I don't understand why they would have that there. The
default is correct on Debian 10. It's probably always
correct, unless you also have the sendmail package
installed, and so postfix's sendmail has a different
name. Even then, the new value is more likely to be
something like /usr/sbin/sendmail.postfix or
/etc/alternatives/sendmail, not /usr/sbin/postfix.
That's the postfix binary, not the sendmail-compatible
interface to postfix. They are not the same program.

But again, this is probably a side issue to your local mail
not being delivered due to "mail for server.mydomain.com
loops back to myself". That's probably more likely to be
related to your $mydestination value not including all of
the right servers.

cheers,
raf
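The "order matters" point above, and the submission-port override (permit_sasl_authenticated, reject), are easiest to see by walking the lists the way smtpd does: first restriction that says permit or reject wins, everything after it is never looked at. The following is an added illustration written for this thread, not Postfix code; it models only the handful of restrictions that appear in the messages, and feeds in mynetworks membership, SASL state and the DNSBL answer as constructed facts instead of doing real lookups. The Session fields, the list names and the three sample sessions are assumptions made for the example.

```python
"""Toy model of Postfix smtpd_*_restrictions evaluation (added example).

Postfix walks a restriction list top to bottom; the first entry that yields
PERMIT or REJECT decides, later entries are never evaluated.  An entry with
no opinion (DUNNO) falls through.  Exhausting the list without a decision
is treated as permit.  Only the restrictions used in this thread are modelled.
"""
from dataclasses import dataclass, field


@dataclass
class Session:
    """Constructed view of one SMTP session at RCPT TO time (assumed fields)."""
    in_mynetworks: bool               # client IP matches $mynetworks
    sasl_authenticated: bool          # client completed SASL AUTH
    recipient_is_local: bool          # recipient domain in $mydestination/$relay_domains
    rbl_listed_in: set = field(default_factory=set)   # DNSBL zones listing the client
    helo_valid: bool = True
    recipient_domain_resolves: bool = True


def evaluate(restrictions, s):
    """Return (decision, entry_that_decided); first match wins, as in smtpd."""
    for entry in restrictions:
        name, *args = entry.split()
        if name == "permit":
            return "PERMIT", entry
        if name == "reject":
            return "REJECT", entry
        if name == "permit_mynetworks" and s.in_mynetworks:
            return "PERMIT", entry
        if name == "permit_sasl_authenticated" and s.sasl_authenticated:
            return "PERMIT", entry
        if name == "permit_auth_destination" and s.recipient_is_local:
            return "PERMIT", entry
        if name == "reject_unauth_destination" and not s.recipient_is_local:
            return "REJECT", entry
        if name == "reject_rbl_client" and args and args[0] in s.rbl_listed_in:
            return "REJECT", entry
        if name == "reject_invalid_hostname" and not s.helo_valid:
            return "REJECT", entry
        if name == "reject_unknown_recipient_domain" and not s.recipient_domain_resolves:
            return "REJECT", entry
        # no opinion: fall through to the next restriction
    return "PERMIT", None   # list exhausted: Postfix permits by default


def unreachable(restrictions):
    """Entries after an unconditional permit/reject can never be evaluated."""
    for i, entry in enumerate(restrictions):
        if entry in ("permit", "reject"):
            return restrictions[i + 1:]
    return []


# The list as posted in the question: a bare "permit" sits in the middle.
AS_POSTED = [
    "reject_invalid_hostname",
    "reject_unknown_recipient_domain",
    "reject_unauth_destination",
    "reject_rbl_client sbl.spamhaus.org",
    "permit",
    "permit_mynetworks",
    "permit_auth_destination",
    "permit_sasl_authenticated",
    "reject",
]

# The reordered list from the reply (quick checks first, RBL last).
REORDERED = [
    "permit_mynetworks",
    "permit_sasl_authenticated",
    "reject_unauth_destination",
    "reject_invalid_hostname",
    "reject_unknown_recipient_domain",
    "reject_rbl_client sbl.spamhaus.org",
    "permit",
]

# Same shape but keeping permit_auth_destination, to show why it was swapped out.
WITH_PERMIT_AUTH_DEST = [
    "permit_mynetworks",
    "permit_sasl_authenticated",
    "permit_auth_destination",
    "reject_rbl_client sbl.spamhaus.org",
    "permit",
]

# The master.cf override for ports 465/587.
SUBMISSION = ["permit_sasl_authenticated", "reject"]

# Constructed sessions (not real traffic).
ROAMING_USER = Session(in_mynetworks=False, sasl_authenticated=True, recipient_is_local=False)
LISTED_SENDER = Session(False, False, True, rbl_listed_in={"sbl.spamhaus.org"})
RELAY_PROBE = Session(False, False, False)

if __name__ == "__main__":
    for label, lst in [("as posted", AS_POSTED), ("reordered", REORDERED),
                       ("permit_auth_destination", WITH_PERMIT_AUTH_DEST),
                       ("submission", SUBMISSION)]:
        for who, sess in [("roaming user", ROAMING_USER), ("listed sender", LISTED_SENDER),
                          ("relay probe", RELAY_PROBE)]:
            print(f"{label:24} {who:14} -> {evaluate(lst, sess)}")
        print(f"{label:24} dead entries: {unreachable(lst)}")
```

Running it shows the two failures the reply describes: with the list as posted, the authenticated roaming user is rejected by reject_unauth_destination before permit_sasl_authenticated is ever reached (and the four entries after "permit" are dead), while with permit_auth_destination in place a DNSBL-listed host sending to a local domain is permitted without the RBL check running. The real smtpd_recipient_restrictions list is evaluated when the RCPT TO command arrives, and reject_rbl_client costs a DNS round trip, which is why the cheap permit_* checks sit first in the reordered list.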
