Nathan Lager wrote:
> If I remove mynetworks, I'm unable to relay, no?
> Or should it be in a different order?
Not necessarily. You can still send mail without matching mynetworks iff you match the policies/checks required. One alternative is to use SASL authentication to send mail, which, although it takes a bit of setting up, does have some advantages (it depends what your requirements are).

I run a customer-facing mail server at work (about 1k mailboxes and 10k messages/day, so only fairly small), and I've been setting up a newer replacement for it using Policyd. Here I've changed mynetworks to only include the IP of the mail server itself - not even our own servers can use it without authentication! This latter bit gives us some protection against malware - unless it's intelligent enough to pick up the authentication credentials, then it won't be able to send spam (just one of several layers of protection). Once you have authentication, you can do other tricks like apply quotas (in and/or out) per user (or more precisely, SASL username) rather than IP address, but most importantly you can allow users to send mail from anywhere without being an open relay.

Nearly forgot: you can use "permit_sasl_authenticated" in your HELO checks to bypass HELO checks for authenticated users while imposing them for inbound mail.

But don't get too disheartened if you struggle with Postfix's restrictions. They offer very rich and flexible options, but with that comes a certain amount of complexity. Order is very important - once any check reaches an answer (whether permit or deny) then further checks are skipped. Also many of them can be used in different places - I tend to use mostly smtpd_recipient_restrictions since they are applied when you get recipient addresses and most is known about the mail. Adding "defer_if_reject" is useful as well; it means that even if a message fails an early check (such as on HELO name) then it won't be rejected until you've got sender and recipient addresses to go in the logs.
Returning to policyd, if you have multiple policies, then make them mutually exclusive. The documentation (and previous discussions here) imply a certain amount of inheritance, but not all modules behave the same - so it's far simpler if any message matches exactly one policy and then it's not an issue.

Anyway, this is the key bit of my (working) setup; hopefully it will give you some ideas. I've included facilities for blacklisting by host and by HELO response - you'd be amazed how many clients claim to be "us" in one form or another, and they all get rejected as obvious fakes. For a while at home, I also rejected connections from AOL - so that people got bounces instead of me getting messages I couldn't reply to.

mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128

# Requirements for the HELO statement
smtpd_helo_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    check_helo_access hash:/etc/postfix/helo_access,
    reject_non_fqdn_hostname,
    reject_invalid_hostname,
    permit

# Requirements for the sender details
smtpd_sender_restrictions =
    permit_mynetworks,
    hash:/etc/postfix/access,
    check_client_access cidr:/etc/postfix/host_access,
    permit_sasl_authenticated,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
#    reject_unauth_pipelining,
    permit

## Requirements for the connecting server
smtpd_client_restrictions =
    permit_mynetworks,
    check_client_access cidr:/etc/postfix/blacklist,
    permit

# Requirement for the recipient address
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_pipelining,
    check_client_access cidr:/etc/postfix/host_access,
    check_policy_service inet:172.16.1.112:10031,
    permit_sasl_authenticated,
    reject_non_fqdn_recipient,
    reject_unknown_recipient_domain,
    reject_unlisted_recipient,
    reject_unauth_destination,
#    reject_unauth_pipelining,
    permit

--
Simon Hobson
