From: Ralf Hildebrandt (no email)
Date: Tue Jan 01 2002 - 05:16:34 EST
On Mon, Dec 31, 2001 at 05:26:27PM +0100, Benjamin Pineau wrote:
> * Being an MX backup. I've read that to be a secondary MX for another
> domain, I just have to add this domain in relay_domains. True?
Yes.
> * I think to have guessed that, in postfix terminology:
> - 'client' means the real ip/fqdn from where the request comes from.
> Not necessarily the true client's address, maybe an intermediate relay.
> - 'sender' is the domain indicated in the MAIL FROM: command
> - 'recipient' are addresses in RCPT TO:
> Am I right?
Yes.
> * I'm not sure to well understand the checking mechanism of smtpd_*_restrictions.
> I think that the rules are checked in the order indicated on the
> restriction, left to right, and stopped at the first matching rule. Right?
Yes.
> * Validity of my smtpd_restrictions rules. This is what I want:
> - mails posted from mynetworks should be relayed
permit_mynetworks
> - mails posted from sasl authenticated clients should be relayed
permit_sasl_authenticated
> - mails posted from TLS w/ certificates authenticated clients should be relayed
dunno
> - mails destined to mydestinations or relay_domains will be relayed,
reject_unauth_destination
> assuming that, if the client isn't posting from mynetworks or is not sasl/tls
> authenticated:
> - the client uses a helo/ehlo with an existing (A, MX, CNAME ...) hostname
> (or an ip that could be reversed)
Don't do that. It rejects too much legitimate mail.
> - the sender isn't rbl blacklisted
reject_maps_rbl
> - the sender doesn't use VRFY, pipelining and other spammer techniques
> - the ip/domain part of the 'mail from:' could be resolved (A, MX, PTR ...)
> - client or sender is not filtered in hash:/etc/postfix/access or in
> pcre:/etc/postfix/header_check_filters
>
> Here are my restrictions:
>
> header_checks = pcre:/etc/postfix/header_check_filters
>
> smtpd_helo_restrictions = permit_mynetworks, reject_maps_rbl,
> permit_naked_ip_address, reject_unknown_hostname, reject_invalid_hostname,
> check_helo_access hash:/etc/postfix/access
>
> smtpd_client_restrictions = permit_sasl_authenticated, permit_tls_clientcerts,
> permit_mynetworks, check_client_access hash:/etc/postfix/access,
> reject_maps_rbl, reject_unauth_pipelining, reject_unknown_client
>
> smtpd_sender_restrictions = permit_mynetworks, permit_sasl_authenticated,
> permit_tls_clientcerts, check_sender_access hash:/etc/postfix/access,
> reject_unknown_sender_domain, reject_maps_rbl, check_relay_domains
>
> smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated,
> permit_tls_clientcerts, reject_unauth_pipelining, permit_mx_backup,
> check_relay_domains, reject_unknown_recipient_domain
http://www.stahl.bau.tu-bs.de/~hildeb/postfix/mailhub.shtml
does the same, except for the SASL bit.
> * Do I have redundancy that I can avoid? Stupid checks?
> * are the restrictions in a good order?
IMHO not. Stuff is duplicated all over the place.
> * do I need to use the header_check map in a smtp_restriction for
> it to take effect?
No. Read the manual. header_checks and body_checks are done separately.
--
Ralf Hildebrandt (Im Auftrag des Referat V A)
Charite Campus Virchow-Klinikum
Tel. +49 (0)30-450 570-155
Referat V A - Kommunikationsnetze - Fax. +49 (0)30-450 570-916
Micro$oft IMC: The Scarlet Pimpernel of postmen. Hard to find, impossible to order about, but every once in a while it saves a piece of mail from disaster. Sometimes even with its head(ers) intact.
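The thread's two key points, that a restriction list is walked left to right and stops at the first permit or reject, and that repeating the same permit_* rules in every list buys nothing, can be made concrete with a small simulator. The following is an added example, not code from the thread or from Postfix itself: it models only four of the restrictions named above (permit_mynetworks, permit_sasl_authenticated, reject_maps_rbl, reject_unauth_destination) with constructed site values, and it models the end-of-list default as "permit", which is the reason reject_unauth_destination has to appear somewhere in the list. The POSTED_* lists reproduce the questioner's four lists reduced to bare rule names (map arguments dropped).

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Constructed site parameters; hypothetical stand-ins for main.cf settings.
MYNETWORKS = [ipaddress.ip_network("127.0.0.0/8"),
              ipaddress.ip_network("192.0.2.0/24")]
MYDESTINATION = {"example.org"}
RELAY_DOMAINS = {"secondary.example"}   # domains this host is backup MX for
RBL_LISTED = {"198.51.100.7"}           # constructed stand-in for a DNSBL answer


@dataclass
class Session:
    """The facts a restriction can look at for one SMTP client/transaction."""
    client_ip: str
    sasl_authenticated: bool = False
    recipient_domain: str = ""


# A restriction yields "permit", "reject", or None (no match: keep going).
Verdict = Optional[str]
Restriction = Callable[[Session], Verdict]


def permit_mynetworks(s: Session) -> Verdict:
    addr = ipaddress.ip_address(s.client_ip)
    return "permit" if any(addr in net for net in MYNETWORKS) else None


def permit_sasl_authenticated(s: Session) -> Verdict:
    return "permit" if s.sasl_authenticated else None


def reject_maps_rbl(s: Session) -> Verdict:
    return "reject" if s.client_ip in RBL_LISTED else None


def reject_unauth_destination(s: Session) -> Verdict:
    # Only ever rejects; an authorized destination just falls through.
    authorized = s.recipient_domain in (MYDESTINATION | RELAY_DOMAINS)
    return None if authorized else "reject"


RULES: Dict[str, Restriction] = {
    "permit_mynetworks": permit_mynetworks,
    "permit_sasl_authenticated": permit_sasl_authenticated,
    "reject_maps_rbl": reject_maps_rbl,
    "reject_unauth_destination": reject_unauth_destination,
}


def evaluate(restrictions: List[str], s: Session) -> Tuple[str, str]:
    """Walk the list left to right; the first permit/reject wins.
    Falling off the end yields the modelled end-of-list default (permit),
    so a list without reject_unauth_destination relays for anyone."""
    for name in restrictions:
        verdict = RULES[name](s)
        if verdict is not None:
            return verdict, name
    return "permit", "end-of-list default"


def duplicated_rules(*lists: List[str]) -> List[str]:
    """Rule names that appear in more than one restriction list."""
    counts: Dict[str, int] = {}
    for lst in lists:
        for name in set(lst):
            counts[name] = counts.get(name, 0) + 1
    return sorted(name for name, n in counts.items() if n > 1)


# The order the answers above amount to (TLS client certs left out).
RECOMMENDED = ["permit_mynetworks", "permit_sasl_authenticated",
               "reject_unauth_destination", "reject_maps_rbl"]

# The questioner's four lists, bare rule names only.
POSTED_HELO = ["permit_mynetworks", "reject_maps_rbl", "permit_naked_ip_address",
               "reject_unknown_hostname", "reject_invalid_hostname", "check_helo_access"]
POSTED_CLIENT = ["permit_sasl_authenticated", "permit_tls_clientcerts", "permit_mynetworks",
                 "check_client_access", "reject_maps_rbl", "reject_unauth_pipelining",
                 "reject_unknown_client"]
POSTED_SENDER = ["permit_mynetworks", "permit_sasl_authenticated", "permit_tls_clientcerts",
                 "check_sender_access", "reject_unknown_sender_domain", "reject_maps_rbl",
                 "check_relay_domains"]
POSTED_RECIPIENT = ["permit_mynetworks", "permit_sasl_authenticated", "permit_tls_clientcerts",
                    "reject_unauth_pipelining", "permit_mx_backup", "check_relay_domains",
                    "reject_unknown_recipient_domain"]

if __name__ == "__main__":
    for s in (Session("192.0.2.10", recipient_domain="anywhere.test"),
              Session("203.0.113.5", recipient_domain="secondary.example"),
              Session("203.0.113.5", recipient_domain="anywhere.test"),
              Session("198.51.100.7", recipient_domain="example.org")):
        print(s.client_ip, s.recipient_domain, "->", evaluate(RECOMMENDED, s))
    print("duplicated:", duplicated_rules(POSTED_HELO, POSTED_CLIENT,
                                          POSTED_SENDER, POSTED_RECIPIENT))
```

Running it shows the backup-MX case going through on the end-of-list default (every rule fell through, nothing rejected), an unauthorized destination stopped by reject_unauth_destination, and that six of the posted rule names appear in two or more of the four lists, which is the duplication the answer objects to.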