From: Sheldon T. Hall (no email)
Date: Thu Feb 01 2007 - 12:17:24 EST
Quoth Curt LeCaptain ...
> Here's what I'm looking at doing:
>
> For specific addresses on the server, I'd like to have anyone be able to
> send mail to them and bypass blackhole list checks. My assumption (it
> may be wrong) is the following config for smtpd_recipient_restrictions:
>
> smtpd_recipient_restrictions = permit_mynetworks
> check_sender_access = hash:/etc/postfix/spamfriends    <-----Line in question
> permit_sasl_authenticated
> check_client_access hash:/etc/postfix/pop-before-smtp
> reject_unauth_pipelining
> reject_non_fqdn_hostname
> reject_non_fqdn_sender
> reject_non_fqdn_recipient
> reject_unknown_sender_domain
> reject_unknown_recipient_domain
> reject_unauth_destination
> reject_rbl_client combined.njabl.org
> reject_rbl_client bl.spamcop.net
> reject_rbl_client list.dsbl.org
> reject_rbl_client zen.spamhaus.org
> permit
>
> My spamfriends hash table is the following:
>
> OK
> OK
That makes you an open relay for anyone _claiming_ to be one of the senders
in your spamfriends whitelist.
It would be better to minimize the potential damage by putting
"check_sender_access = hash:/etc/postfix/spamfriends" immediately before
your first blacklist, after all the other checks. In any case, be sure to
have "reject_unauth_destination" before your whitelist.
-Shel
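
The ordering point made in the reply above, as an added example that is not part of the original thread: a simplified Python model of how a restriction list is walked top to bottom, with the first restriction that returns a decision ending the evaluation. The three functions are reduced stand-ins for the Postfix restrictions of the same name (not Postfix code), and all addresses, domains and the client IP are constructed.

```python
# Simplified first-match model of smtpd_recipient_restrictions.
# Each restriction returns "permit", a "reject: ..." string, or None (no opinion).

LOCAL_DOMAINS = {"example.com"}        # constructed: domains this server accepts mail for
SPAMFRIENDS = {"friend@example.net"}   # constructed stand-in for the spamfriends table
RBL_LISTED = {"203.0.113.7"}           # constructed: client IPs present on a blacklist

def check_sender_access(msg):
    # The envelope sender is whatever the client claims; nothing verifies it.
    return "permit" if msg["sender"] in SPAMFRIENDS else None

def reject_unauth_destination(msg):
    domain = msg["recipient"].rsplit("@", 1)[1]
    return None if domain in LOCAL_DOMAINS else "reject: relay access denied"

def reject_rbl_client(msg):
    return "reject: client blacklisted" if msg["client"] in RBL_LISTED else None

def evaluate(restrictions, msg):
    for restriction in restrictions:
        decision = restriction(msg)
        if decision is not None:
            return decision            # first match wins, later checks never run
    return "permit"                    # the trailing "permit" in the list

# Order as posted: whitelist lookup ahead of the relay check.
ORIGINAL = [check_sender_access, reject_unauth_destination, reject_rbl_client]
# Order as advised: relay check first, whitelist just before the blacklists.
REORDERED = [reject_unauth_destination, check_sender_access, reject_rbl_client]

# Constructed messages, all from a blacklisted client.
claimed_friend_relay = {"client": "203.0.113.7", "sender": "friend@example.net",
                        "recipient": "someone@example.org"}   # non-local recipient
friend_to_local = {"client": "203.0.113.7", "sender": "friend@example.net",
                   "recipient": "user@example.com"}
stranger_to_local = {"client": "203.0.113.7", "sender": "other@example.net",
                     "recipient": "user@example.com"}

if __name__ == "__main__":
    for name, order in (("original", ORIGINAL), ("reordered", REORDERED)):
        for label, msg in (("claimed friend, relay", claimed_friend_relay),
                           ("friend, local rcpt", friend_to_local),
                           ("stranger, local rcpt", stranger_to_local)):
            print(f"{name:9} | {label:22} | {evaluate(order, msg)}")
```

In the reordered list the whitelist still lets a listed sender past the blacklists for local recipients, but it can no longer authorize relaying.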