Re: Whitelisting Redux

From: Dennis Putnam (no email)
Date: Tue May 01 2007 - 08:10:26 EDT

  • Next message: Wietse Venema: "Re: "lost connection with domain while sending end of data -- message may be sent more than once""

    On Apr 30, 2007, at 2:15 PM, Jorey Bump wrote:

    > Dennis Putnam wrote:
    >
    > You'll need a good backup or version control system for insurance
    > against future mishaps.

    I thought I did but it is only as good as the people that follow the
    procedure.

    >
    > I prefer to put my RBLs at the end of smtpd_recipient_restrictions
    > and exempt anything I need before it (also in
    > smtpd_recipient_restrictions). I don't change the other
    > smtpd_*_restrictions from their defaults, but if I did, I'd try to
    > use them only for obvious rejections. This is a matter of taste. I
    > typically use this configuration:
    >
    > smtpd_recipient_restrictions =
    > reject_non_fqdn_sender
    > reject_unlisted_sender
    > reject_unknown_sender_domain
    > reject_unknown_recipient_domain
    > reject_unlisted_recipient
    > permit_mynetworks
    > permit_sasl_authenticated
    > reject_unauth_destination
    > check_helo_access pcre:/etc/postfix/helo
    > check_sender_access hash:/etc/postfix/sender
    > reject_rbl_client rbl1.example.org
    > reject_rbl_client rbl2.example.net
    >
    > The check_*_access files are custom, and currently contain only
    > rejections. You may need to put yours before the permit_*
    > statements, if you truly need a whitelist. If your problem user is
    > actually an authenticated user that is being blocked by an RBL, you
    > no longer need a whitelist with the above configuration, as this is
    > handled by placing permit_sasl_authenticated before the RBLs.

    I took your advice and modified (best I could as it appears you are
    using v 2.3, I think mine is 2.1) my main.cf to match. Unfortunately
    the 'check_sender_access' is still not working. My problem user is
    not an authenticated one, it is just one that happens to have an ISP
    that is too arrogant to accept and act on spam reports. Perhaps the
    problem is versioning. Here is a new 'postconf -n' and thanks again
    for your help.

    alias_maps = hash:/etc/aliases,hash:/var/mailman/data/aliases
    command_directory = /usr/sbin
    config_directory = /etc/postfix
    content_filter = smtp-amavis:[127.0.0.1]:10024
    daemon_directory = /usr/libexec/postfix
    debug_peer_level = 2
    enable_server_options = yes
    html_directory = no
    inet_interfaces = all
    mail_owner = postfix
    mailbox_size_limit = 0
    mailbox_transport = cyrus
    mailq_path = /usr/bin/mailq
    manpage_directory = /usr/share/man
    message_size_limit = 26214400
    mydestination = $myhostname,localhost.$mydomain,localhost,xserveoda.aimaudit.com,mail.aimaudit.com,aimaudit.com
    mydomain = aimaudit.com
    mydomain_fallback = localhost
    myhostname = xserveoda.aimaudit.com
    mynetworks = 127.0.0.1/32,66.255.181.64/28,72.158.55.128/27,70.158.194.0/24,192.168.0.0/24
    mynetworks_style = host
    newaliases_path = /usr/bin/newaliases
    owner_request_special = no
    queue_directory = /private/var/spool/postfix
    readme_directory = /usr/share/doc/postfix
    recipient_delimiter = +
    sample_directory = /usr/share/doc/postfix/examples
    sendmail_path = /usr/sbin/sendmail
    setgid_group = postdrop
    smtpd_client_restrictions = reject_non_fqdn_sender reject_unknown_sender_domain check_sender_access hash:/etc/postfix/sender_whitelist permit_mynetworks permit_sasl_authenticated reject_unauth_destination reject_rbl_client bl.spamcop.net reject_rbl_client dnsbl.sorbs.net reject_rbl_client cbl.abuseat.org reject_rbl_client dnsbl.njabl.org check_client_access hash:/etc/postfix/smtpdreject
    smtpd_helo_required = yes
    smtpd_helo_restrictions = reject_unknown_client
    smtpd_pw_server_security_options = gssapi,login
    smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination,permit
    smtpd_sasl_auth_enable = yes
    smtpd_tls_key_file =
    smtpd_use_pw_server = yes
    unknown_local_recipient_reject_code = 550

    >
    > Also note: This configuration assumes that smtpd_delay_reject =
    > yes, which is normally the Postfix default (I don't know what the
    > case is with OS X).
    >

    It is the same. Thanks.
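Jorey's point about restriction order, read against the postconf -n output above, comes down to how Postfix walks its restriction lists: each smtpd_*_restrictions list is evaluated in turn, and an OK from check_sender_access ends only the list it sits in. The following is an added illustration, not Postfix code and not from either poster; the sender address, client IP and whitelist entry are constructed, and access-table lookup is simplified to full address then domain.

```python
# Added illustration, not Postfix code: a minimal model of how Postfix walks
# its smtpd_*_restrictions lists when smtpd_delay_reject = yes. Lists run in
# the order client, helo, recipient; inside one list the first restriction
# returning OK or REJECT ends *that list only*, DUNNO moves on to the next.
def domain(addr):
    return addr.split("@")[-1]

# Subset of the restrictions seen in the postconf -n output. Access-table
# lookup is simplified to "full address, then domain" (hypothetical tables).
RULES = {
    "reject_unknown_client": lambda s: "DUNNO" if s["client_rdns"] else "REJECT",
    "reject_non_fqdn_sender": lambda s: "DUNNO" if "." in domain(s["sender"]) else "REJECT",
    "reject_unknown_sender_domain": lambda s: "DUNNO" if s["sender_resolves"] else "REJECT",
    "check_sender_access": lambda s, t: t.get(s["sender"], t.get(domain(s["sender"]), "DUNNO")),
    "check_client_access": lambda s, t: t.get(s["client_ip"], "DUNNO"),
    "permit_mynetworks": lambda s: "OK" if s["client_ip"] in s["mynetworks"] else "DUNNO",
    "permit_sasl_authenticated": lambda s: "OK" if s["sasl"] else "DUNNO",
    "reject_unauth_destination": lambda s: "DUNNO" if s["rcpt_local"] else "REJECT",
    "reject_rbl_client": lambda s, zone: "REJECT" if zone in s["rbl_listed_in"] else "DUNNO",
    "permit": lambda s: "OK",
}

def evaluate(lists, s):
    """Walk the restriction lists in order; return (verdict, list, restriction)."""
    for name, restrictions in lists.items():
        for r in restrictions:
            verdict = RULES[r[0]](s, *r[1:])
            if verdict == "REJECT":
                return "REJECT", name, r[0]
            if verdict == "OK":
                break                     # ends this list; the next list still runs
    return "OK", None, None

WHITELIST = {"friend@example.org": "OK"}  # constructed sender_whitelist entry
CONFIG = {                                # order taken from the postconf -n above
    "smtpd_client_restrictions": [
        ("reject_non_fqdn_sender",), ("reject_unknown_sender_domain",),
        ("check_sender_access", WHITELIST), ("permit_mynetworks",),
        ("permit_sasl_authenticated",), ("reject_unauth_destination",),
        ("reject_rbl_client", "bl.spamcop.net"), ("reject_rbl_client", "dnsbl.sorbs.net"),
        ("check_client_access", {})],
    "smtpd_helo_restrictions": [("reject_unknown_client",)],
    "smtpd_recipient_restrictions": [
        ("permit_sasl_authenticated",), ("permit_mynetworks",),
        ("reject_unauth_destination",), ("permit",)],
}

def problem_sender(client_rdns=True):
    """Constructed session: unauthenticated, outside mynetworks, RBL-listed, whitelisted."""
    return {"client_ip": "203.0.113.5", "client_rdns": client_rdns, "sasl": False,
            "mynetworks": {"127.0.0.1"}, "sender": "friend@example.org",
            "sender_resolves": True, "rcpt_local": True,
            "rbl_listed_in": {"bl.spamcop.net"}}
```

With the whitelist lookup ahead of the RBLs the constructed sender is accepted, but moving check_sender_access after reject_rbl_client makes the same session fail on the RBL, and even with the lookup in place a whitelisted client without reverse DNS is still rejected by reject_unknown_client in smtpd_helo_restrictions.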
