From: Jorey Bump (no email)
Date: Tue May 01 2007 - 08:44:51 EDT

Dennis Putnam wrote:
>
> On Apr 30, 2007, at 2:15 PM, Jorey Bump wrote:
>>
>> I prefer to put my RBLs at the end of smtpd_recipient_restrictions and
>> exempt anything I need before it (also in
>> smtpd_recipient_restrictions). I don't change the other
>> smtpd_*_restrictions from their defaults, but if I did, I'd try to use
>> them only for obvious rejections. This is a matter of taste. I
>> typically use this configuration:
>>
>> smtpd_recipient_restrictions =
>>     reject_non_fqdn_sender
>>     reject_unlisted_sender
>>     reject_unknown_sender_domain
>>     reject_unknown_recipient_domain
>>     reject_unlisted_recipient
>>     permit_mynetworks
>>     permit_sasl_authenticated
>>     reject_unauth_destination
>>     check_helo_access pcre:/etc/postfix/helo
>>     check_sender_access hash:/etc/postfix/sender
>>     reject_rbl_client rbl1.example.org
>>     reject_rbl_client rbl2.example.net
>>
>
> I took your advice and modified (best I could as it appears you are
> using v 2.3, I think mine is 2.1) my main.cf to match. Unfortunately the
> 'check_sender_access' is still not working.

You are still using smtpd_client_restrictions, though. Note that my
example uses smtpd_recipient_restrictions. All you should need to do now
is change this to smtpd_recipient_restrictions:

> smtpd_client_restrictions = reject_non_fqdn_sender
>     reject_unknown_sender_domain check_sender_access
>     hash:/etc/postfix/sender_whitelist permit_mynetworks
>     permit_sasl_authenticated reject_unauth_destination
>     reject_rbl_client bl.spamcop.net reject_rbl_client
>     dnsbl.sorbs.net reject_rbl_client cbl.abuseat.org
>     reject_rbl_client dnsbl.njabl.org check_client_access
>     hash:/etc/postfix/smtpdreject

And simply delete or comment out this line:

> smtpd_recipient_restrictions =
>     permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination,permit

You might still have a bit of tweaking to do, but this should give you a
working configuration. Be especially careful with what you put in your
whitelist. Rejections are easy to manage, but whitelisting can allow
unauthorized relaying if done improperly.
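
The relaying risk named in the closing paragraph comes down to list order: an access map that returns OK ends evaluation of the restriction list, so a sender whitelist placed ahead of reject_unauth_destination accepts mail for any destination. The following checker is an added example, not part of the original message or of Postfix; its function names and the set of restrictions it treats as forgeable are assumptions of the example, and the two sample lists are taken from the orders quoted in the thread.

```python
import re

# Lookups keyed on values the remote client supplies (envelope addresses, HELO
# name). Treating exactly this set as forgeable is this example's assumption.
FORGEABLE = {"check_sender_access", "check_recipient_access", "check_helo_access"}
GUARD = "reject_unauth_destination"

def parse_param(main_cf, name):
    """Return the tokens of one main.cf parameter, joining continuation lines."""
    value, active = [], False
    for line in main_cf.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue                    # blank/comment lines do not end a value
        if line[0] in " \t":            # leading whitespace continues the value
            if active:
                value.append(line)
            continue
        key, sep, rest = line.partition("=")
        active = bool(sep) and key.strip() == name
        if active:
            value = [rest]              # a later definition replaces an earlier one
    return [t for t in re.split(r"[,\s]+", " ".join(value)) if t]

def relay_findings(tokens):
    """List restrictions that can accept mail before the relay check runs."""
    findings = []
    for i, tok in enumerate(tokens):
        if tok == GUARD:
            return findings             # later entries only see authorized destinations
        if tok in FORGEABLE:
            table = tokens[i + 1] if i + 1 < len(tokens) else "?"
            findings.append(f"{tok} {table}: an OK result skips {GUARD}")
        elif tok == "permit":
            findings.append(f"permit: accepts mail before {GUARD}")
    return findings + [f"{GUARD} not present in this list"]

# Order of the quoted smtpd_client_restrictions line under the new name (head only).
RENAMED = """smtpd_recipient_restrictions = reject_non_fqdn_sender
  reject_unknown_sender_domain check_sender_access
  hash:/etc/postfix/sender_whitelist permit_mynetworks
  permit_sasl_authenticated reject_unauth_destination
"""
# Order of the earlier example in the thread (abbreviated).
EXAMPLE = """smtpd_recipient_restrictions =
  permit_mynetworks permit_sasl_authenticated
  reject_unauth_destination
  check_sender_access hash:/etc/postfix/sender
"""

if __name__ == "__main__":
    for cf in (RENAMED, EXAMPLE):
        print(relay_findings(parse_param(cf, "smtpd_recipient_restrictions")))
```

The checker sees only the order of the list, not the map contents: a table that holds nothing but REJECT entries is harmless in either position, while one with OK entries is safe only after reject_unauth_destination.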