From: Dennis Putnam (no email)
Date: Tue May 01 2007 - 09:21:20 EDT
On May 1, 2007, at 8:44 AM, Jorey Bump wrote:
>
>
> You are still using smtpd_client_restrictions, though. Note that my
> example uses smtpd_recipient_restrictions.
Doh! How dumb was that?
> All you should need to do now is change this to
> smtpd_recipient_restrictions:
>
> And simply delete or comment out this line:
>
>> smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination,permit
This creates new problems. I thought I understood what these
parameters did from the documentation but clearly I am not
understanding the docs at all. If I remove 'permit_mynetworks' then
all outgoing mail gets a relay denied error. If I remove
'reject_unauth_destination' I get this:
May 1 08:58:20 xserveoda postfix/smtpd[4921]: fatal: parameter "smtpd_recipient_restrictions": specify at least one working instance of: check_relay_domains, reject_unauth_destination, reject, defer or defer_if_permit
I guess removing the sasl statement is the only one that doesn't seem
to cause a problem. However, my problem user is still a problem.
May 1 08:54:35 xserveoda postfix/smtpd[4785]: NOQUEUE: reject: RCPT from imf24aec.mail.bellsouth.net[205.152.59.72]: 554 Service unavailable; Client host [205.152.59.72] blocked using dnsbl.sorbs.net; Spam Received Recently See: http://www.sorbs.net/lookup.shtml?205.152.59.72 / Escalated Listing (Spam or Spam Support) See: http://www.sorbs.net/lookup.shtml?205.152.59.72; from=<> to=<> proto=ESMTP helo=<imf24aec.mail.bellsouth.net>
Here's a new 'postconf -n':
alias_maps = hash:/etc/aliases,hash:/var/mailman/data/aliases
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
enable_server_options = yes
html_directory = no
inet_interfaces = all
mail_owner = postfix
mailbox_size_limit = 0
mailbox_transport = cyrus
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
message_size_limit = 26214400
mydestination = $myhostname,localhost.$mydomain,localhost,xserveoda.aimaudit.com,mail.aimaudit.com,aimaudit.com
mydomain = aimaudit.com
mydomain_fallback = localhost
myhostname = xserveoda.aimaudit.com
mynetworks = 127.0.0.1/32,66.255.181.64/28,72.158.55.128/27,70.158.194.0/24,192.168.0.0/24
mynetworks_style = host
newaliases_path = /usr/bin/newaliases
owner_request_special = no
queue_directory = /private/var/spool/postfix
readme_directory = /usr/share/doc/postfix
recipient_delimiter = +
sample_directory = /usr/share/doc/postfix/examples
sendmail_path = /usr/sbin/sendmail
setgid_group = postdrop
smtpd_helo_required = yes
smtpd_helo_restrictions = reject_unknown_client
smtpd_pw_server_security_options = gssapi,login
smtpd_recipient_restrictions = reject_non_fqdn_sender reject_unknown_sender_domain check_sender_access hash:/etc/postfix/sender_whitelist permit_mynetworks reject_unauth_destination reject_rbl_client bl.spamcop.net reject_rbl_client dnsbl.sorbs.net reject_rbl_client cbl.abuseat.org reject_rbl_client dnsbl.njabl.org check_client_access hash:/etc/postfix/smtpdreject
smtpd_sasl_auth_enable = yes
smtpd_tls_key_file =
smtpd_use_pw_server = yes
unknown_local_recipient_reject_code = 550
>
> You might still have a bit of tweaking to do, but this should give
> you a working configuration. Be especially careful with what you
> put in your whitelist. Rejections are easy to manage, but
> whitelisting can allow unauthorized relaying if done improperly.
>
Could you elaborate a little on this? As long as I don't use
wildcards in my white list, am I not safe? Also, just as a refresher,
once again here is my current sender_whitelist file:
# This is a list of senders that will be accepted even if the server has
# been blacklisted.
#
# REMEMBER to run 'make' after changes
#
permit_auth_destination
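
Added example, not part of the original message and not Postfix's own code: a small Python check for the whitelisting risk raised in the quoted advice. It flags access-table entries that return an unconditional permit (OK, an all-numeric result, or permit) from a table consulted before the first relay guard in smtpd_recipient_restrictions. The helper names, table contents and addresses are constructed for illustration.

```python
import re

# Restrictions that stop unauthorized relaying (the set named in the fatal error above).
RELAY_GUARDS = {"check_relay_domains", "reject_unauth_destination",
                "reject", "defer", "defer_if_permit"}

def parse_restrictions(value):
    """Split a restriction list on commas/whitespace, pairing check_*_access with its table."""
    tokens = [t for t in re.split(r"[,\s]+", value.strip()) if t]
    out, i = [], 0
    while i < len(tokens):
        if re.fullmatch(r"check_\w+_access", tokens[i]) and i + 1 < len(tokens):
            out.append((tokens[i], tokens[i + 1]))
            i += 2
        else:
            out.append((tokens[i], None))
            i += 1
    return out

def parse_access_map(text):
    """Return (key, action) pairs from access(5) table source, skipping comments."""
    rows = (l.split(None, 1) for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#"))
    return [(r[0], r[1].strip()) for r in rows if len(r) == 2]

def unconditional_permit(action):
    """True when a table result accepts the mail without testing the destination."""
    word = action.split()[0]
    return word.upper() == "OK" or word.isdigit() or word == "permit"

def find_relay_bypasses(restrictions, tables):
    """Flag table entries that can permit mail before any relay guard is evaluated."""
    findings = []
    for name, table in parse_restrictions(restrictions):
        if name in RELAY_GUARDS:
            break  # mail to unauthorized destinations is stopped from here on
        for key, action in parse_access_map(tables.get(table, "")):
            if unconditional_permit(action):
                findings.append((name, table, key, action))
    return findings

# Constructed sample: restriction order as in the posted 'postconf -n' (shortened);
# table entries and addresses are placeholders, not taken from the message.
RESTRICTIONS = ("reject_non_fqdn_sender check_sender_access hash:/etc/postfix/sender_whitelist "
                "permit_mynetworks reject_unauth_destination reject_rbl_client dnsbl.sorbs.net "
                "check_client_access hash:/etc/postfix/smtpdreject")
TABLES = {"hash:/etc/postfix/sender_whitelist":
              "# constructed\npartner@example.com permit_auth_destination\nfriend@example.net OK\n",
          "hash:/etc/postfix/smtpdreject": "192.0.2.10 OK\n"}
```

Only the `friend@example.net OK` entry is reported: the envelope sender is supplied by the client, so an OK result ahead of reject_unauth_destination accepts mail for any destination, while permit_auth_destination accepts only mail for destinations the server already handles.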