Re: Trying to let a "friendly" mail server in and it ain't working....

From: mouss (no email)
Date: Sun Sep 28 2008 - 11:41:50 EDT

  • Next message: Dan Langille: "ignoring client restrictions for smtps"

    Brian Evans wrote:
    > Peter L. Berghold wrote:
    >> Brian Evans - Postfix List wrote:
    >>> Without a current 'postconf -n', no one here can tell you.
    > [...]
    >> relay_domains =,
    > No relay_recipient_maps could make you an (out|back)scatter source.
    >> smtpd_helo_restrictions = permit_mynetworks, reject_invalid_hostname,
    >> reject_unknown_hostname
    > The problem comes from reject_unknown_hostname in this case. You don't
    > have a check_helo_access map before it to whitelist the client in question.

    he'd better whitelist the client IP. but reject_unknown_hostname is
    known to cause FPs, or at least delay mail in case of temp failures...

    >> smtpd_recipient_restrictions = check_sender_access
    >> hash:/etc/postfix/access, permit_mynetworks,
    >> permit_sasl_authenticated, reject_unauth_destination,
    >> reject_unauth_pipelining, reject_non_fqdn_sender,
    >> reject_non_fqdn_recipient, reject_unknown_recipient_domain,
    >> reject_invalid_hostname, reject_rbl_client,
    >> reject_rbl_client, reject_rbl_client,
    >> reject_rbl_client, reject_rbl_client
    >>, reject_rbl_client,
    >> reject_rbl_client, reject_rbl_client,
    >> permit
    > BTW, since you are using check_sender_access, this only ever matches
    > ENVELOPE sender, never which machine is doing the sending.
    > In addition, putting the check BEFORE reject_unauth_destination with an
    > OK makes you an open relay for any forged domains in that access file.

    and reject_unauth_pipelining is useless here. sounds like a
    cut-and-paste from a how[not]to ;-p
    > Also, and * are dead, remove those checks to
    > save a little overhead and possible false positives in the future.

    so is
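
The ordering problems raised in this thread can be checked mechanically. The lint below is an added example, not code from any poster or from Postfix: it flags check_sender_access placed ahead of reject_unauth_destination, and reject_unknown_hostname with no client or HELO access map ahead of it. The sample configurations, the dnsbl.example zone, the map paths and the finding names are constructed for illustration.

```python
import re

# Constructed samples in `postconf -n` style (not the poster's real output);
# dnsbl.example and the map paths are placeholders.
WEAK = """\
smtpd_helo_restrictions = permit_mynetworks, reject_invalid_hostname,
    reject_unknown_hostname
smtpd_recipient_restrictions = check_sender_access hash:/etc/postfix/access,
    permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination,
    reject_rbl_client dnsbl.example, permit
"""
FIXED = """\
smtpd_helo_restrictions = permit_mynetworks,
    check_client_access cidr:/etc/postfix/client_access,
    reject_invalid_hostname, reject_unknown_hostname
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated,
    reject_unauth_destination, check_sender_access hash:/etc/postfix/access,
    reject_rbl_client dnsbl.example, permit
"""

def parse(text):
    """Return {parameter: [tokens]}, joining whitespace-led continuation lines."""
    params, name = {}, None
    for line in text.splitlines():
        if line[:1].isspace() and name:
            params[name] += re.split(r"[,\s]+", line.strip())
        elif "=" in line:
            name, value = (s.strip() for s in line.split("=", 1))
            params[name] = re.split(r"[,\s]+", value)
    return {k: [t for t in v if t] for k, v in params.items()}

def pos(tokens, name):
    """Index of a restriction in the list, or len(tokens) if it is absent."""
    return tokens.index(name) if name in tokens else len(tokens)

def lint(text):
    p, findings = parse(text), []
    rcpt = p.get("smtpd_recipient_restrictions", [])
    helo = p.get("smtpd_helo_restrictions", [])
    # An OK from a sender map ends evaluation before the relay check is reached.
    if pos(rcpt, "check_sender_access") < pos(rcpt, "reject_unauth_destination"):
        findings.append("sender-map-before-relay-check")
    # The friendly client needs an allow rule ahead of the HELO hostname lookup.
    allow = min(pos(helo, "check_client_access"), pos(helo, "check_helo_access"))
    if "reject_unknown_hostname" in helo and allow > pos(helo, "reject_unknown_hostname"):
        findings.append("no-allowlist-before-helo-check")
    return findings
```

The first finding only matters when the sender map can return OK; a map holding nothing but REJECT entries is harmless in that position.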
