Wietse Venema via Postfix-users wrote in
 <4vkgxb47fdzj...@spike.porcupine.org>:
 |Mr. Peng via Postfix-users:
 |> I saw this configuration in our master.cf as follows.
 |>
 |> What's the difference between the option "smtpd_relay_restrictions" and
 |> "smtpd_recipient_restrictions"? In my opinion they both mean the sender
 |> must pass the smtp auth. Thanks.
 ...
 |You need to ask the distributor why they chose this. It is not
 |part of the Postfix source-code distribution.
 |
 |With the smtps (submissions) and submission services, either
 |
 | -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
 | -o smtpd_recipient_restrictions=
 |
 |or
 |
 | -o smtpd_relay_restrictions=
 | -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
 |
 |would be sufficient.
I have brought it down to (do not ask me whether I copied these notes
from some of the excellent README_FILES or what, I have forgotten):

  # RCPT TO checks, relay policy
  # Local clients and authenticated clients may specify any destination domain
  smtpd_relay_restrictions = ...

  # RCPT TO checks, spam blocking policy
  # Match fast for $mynetworks and authenticated clients.
  smtpd_recipient_restrictions = ...
  ...

Ha. Just in case of survey interest, here is most of a configuration
of a very tiny part of the internet that does not make any money and
has modest users:

  smtpd_relay_before_recipient_restrictions = yes
  smtpd_relay_restrictions =
    permit_mynetworks,
    reject_non_fqdn_recipient,
    reject_unauth_destination,
    permit
  smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_tls_clientcerts,
    reject_unknown_recipient_domain,
    permit

  # Clients connection checks
  smtpd_client_restrictions =
    # permit_inet_interfaces, OR
    permit_mynetworks,
    permit_tls_clientcerts,
    check_client_access lmdb:$meta_directory/client_restrict,
    reject_unknown_client_hostname,
    sleep 1,
    reject_rbl_client zen.spamhaus.org,
    reject_rbl_client dnsbl.sorbs.net,
    reject_unauth_pipelining,
    permit
  smtpd_data_restrictions =
    reject_unauth_pipelining,
    permit
  smtpd_helo_restrictions =
    # permit_inet_interfaces, OR
    permit_mynetworks,
    permit_tls_clientcerts,
    reject_invalid_helo_hostname,
    reject_non_fqdn_helo_hostname,
    reject_unknown_helo_hostname,
    permit

  # MAIL FROM Checks
  smtpd_sender_restrictions =
    # permit_inet_interfaces, OR
    permit_mynetworks,
    permit_tls_clientcerts,
    reject_non_fqdn_sender,
    check_sender_access inline:{$mydomain=reject},
    # Total no-goes database, eg: qq.com reject
    #check_sender_access lmdb:$meta_directory/sender_restrict,
    reject_unknown_sender_domain,
    reject_unknown_reverse_client_hostname,
    #GRAY: with --focus-sender only! And --msg-allow=permit
    check_policy_service unix:private/postgray,
    reject_unverified_sender,
    permit

  milter_default_action = accept
  milter_macro_daemon_name = sign
  non_smtpd_milters = unix:private/dkim-sign
  smtpd_milters = unix:private/dkim-sign
  smtpd_policy_service_default_action = DUNNO
  smtpd_authorized_verp_clients = 127.0.0.1

  address_verify_map = lmdb:$data_directory/verify_cache
  address_verify_cache_cleanup_interval = 86400s

  smtpd_tls_fingerprint_digest = sha256
  smtpd_tls_mandatory_protocols = >=TLSv1.2
  smtpd_tls_protocols = $smtpd_tls_mandatory_protocols
  tls_high_cipherlist = EECDH+AESGCM:EECDH+AES256:CHACHA20
  smtpd_tls_mandatory_ciphers = high
  smtpd_tls_mandatory_exclude_ciphers = DHE:TLSv1
  smtpd_tls_ciphers = $smtpd_tls_mandatory_ciphers
  smtpd_tls_exclude_ciphers = $smtpd_tls_mandatory_exclude_ciphers
  smtpd_tls_session_cache_database = lmdb:$data_directory/smtpd_scache
  smtpd_tls_session_cache_timeout = 3600s

  smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
  smtp_tls_security_level = may
  smtp_tls_fingerprint_digest = $smtpd_tls_fingerprint_digest
  smtp_tls_mandatory_protocols = $smtpd_tls_mandatory_protocols
  smtp_tls_protocols = $smtpd_tls_protocols
  smtp_tls_mandatory_ciphers = $smtpd_tls_mandatory_ciphers
  smtp_tls_mandatory_exclude_ciphers = $smtpd_tls_mandatory_exclude_ciphers
  smtp_tls_ciphers = $smtpd_tls_ciphers
  smtp_tls_exclude_ciphers = $smtpd_tls_exclude_ciphers
  smtp_tls_connection_reuse = yes
  smtp_tls_session_cache_database = lmdb:$data_directory/smtp_scache
  smtp_tls_session_cache_timeout = $smtpd_tls_session_cache_timeout

and master:

  ## STEFFEN {{{
  tlsproxy       unix  -  -  n  -  0  tlsproxy
    -o tlsproxy_tls_security_level=encrypt
  localhost:smtp inet  n  -  n  -  -  smtpd
    -o syslog_name=lhsmtp
  localhost:421  inet  n  -  n  -  -  smtpd
    -o syslog_name=lhlist
    -o smtpd_milters=unix:private/dkim-sign-list
  smtp           inet  n  -  n  -  -  smtpd
    -o syslog_name=outwall
    -o smtpd_tls_security_level=may
    -o milter_macro_daemon_name=verify
  192.0.2.1:submission inet n - n - - smtpd
    -o syslog_name=vpnsub
    -o smtpd_relay_restrictions=permit_mynetworks,reject_unauth_destination
    -o local_header_rewrite_clients=permit_mynetworks,permit_tls_clientcerts
    -o cleanup_service_name=vpnsub_cleanup
  vpnsub_cleanup unix  n  -  n  -  0  cleanup
    -o {header_checks=regexp:{{/^Received:/ IGNORE}} }
    -o masquerade_domains=$mydomain
  ## }}} /STEFFEN

  ## STEFFEN
  postgray       unix  -  n  n  -  -  spawn
    user=smtpd argv=/usr/libexec/s-postgray -R /etc/postfix/pg.rc
  dkim-sign      unix  -  n  n  -  -  spawn
    user=smtpd argv=/usr/libexec/s-dkim-sign -R /etc/postfix/dkim.rc
  dkim-sign-list unix  -  n  n  -  -  spawn
    user=smtpd argv=/usr/libexec/s-dkim-sign -R /etc/postfix/dkim.rc --header-seal=+
  ## /STEFFEN

Other boxes only relay to that one via VPN.

Thanks!

--steffen
|
|Der Kragenbaer,                The moon bear,
|der holt sich munter           he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
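As an added illustration of why Wietse's two submission variants are equivalent, and of how the relay-first ordering in the configuration above decides a RCPT TO, here is a small Python model of Postfix restriction-list evaluation (example code written for this page, not Postfix's own; only the keywords used in this thread are modelled, and the $mynetworks and $mydestination values are constructed):

```python
# Toy model of Postfix RCPT TO restriction evaluation: each list is walked in order and the
# first verdict wins; the relay list runs first (smtpd_relay_before_recipient_restrictions = yes).
import ipaddress
from collections import namedtuple
MYNETWORKS = ["127.0.0.0/8", "192.0.2.0/24"]   # constructed $mynetworks
LOCAL_DOMAINS = {"example.org"}                # constructed $mydestination
KNOWN = {"permit_mynetworks", "permit_sasl_authenticated", "reject_non_fqdn_recipient",
         "reject_unauth_destination", "permit", "reject"}
Rcpt = namedtuple("Rcpt", "client_ip recipient sasl_authenticated", defaults=(False,))

def parse(value):
    """Turn a main.cf or -o value like 'permit_mynetworks, reject' into a keyword list."""
    return [w.strip() for w in value.split(",") if w.strip()]

def evaluate(restrictions, r):
    """First keyword that yields a verdict wins; an exhausted list yields 'dunno' (no decision)."""
    domain = r.recipient.rpartition("@")[2]
    in_mynets = any(ipaddress.ip_address(r.client_ip) in ipaddress.ip_network(n) for n in MYNETWORKS)
    for word in restrictions:
        if word not in KNOWN:
            raise ValueError(f"keyword not modelled: {word}")
        if word == "permit_mynetworks" and in_mynets:
            return "permit"
        if word == "permit_sasl_authenticated" and r.sasl_authenticated:
            return "permit"
        if word == "reject_non_fqdn_recipient" and "." not in domain:
            return "reject"
        if word == "reject_unauth_destination" and domain not in LOCAL_DOMAINS:
            return "reject"
        if word in ("permit", "reject"):
            return word
    return "dunno"

def rcpt_decision(relay_restrictions, recipient_restrictions, r):
    """Both lists must pass: 'permit' or 'dunno' ends only its own list, 'reject' ends the RCPT."""
    for lst in (relay_restrictions, recipient_restrictions):
        if evaluate(lst, r) == "reject":
            return "reject"
    return "permit"

def open_relay(relay_restrictions, recipient_restrictions):
    """True when an unauthenticated stranger may relay to a non-local domain (the failure mode to avoid)."""
    stranger = Rcpt("203.0.113.5", "someone@elsewhere.test")
    return rcpt_decision(relay_restrictions, recipient_restrictions, stranger) == "permit"
# Wietse's two equivalent submission variants, then Steffen's inbound and vpnsub lists (unmodelled keywords omitted)
OPTION_A = (parse("permit_sasl_authenticated,reject"), parse(""))
OPTION_B = (parse(""), parse("permit_sasl_authenticated,reject"))
STEFFEN = (parse("permit_mynetworks, reject_non_fqdn_recipient, reject_unauth_destination, permit"),
           parse("permit_mynetworks, permit"))
VPNSUB = (parse("permit_mynetworks,reject_unauth_destination"), parse(""))
```

Running `open_relay` over a candidate pair of lists is a quick sanity check before deploying a master.cf override: an unauthenticated client from outside $mynetworks must never get "permit" for a non-local recipient.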