Wietse Venema via Postfix-users wrote in
 <4vkgxb47fdzj...@spike.porcupine.org>:
 |Mr. Peng via Postfix-users:
 |> I saw this configuration in our master.cf as follows.
 |> 
 |> What's the difference between the option "smtpd_relay_restrictions" and
 |> "smtpd_recipient_restrictions"? In my opinion they both mean the sender
 |> must pass the smtp auth. Thanks.
 ...
 |You need to ask the distributor why they chose this.  It is not
 |part of the Postfix source-code distribution.
 |
 |With the smtps (submissions) and submission services, either
 |
 |  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
 |  -o smtpd_recipient_restrictions=
 |
 |or 
 |
 |    -o smtpd_relay_restrictions=
 |    -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
 |
 |would be sufficient.

I have brought it down to (do not ask me whether i copied these
notes from some of the excellent README_FILES or what, i have
forgotten):

  # RCPT TO checks, relay policy
  # Local clients and authenticated clients may specify any destination domain
  smtpd_relay_restrictions =
  ...

  # RCPT TO checks, spam blocking policy
  # Match fast for $mynetworks and authenticated clients.
  smtpd_recipient_restrictions =
  ...


...

Ha.  Just in case of survey interest, here is most of
a configuration of a very tiny part of the internet that does not
make any money and has modest users:

  smtpd_relay_before_recipient_restrictions = yes
  smtpd_relay_restrictions =
     permit_mynetworks,
     reject_non_fqdn_recipient,
     reject_unauth_destination,
     permit
  smtpd_recipient_restrictions =
     permit_mynetworks,
     permit_tls_clientcerts,
     reject_unknown_recipient_domain,
     permit

  # Clients connection checks
  smtpd_client_restrictions =
  #   permit_inet_interfaces, OR
     permit_mynetworks,
     permit_tls_clientcerts,
     check_client_access lmdb:$meta_directory/client_restrict,
     reject_unknown_client_hostname,
     sleep 1,
     reject_rbl_client zen.spamhaus.org,
     reject_rbl_client dnsbl.sorbs.net,
     reject_unauth_pipelining,
     permit

  smtpd_data_restrictions =
     reject_unauth_pipelining,
     permit

  smtpd_helo_restrictions =
  #   permit_inet_interfaces, OR
     permit_mynetworks,
     permit_tls_clientcerts,
     reject_invalid_helo_hostname,
     reject_non_fqdn_helo_hostname,
     reject_unknown_helo_hostname,
     permit

  # MAIL FROM Checks
  smtpd_sender_restrictions =
  #   permit_inet_interfaces, OR
     permit_mynetworks,
     permit_tls_clientcerts,
     reject_non_fqdn_sender,
     check_sender_access inline:{$mydomain=reject},
     # Total no-goes database, eg: qq.com reject
     #check_sender_access lmdb:$meta_directory/sender_restrict,
     reject_unknown_sender_domain,
     reject_unknown_reverse_client_hostname,
     #GRAY: with --focus-sender only!  And --msg-allow=permit
     check_policy_service unix:private/postgray,
     reject_unverified_sender,
     permit

  milter_default_action = accept
  milter_macro_daemon_name = sign
  non_smtpd_milters = unix:private/dkim-sign
  smtpd_milters = unix:private/dkim-sign
  
  smtpd_policy_service_default_action = DUNNO
  
  smtpd_authorized_verp_clients = 127.0.0.1
  
  address_verify_map = lmdb:$data_directory/verify_cache
  address_verify_cache_cleanup_interval = 86400s
  
  smtpd_tls_fingerprint_digest = sha256
  smtpd_tls_mandatory_protocols = >=TLSv1.2
  smtpd_tls_protocols = $smtpd_tls_mandatory_protocols
  tls_high_cipherlist = EECDH+AESGCM:EECDH+AES256:CHACHA20
  smtpd_tls_mandatory_ciphers = high
  smtpd_tls_mandatory_exclude_ciphers = DHE:TLSv1
  smtpd_tls_ciphers = $smtpd_tls_mandatory_ciphers
  smtpd_tls_exclude_ciphers = $smtpd_tls_mandatory_exclude_ciphers
  smtpd_tls_session_cache_database = lmdb:$data_directory/smtpd_scache
  smtpd_tls_session_cache_timeout = 3600s

  smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
  smtp_tls_security_level = may
  smtp_tls_fingerprint_digest = $smtpd_tls_fingerprint_digest
  smtp_tls_mandatory_protocols = $smtpd_tls_mandatory_protocols
  smtp_tls_protocols = $smtpd_tls_protocols
  smtp_tls_mandatory_ciphers = $smtpd_tls_mandatory_ciphers
  smtp_tls_mandatory_exclude_ciphers = $smtpd_tls_mandatory_exclude_ciphers
  smtp_tls_ciphers = $smtpd_tls_ciphers
  smtp_tls_exclude_ciphers = $smtpd_tls_exclude_ciphers
  smtp_tls_connection_reuse = yes
  smtp_tls_session_cache_database = lmdb:$data_directory/smtp_scache
  smtp_tls_session_cache_timeout = $smtpd_tls_session_cache_timeout

and master:

  ## STEFFEN {{{
  tlsproxy unix - - n - 0 tlsproxy
   -o tlsproxy_tls_security_level=encrypt
  localhost:smtp inet n - n - - smtpd
   -o syslog_name=lhsmtp
  localhost:421 inet n - n - - smtpd
   -o syslog_name=lhlist
   -o smtpd_milters=unix:private/dkim-sign-list
  smtp inet n - n - - smtpd
   -o syslog_name=outwall
   -o smtpd_tls_security_level=may
   -o milter_macro_daemon_name=verify
  192.0.2.1:submission inet n - n - - smtpd
   -o syslog_name=vpnsub
   -o smtpd_relay_restrictions=permit_mynetworks,reject_unauth_destination
   -o local_header_rewrite_clients=permit_mynetworks,permit_tls_clientcerts
   -o cleanup_service_name=vpnsub_cleanup
  vpnsub_cleanup unix n - n - 0 cleanup
   -o {header_checks=regexp:{{/^Received:/ IGNORE}} }
   -o masquerade_domains=$mydomain
  ## }}} /STEFFEN
  
  ## STEFFEN
  postgray unix - n n - - spawn
    user=smtpd argv=/usr/libexec/s-postgray -R /etc/postfix/pg.rc
  dkim-sign unix - n n - - spawn
    user=smtpd argv=/usr/libexec/s-dkim-sign -R /etc/postfix/dkim.rc
  dkim-sign-list unix - n n - - spawn
    user=smtpd argv=/usr/libexec/s-dkim-sign -R /etc/postfix/dkim.rc --header-seal=+
  ## /STEFFEN

Other boxes only relay to that one via VPN.

Thanks!

--steffen
|
|Der Kragenbaer,                The moon bear,
|der holt sich munter           he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)
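As an added example (not code from the Postfix project or from anyone in this thread), here is a small Python checker for the one property the thread turns on: that a client which is neither in $mynetworks, nor SASL-authenticated, nor certificate-authenticated cannot relay. It parses main.cf-style settings with indented continuation lines and applies the rule that a RCPT TO command is accepted only when every RCPT TO restriction list permits it (or runs out), so one list containing reject_unauth_destination, defer_unauth_destination or an unconditional reject is enough regardless of the order selected with smtpd_relay_before_recipient_restrictions. The sample configurations are constructed: three transcribe the lists quoted above (Wietse's two master.cf -o variants are written as main.cf settings), and one is a deliberately weak configuration for contrast. Treating access-table and policy-service results as "no decision" is this checker's assumption, not Postfix behaviour; a table that returns OK does permit, so those tables need a separate look.

```python
"""Static open-relay check for the RCPT TO restriction lists in a Postfix
main.cf excerpt.  Added example for this thread; not Postfix project code.
"""
import re
import textwrap
from typing import Dict, List

# Restrictions only a trusted or authenticated client can satisfy; an
# untrusted client falls through them without a decision.
TRUSTED_PERMITS = {
    "permit_mynetworks", "permit_sasl_authenticated", "permit_tls_clientcerts",
    "permit_tls_all_clientcerts", "permit_inet_interfaces", "permit_auth_destination",
}
# Restrictions that settle the relay question for an untrusted client.
RELAY_GUARDS = {"reject_unauth_destination", "defer_unauth_destination"}
UNCONDITIONAL_REJECTS = {"reject", "defer", "defer_if_permit"}
# Restrictions that consume one argument (table, server, zone, delay).
ARG_PREFIXES = ("check_", "reject_rbl_", "reject_rhsbl_", "permit_dnswl_", "permit_rhswl_")
ARG_NAMES = {"sleep"}


def parse_main_cf(text: str) -> Dict[str, str]:
    """Parse "name = value" lines.  An indented line continues the previous
    value; lines starting with '#' are dropped, even inside a continued
    value (the layout used in the post)."""
    params: Dict[str, str] = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and current is not None:
            params[current] += " " + raw.strip()
            continue
        name, _, value = raw.partition("=")
        current = name.strip()
        params[current] = value.strip()
    return params


def tokenize(value: str) -> List[str]:
    """Split a restriction list on commas and whitespace."""
    return [t for t in re.split(r"[\s,]+", value) if t]


def blocks_untrusted_relay(tokens: List[str]) -> bool:
    """True if this list rejects or defers an untrusted client before it can
    reach an unconditional "permit" or the end of the list."""
    it = iter(tokens)
    for tok in it:
        if tok in RELAY_GUARDS or tok in UNCONDITIONAL_REJECTS:
            return True
        if tok == "permit":
            return False
        if tok in ARG_NAMES or tok.startswith(ARG_PREFIXES):
            # Assumption: lookup and policy results are unknown here, so the
            # argument is skipped and the restriction counts as no decision.
            next(it, None)
        # TRUSTED_PERMITS and conditional reject_* entries: no decision for
        # an untrusted client relaying to a foreign domain.
    # Postfix permits when a list is exhausted without a decision.
    return False


def is_open_relay(params: Dict[str, str]) -> bool:
    """A RCPT TO is accepted only when every RCPT TO list permits it (or is
    exhausted), so one blocking list suffices whatever the evaluation order
    set by smtpd_relay_before_recipient_restrictions."""
    lists = (tokenize(params.get("smtpd_relay_restrictions", "")),
             tokenize(params.get("smtpd_recipient_restrictions", "")))
    return not any(blocks_untrusted_relay(t) for t in lists)


def audit(text: str) -> Dict[str, bool]:
    """Per-list and overall verdict for a main.cf excerpt."""
    params = parse_main_cf(text)
    return {
        "relay_list_blocks": blocks_untrusted_relay(
            tokenize(params.get("smtpd_relay_restrictions", ""))),
        "recipient_list_blocks": blocks_untrusted_relay(
            tokenize(params.get("smtpd_recipient_restrictions", ""))),
        "open_relay": is_open_relay(params),
    }


# Constructed samples.  The first transcribes the RCPT TO lists quoted in
# the thread; the next two are Wietse's submission-service variants written
# as main.cf settings instead of master.cf "-o" overrides.
SAMPLE_THREAD = textwrap.dedent("""\
    smtpd_relay_before_recipient_restrictions = yes
    smtpd_relay_restrictions =
       permit_mynetworks,
       reject_non_fqdn_recipient,
       reject_unauth_destination,
       permit
    smtpd_recipient_restrictions =
       permit_mynetworks,
       permit_tls_clientcerts,
       reject_unknown_recipient_domain,
       permit
    """)
SAMPLE_RELAY_ONLY = ("smtpd_relay_restrictions = permit_sasl_authenticated, reject\n"
                     "smtpd_recipient_restrictions =\n")
SAMPLE_RCPT_ONLY = ("smtpd_relay_restrictions =\n"
                    "smtpd_recipient_restrictions = permit_sasl_authenticated, reject\n")
# Constructed weak configuration: both lists end in an unconditional permit
# and neither contains reject_unauth_destination.
SAMPLE_WEAK = ("smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, permit\n"
               "smtpd_recipient_restrictions = permit_mynetworks, reject_unknown_recipient_domain, permit\n")

if __name__ == "__main__":
    for name, text in (("thread", SAMPLE_THREAD), ("relay-only", SAMPLE_RELAY_ONLY),
                       ("recipient-only", SAMPLE_RCPT_ONLY), ("weak", SAMPLE_WEAK)):
        print(f"{name:15s} {audit(text)}")
```

Run it against a real main.cf with `audit(open('/etc/postfix/main.cf').read())`; per-service `-o` overrides from master.cf are not read, so check those services by pasting their overridden lists in.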
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org