I think I got it.
On Sun, 2009-02-15 at 07:28 -0500, Digest of postfix-users list wrote:
> I meant that if you have a line like
>
> mydomain.example OK
>
> in /etc/postfix/access, then anyone gets free relay by forging an
> address in this domain.
>
> In short, avoid putting check_sender_access in
> smtpd_recipient_restrictions before reject_unauth_destination.
>
> >> better move these checks to smtpd_sender_restrictions.
> >>
> >>
> >
> > in /etc/postfix/access_client we have a few IPs that we permit with
> > "OK".
>
> my remark applies to maps used in check_sender_access, because a sender
> address is easily forged.
I have these rules for now:
smtpd_client_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    check_client_access hash:/etc/postfix/access,
    reject_unauth_pipelining,
    # reject_unknown_client,
    reject_rbl_client sbl-xbl.spamhaus.org,
    reject_rbl_client rbl-plus.mail-abuse.org,
    reject_rbl_client cbl.abuseat.org,
    # reject_rbl_client list.dsbl.org,
    # reject_rhsbl_sender dsn.rfc-ignorant.org,
    permit
smtpd_helo_required = yes
smtpd_helo_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    check_helo_access hash:/etc/postfix/access_helo,
    reject_invalid_hostname,
    # reject_unknown_hostname,
    # reject_non_fqdn_hostname,
    reject_unauth_pipelining,
    permit
smtpd_sender_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    check_sender_access hash:/etc/postfix/access,
    check_client_access cidr:/etc/postfix/access_client,
    reject_sender_login_mismatch,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    reject_unauth_pipelining,
    permit
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    check_recipient_access hash:/etc/postfix/access,
    reject_unauth_destination,
    reject_unknown_recipient_domain,
    reject_non_fqdn_recipient,
    reject_unauth_pipelining,
    permit
/etc/postfix/access is empty. I have not set any IPs/domains to OK there.
I have set these IPs only in /etc/postfix/access_client.
So, you suggest changing it this way:
smtpd_client_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    check_client_access hash:/etc/postfix/access,
    reject_unauth_pipelining,
    # reject_unknown_client,
    reject_rbl_client sbl-xbl.spamhaus.org,
    reject_rbl_client rbl-plus.mail-abuse.org,
    reject_rbl_client cbl.abuseat.org,
    # reject_rbl_client list.dsbl.org,
    # reject_rhsbl_sender dsn.rfc-ignorant.org,
    permit
smtpd_helo_required = yes
smtpd_helo_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    check_helo_access hash:/etc/postfix/access_helo,
    reject_invalid_hostname,
    # reject_unknown_hostname,
    # reject_non_fqdn_hostname,
    reject_unauth_pipelining,
    permit
smtpd_sender_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    check_sender_access hash:/etc/postfix/access,
    check_client_access cidr:/etc/postfix/access_client,
    reject_sender_login_mismatch,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    reject_unauth_pipelining,
    permit
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    check_recipient_access hash:/etc/postfix/access,
    check_sender_access hash:/etc/postfix/access,
    reject_unauth_destination,
    reject_unknown_recipient_domain,
    reject_non_fqdn_recipient,
    reject_unauth_pipelining,
    permit
?
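An added ordering check for the relay problem the reply describes (editor's example, not code from the thread or from Postfix): it parses main.cf-style restriction lists and flags any check_sender_access lookup, and by the same reasoning check_helo_access, that is evaluated before reject_unauth_destination in smtpd_recipient_restrictions. The two config fragments are constructed; RISKY mirrors the ordering proposed at the end of the message, SAFE keeps the sender lookup in smtpd_sender_restrictions only, and whether /etc/postfix/access currently holds OK entries does not change the finding.

```python
# Constructed main.cf fragments, not the poster's literal configuration.
RISKY = """\
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    check_recipient_access hash:/etc/postfix/access,
    check_sender_access hash:/etc/postfix/access,
    reject_unauth_destination,
    reject_non_fqdn_recipient,
    permit
"""
SAFE = """\
smtpd_sender_restrictions =
    permit_mynetworks,
    check_sender_access hash:/etc/postfix/access,
    permit
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    check_recipient_access hash:/etc/postfix/access,
    permit
"""

# Lookups keyed on strings the remote client chooses freely (envelope sender,
# HELO name). An OK result from one of these, reached before
# reject_unauth_destination, permits relay for anyone who forges the value.
FORGEABLE_LOOKUPS = {"check_sender_access", "check_helo_access"}

def parse_main_cf(text):
    """Map parameter name -> value tokens (commas stripped). Continuation
    lines start with whitespace, as Postfix requires; '#' lines are skipped."""
    params, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and current is not None:
            params[current] += raw.split()
            continue
        current, _, value = raw.partition("=")
        current = current.strip()
        params[current] = value.split()
    return {k: [t.rstrip(",") for t in v if t.rstrip(",")] for k, v in params.items()}

def relay_findings(main_cf_text):
    """Findings about relay control ordering in smtpd_recipient_restrictions."""
    tokens = parse_main_cf(main_cf_text).get("smtpd_recipient_restrictions", [])
    if "reject_unauth_destination" not in tokens:
        return ["smtpd_recipient_restrictions lacks reject_unauth_destination"]
    cutoff = tokens.index("reject_unauth_destination")
    findings = []
    for i, tok in enumerate(tokens[:cutoff]):
        if tok in FORGEABLE_LOOKUPS:  # the map argument is the next token
            table = tokens[i + 1] if i + 1 < cutoff else "(no table)"
            findings.append(f"{tok} {table} is evaluated before reject_unauth_destination")
    return findings
```

Feed it the output of `postconf -n` from a real host to lint the live configuration.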