I think I got it.

On Sun, 2009-02-15 at 07:28 -0500, Digest of postfix-users list wrote:
> I meant that if you have a line like
>
> mydomain.example OK
>
> in /etc/postfix/access, then anyone gets free relay by forging an
> address in this domain.
>
> In short, avoid putting check_sender_access in
> smtpd_recipient_restrictions before reject_unauth_destination.
>
> >> better move these checks to smtpd_sender_restrictions.
> >>
> >
> > in /etc/postfix/access_client we have few ips that we permit with
> > "OK".
>
> my remark applies to maps used in check_sender_access, because a
> sender address is easily forged.
I have these rules for now:

smtpd_client_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    check_client_access hash:/etc/postfix/access,
    reject_unauth_pipelining,
    # reject_unknown_client,
    reject_rbl_client sbl-xbl.spamhaus.org,
    reject_rbl_client rbl-plus.mail-abuse.org,
    reject_rbl_client cbl.abuseat.org,
    # reject_rbl_client list.dsbl.org,
    # reject_rhsbl_sender dsn.rfc-ignorant.org,
    permit

smtpd_helo_required = yes

smtpd_helo_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    check_helo_access hash:/etc/postfix/access_helo,
    reject_invalid_hostname,
    # reject_unknown_hostname,
    # reject_non_fqdn_hostname,
    reject_unauth_pipelining,
    permit

smtpd_sender_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    check_sender_access hash:/etc/postfix/access,
    check_client_access cidr:/etc/postfix/access_client,
    reject_sender_login_mismatch,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    reject_unauth_pipelining,
    permit

smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    check_recipient_access hash:/etc/postfix/access,
    reject_unauth_destination,
    reject_unknown_recipient_domain,
    reject_non_fqdn_recipient,
    reject_unauth_pipelining,
    permit

/etc/postfix/access is empty. I have not set any IPs/domains to OK there. I have set these IPs only in /etc/postfix/access_client.
So, you suggest changing it this way:

smtpd_client_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    check_client_access hash:/etc/postfix/access,
    reject_unauth_pipelining,
    # reject_unknown_client,
    reject_rbl_client sbl-xbl.spamhaus.org,
    reject_rbl_client rbl-plus.mail-abuse.org,
    reject_rbl_client cbl.abuseat.org,
    # reject_rbl_client list.dsbl.org,
    # reject_rhsbl_sender dsn.rfc-ignorant.org,
    permit

smtpd_helo_required = yes

smtpd_helo_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    check_helo_access hash:/etc/postfix/access_helo,
    reject_invalid_hostname,
    # reject_unknown_hostname,
    # reject_non_fqdn_hostname,
    reject_unauth_pipelining,
    permit

smtpd_sender_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    check_sender_access hash:/etc/postfix/access,
    check_client_access cidr:/etc/postfix/access_client,
    reject_sender_login_mismatch,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    reject_unauth_pipelining,
    permit

smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    check_recipient_access hash:/etc/postfix/access,
    check_sender_access hash:/etc/postfix/access,
    reject_unauth_destination,
    reject_unknown_recipient_domain,
    reject_non_fqdn_recipient,
    reject_unauth_pipelining,
    permit

?
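The ordering point raised in the quoted reply, as an added example that is neither from this thread nor from Postfix itself: a small Python model of how a restriction list is walked (first OK or REJECT decides, an exhausted list permits), run against the recipient-restriction order proposed above and the order the reply recommends. The mynetworks and mydestination values, the access-map entry and the client session are constructed for the example.

```python
# Added example (not Postfix code): a minimal model of how Postfix walks an
# smtpd restriction list, first OK or REJECT decides, exhausted list permits.
MYNETWORKS = {"127.0.0.1", "192.0.2.10"}   # constructed sample values
MYDESTINATION = {"mydomain.example"}       # domains this server accepts

def lookup(table, key):
    """Postfix-style access lookup: full address first, then its domain."""
    if key in table:
        return table[key]
    return table.get(key.split("@", 1)[1]) if "@" in key else None

def evaluate(restrictions, session, access):
    """Return 'permit' or 'reject' for one RCPT TO command."""
    rcpt_domain = session["recipient"].split("@", 1)[1]
    for name in restrictions:
        result = None
        if name == "permit_mynetworks" and session["client"] in MYNETWORKS:
            result = "OK"
        elif name == "permit_sasl_authenticated" and session["sasl"]:
            result = "OK"
        elif name == "check_client_access":
            result = lookup(access, session["client"])
        elif name == "check_sender_access":
            result = lookup(access, session["sender"])
        elif name == "check_recipient_access":
            result = lookup(access, session["recipient"])
        elif name == "reject_unauth_destination":
            result = None if rcpt_domain in MYDESTINATION else "REJECT"
        elif name == "permit":
            result = "OK"
        if result == "OK":
            return "permit"
        if result == "REJECT":
            return "reject"
    return "permit"

# check_sender_access before reject_unauth_destination (as proposed above)
# versus after it (the order recommended in the quoted reply).
PROPOSED = ["permit_mynetworks", "permit_sasl_authenticated", "check_recipient_access",
            "check_sender_access", "reject_unauth_destination", "permit"]
RECOMMENDED = ["permit_mynetworks", "permit_sasl_authenticated", "check_recipient_access",
               "reject_unauth_destination", "check_sender_access", "permit"]

# Constructed session: unknown client forges a local sender, foreign recipient.
FORGED = {"client": "198.51.100.7", "sasl": False,
          "sender": "anyone@mydomain.example", "recipient": "someone@elsewhere.example"}

def relay_decisions(access):
    """Decision of each order for the forged session under a given access map."""
    return evaluate(PROPOSED, FORGED, access), evaluate(RECOMMENDED, FORGED, access)
```

With an empty /etc/postfix/access, as in the post, both orders reject the relay attempt; the difference appears only once a domain "OK" entry is added to that map.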