On Thu, 22 Apr 2010 19:06:59 -0500, Noel Jones <njo...@megan.vbhcs.org> wrote: > On 4/22/2010 6:17 PM, Oliver Schinagl wrote: >> Well what I'm after is the following: >> >> Postfix should be nice and locked, no relaying or anything like that; >> backup_max's should be allowed to relay of course, and users who have >> logged in properly via, say thunderbird (using sasl_auth). >> >> Also I would like to use public RBL's to lower the load on my spamfilter >> etc so they shouldn't even come in. >> >> Here's what I have in my postconf now: >> mydomain = example.com >> myhostname = foo.example.com >> mynetworks_style = host > > OK, you're not defining mynetworks, permit_mynetworks should > only allow your host's IPs. That's fine.
I simply assumed, it's probably best to allow no one but localhost to mail unauthorized. > >> relay_domains = pgsql:/etc/postfix/pgsql/pgsql-relay-domains-maps.cf > > Using relay_domains without relay_recipient_maps is strongly > discouraged. Your queue will get clogged with undeliverable > mail and eventually you'll be blacklisted as a backscatter source. > I went looking up relay_recipient_maps and from what I gather, all the users that are in my user table on the other end would have to be here as well? This basically means my database backend would/could be identical/synchronized then with just the backupmx flag on the domain reversed? I can understand this working in my specific setup, where I admin both servers, but what if I would be a backupmx for a domain where I do not know the users from? E.g. My friend runs his own mailserver, and he likes me to be his backupmx; I'm perfectly fine with that, but I rather not have to keep his userbase in sync with my userbase, or did I completly missunderstand? I saw specifying @domain is bad, what about a catchall? *...@backupmxdomain.com or are those identical in that sense? Or am I completely missing the point on this one. Also, re-reading it again, postfix will look up the string, but doesn't use the result, e.g. something like select * from backupmxtable where domain=%u; would result in a positive hit and all mailboxes from that domain, but that would also make me become a source of backscatter mail (what is that anyway)? I would assume that my postfix server would accept the mail, then forward it to the other host and deliver it there. >> smtpd_banner = $myhostname NO UCE ESMTP > > That must be > smtpd_banner = $myhostname ESTMP comments... > I assume the order matters here? I figured the NO UCE bit would be totally useless and totally ignored anyway, but hey, it would be there for all to see. >> smtpd_client_restrictions = permit_mynetworks, >> permit_sasl_authenticated, permit_mx_backup, reject_rbl_client >> zen.spamhaus.org, reject_rbl_client cbl.abuseat.org, reject_rbl_client >> bl.spamcop.net > > "permit_mx_backup" is evil and disabling your RBL lookups. > Ah! now we're onto something. But why? is it filling in more then my backup mx domains here? I assume setting up relay_domains (properly) as above allows mail from my backups to arrive normally without consulting smtpd_client_restrictions? > Don't use permit_mx_backup. If you run a backup MX for other > domains, list those domains in relay_domains and the > recipients in relay_recipient_maps. > I will change this. >> smtpd_delay_reject = yes >> smtpd_helo_required = yes >> smtpd_helo_restrictions = reject_invalid_hostname > > This should be > smtpd_helo_restrictions = > permit_mynetworks > permit_sasl_authenticated > reject_invalid_helo_hostname > > It's not nice to reject authorized clients just because their > mail client happens to bork the HELO name. > I understand, I can agree with this one absolutly. >> smtpd_recipient_restrictions = permit_mynetworks, >> permit_sasl_authenticated, permit_mx_backup, check_policy_service >> inet:127.0.0.1:2525, reject_unauth_destination > > Remove permit_mx_backup, it's disabling all your other checks. > As above, I don't understand how here either :) >> smtpd_sasl_authenticated_header = no > > I like this set to "yes", but that's just me. > I read that it 'broadcasts' the sasl username to anybody receiving/reading the mailheader and was therefor bad. I can see how this would be useful the first few weeks to potentially debug, as if the username is not listed, the user was not authorized. >> smtpd_sasl_security_options = noanonymous > > Caution, this setting allows plain text passwords to be sent > unencrypted. Safer (but harder for testing and maybe less > compatible): > smtpd_sasl_security_options = noplaintext, noanonymous > smtpd_sasl_tls_security_options = noanonymous > > Would base64 encoded usernames/passwords count? I'm not sure what roundcube does in that regard, then again, it doesn't matter as it is running locally anyway; and it has an option to properly login when sending messages remotly I belive. >> and my master.cf: >> smtp inet n - n - 4 smtpd >> -o content_filter=amavis:[127.0.0.1]:10024 >> -o receive_override_options=no_address_mappings >> >> submission inet n - n - - smtpd >> # -o smtpd_tls_security_level=encrypt >> -o smtpd_sasl_auth_enable=yes >> -o smtpd_client_restrictions=permit_sasl_authenticated,reject >> -o smtpd_helo_restrictions= >> -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject > > You might want to add here > -o smptd_sender_restrictions= > to prevent main.cf parameters from interfering. > I will add this aswell, I can see that the submission port doesn't have to be strict at all, as you can only use it as an authorized user. > Otherwise, looks reasonable. Remove your permit_mx_backup and > everything should be dandy. Reasonable means there's room for improvement? :) I will change and check everything and will gladly look forward to more tips, which in turn I will work into the gentoo-wiki article again ;) I would like to thank you for your time so far! > > > > -- Noel Jones Oliver
