On 31 October 2011 15:16, Noel Jones <[email protected]> wrote:
> On 10/31/2011 12:31 PM, Simon Brereton wrote:
>> Googling led me to this thread:
>> http://comments.gmane.org/gmane.mail.postfix.user/210413
>>
>> But I don't understand how [email protected] is not owned by
>> [email protected]
>
> Apparently this user didn't authenticate.
> You define who owns what address in smtpd_sender_login_maps. There
> are no "automatic" mappings.

Okay, so without smtpd_sender_login_maps those restrictions are worthless, yes?

>> mail:~# postconf -n | grep smtpd_recipient_restrictions
>> smtpd_recipient_restrictions =
>> reject_non_fqdn_sender,
>> reject_non_fqdn_recipient,
>> reject_sender_login_mismatch,
>> permit_sasl_authenticated,
>
> This should be followed by "permit_mynetworks,
> reject_unauth_destination," followed by your other UCE checks.
> check_sender_access is to check the sender email address, and will
> never match an IP. You must use check_client_access to whitelist by IP.

Nice catch - thanks.

>> reject_unlisted_recipient,
>> check_policy_service unix:private/policy-spf,
>> check_policy_service inet:127.0.0.1:10031,
>> reject_rbl_client bl.spamcop.net,
>> reject_rbl_client zen.spamhaus.org,
>> reject_rbl_client cbl.abuseat.org,
>
> cbl is included in zen, so this is a duplicate.

This is what I was told - but it's always cbl that does the blocking
in the logs. I seldom get a result for zen.

>> reject_rbl_client blackholes.mail-abuse.org,
>
> Do you pay for a subscription to mail-abuse.org? Otherwise this
> won't work.

I haven't looked at these in a while - removed.

>> warn_if_reject, reject_unknown_client,
>> warn_if_reject, reject_rhsbl_client dsn.rfc-ignorant.org,
>> warn_if_reject, reject_rbl_client dnsbl.sorbs.net,
>> warn_if_reject, reject_rbl_client dnsbl.njabl.org,
>> warn_if_reject, reject_rbl_client dul.dnsbl.sorbs.net,
>> permit

It's still not clear to me if I need each warn_if_reject, or if I can
just use one. I.e.

warn_if_reject,
reject_unknown_client,
reject_rbl_client tw.countries.nerd.dk,
reject_rbl_client kr.countries.nerd.dk,
reject_rbl_client cn.countries.nerd.dk,
reject_rhsbl_client dsn.rfc-ignorant.org,
reject_rbl_client dnsbl.sorbs.net,
reject_rbl_client dnsbl.njabl.org,
reject_rbl_client dul.dnsbl.sorbs.net,
permit

>> check_recipient_access hash:/etc/postfix/laxdomains,
>> reject_unknown_sender_domain,
>> reject_unknown_recipient_domain,
>> reject_invalid_helo_hostname,
>> reject_non_fqdn_helo_hostname,
>> reject_unknown_helo_hostname,
>> check_sender_access hash:/etc/postfix/backscatter
>> check_reverse_client_hostname_access pcre:/etc/postfix/fqrdns.pcre,
>> permit_mynetworks,
>> reject_unauth_destination,
>
> This is dangerously late for reject_unauth_destination. You should
> move it above any check_*_access maps.

This is the problem with adding things over time. And sometimes I get
really confused - to wit.

## SPAM STUFF and REJECT CODES ##
smtpd_recipient_restrictions =
reject_non_fqdn_sender,
reject_non_fqdn_recipient,
permit_sasl_authenticated,
check_helo_access hash:/etc/postfix/helo_checks,
permit_mynetworks,
reject_unauth_destination,
reject_unlisted_recipient,
check_recipient_access hash:/etc/postfix/laxdomains, (this is
one domain I host that doesn't want the checking done below)
check_client_access hash:/etc/postfix/ip_whitelist,
reject_invalid_helo_hostname,
reject_non_fqdn_helo_hostname,
reject_unknown_helo_hostname,
reject_unknown_sender_domain,
reject_unknown_recipient_domain,

Jim Seymour has these two ABOVE permit_mynetworks - which I can see
for the sender_domain, but if the recipient_domain was above
permit_mynetworks, then wouldn't postfix reject everything that wasn't
in $mydestination? So, should it be above or below? And surely if it
should be above, then so should the helo_hostname checks, no?

check_sender_access hash:/etc/postfix/backscatter
check_reverse_client_hostname_access pcre:/etc/postfix/fqrdns.pcre,
check_policy_service unix:private/policy-spf,
check_policy_service inet:127.0.0.1:10031,
reject_rbl_client bl.spamcop.net,
reject_rbl_client zen.spamhaus.org,
reject_rbl_client cbl.abuseat.org,
warn_if_reject,
reject_unknown_client,
warn_if_reject,
reject_rbl_client tw.countries.nerd.dk,
warn_if_reject,
reject_rbl_client kr.countries.nerd.dk,
warn_if_reject,
reject_rbl_client cn.countries.nerd.dk,
warn_if_reject,
reject_rhsbl_client dsn.rfc-ignorant.org,
warn_if_reject,
reject_rbl_client dnsbl.sorbs.net,
warn_if_reject,
reject_rbl_client dnsbl.njabl.org,
warn_if_reject,
reject_rbl_client dul.dnsbl.sorbs.net,
permit
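
An added example, not part of the original message or of Postfix: a small linter for the two ordering points raised in this thread, namely Noel's advice to put reject_unauth_destination above any check_*_access map, and the fact that warn_if_reject changes only the restriction immediately after it. The sample list is constructed (abridged from the configuration quoted above), and the function names are illustrative.

```python
import re

# Constructed sample: abridged from the first restriction list quoted in the thread.
SAMPLE = """
reject_non_fqdn_sender, reject_non_fqdn_recipient,
reject_sender_login_mismatch, permit_sasl_authenticated,
reject_rbl_client zen.spamhaus.org,
warn_if_reject, reject_unknown_client,
reject_rbl_client dnsbl.sorbs.net,
check_recipient_access hash:/etc/postfix/laxdomains,
check_sender_access hash:/etc/postfix/backscatter
permit_mynetworks, reject_unauth_destination, permit
"""

# Restrictions that take one argument (limited to the kinds used in the thread).
TAKES_ARG = re.compile(r"check_\w+|reject_rbl_client|reject_rhsbl_client")
ACCESS_MAP = re.compile(r"check_\w+_access")


def parse(value):
    """Split a restriction list (comma and/or whitespace separated) into entries."""
    tokens = [t for t in re.split(r"[,\s]+", value) if t]
    entries, i = [], 0
    while i < len(tokens):
        if TAKES_ARG.fullmatch(tokens[i]) and i + 1 < len(tokens):
            entries.append((tokens[i], tokens[i + 1]))
            i += 2
        else:
            entries.append((tokens[i], None))
            i += 1
    return entries


def lint(value):
    """Return the ordering findings discussed in the thread."""
    entries = parse(value)
    names = [name for name, _ in entries]
    show = lambda e: e[0] if e[1] is None else f"{e[0]} {e[1]}"
    # Entries evaluated before reject_unauth_destination (all of them if absent).
    cut = names.index("reject_unauth_destination") if "reject_unauth_destination" in names else len(entries)
    return {
        "has_reject_unauth_destination": cut < len(entries),
        # Access maps listed ahead of the relay check.
        "access_maps_before_relay_check": [show(e) for e in entries[:cut] if ACCESS_MAP.fullmatch(e[0])],
        # warn_if_reject changes only the restriction that immediately follows it.
        "warn_only": [show(nxt) for cur, nxt in zip(entries, entries[1:]) if cur[0] == "warn_if_reject"],
    }


if __name__ == "__main__":
    for key, val in lint(SAMPLE).items():
        print(key, "=", val)
```

On the sample, `warn_only` contains only reject_unknown_client; the reject_rbl_client dnsbl.sorbs.net entry after it still rejects.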