On 11/1/2011 1:31 PM, Simon Brereton wrote:
> On 31 October 2011 15:16, Noel Jones <[email protected]> wrote:
>> On 10/31/2011 12:31 PM, Simon Brereton wrote:
>>> Googling led me to this thread:
>>> http://comments.gmane.org/gmane.mail.postfix.user/210413
>>>
>>> But I don't understand how [email protected] is not owned by
>>> [email protected]
>>
>> Apparently this user didn't authenticate.
>> You define who owns what address in smtpd_sender_login_maps. There
>> are no "automatic" mappings.
>
> Okay, so without smtpd_sender_login_maps those restrictions are worthless,
> yes?

Right. You must define the user <-> sender address mapping.

>>> reject_unlisted_recipient,
>>> check_policy_service unix:private/policy-spf,
>>> check_policy_service inet:127.0.0.1:10031,
>>> reject_rbl_client bl.spamcop.net,
>>> reject_rbl_client zen.spamhaus.org,
>>> reject_rbl_client cbl.abuseat.org,
>>
>> cbl is included in zen, so this is a duplicate.
>
> This is what I was told - but it's always cbl that does the blocking
> in the logs. I seldom get a result for zen.

Maybe Spamhaus cut you (or your ISP if you use their DNS) off for exceeding their query limits.

> It's still not clear to me if I need each warn_if_reject, or if I can
> just use one. I.e.
>
> warn_if_reject,
> reject_unknown_client,
> reject_rbl_client tw.countries.nerd.dk,

You need to use warn_if_reject in front of each restriction you want turned into a warning.

> reject_rbl_client dul.dnsbl.sorbs.net,
> permit

And for completeness, I'll note the final permit is unnecessary, but doesn't really hurt anything.

> ## SPAM STUFF and REJECT CODES ##
> smtpd_recipient_restrictions =
> reject_non_fqdn_sender,
> reject_non_fqdn_recipient,
> permit_sasl_authenticated,
> check_helo_access hash:/etc/postfix/helo_checks,
> permit_mynetworks,
> reject_unauth_destination,
> reject_unlisted_recipient,
> check_recipient_access hash:/etc/postfix/laxdomains, (this is
> one domain I host that doesn't want the checking done below)
> check_client_access hash:/etc/postfix/ip_whitelist,
> reject_invalid_helo_hostname,
> reject_non_fqdn_helo_hostname,
> reject_unknown_helo_hostname,
> reject_unknown_sender_domain,
> reject_unknown_recipient_domain,
>
> Jim Seymour has these two ABOVE permit_mynetworks - which I can see
> for the sender_domain, but if the recipient_domain was above
> permit_mynetworks, then wouldn't postfix reject everything that wasn't
> in $mydestination? So, should it be above or below? And surely if it
> should be above, then so should the helo_hostname checks, no?

The checks "above" permit_mynetworks and permit_sasl_authenticated are checks you want applied to your networks and authenticated users. Generally it's better to put those checks in smtpd_sender_restrictions.

-- 
Noel Jones
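
The points made in the reply above, collected into one main.cf fragment. This is an added example, not part of the original message or either poster's configuration. The map path /etc/postfix/sender_login_maps, the example.com addresses and the login names are constructed placeholders, and reject_sender_login_mismatch is assumed to be the kind of restriction meant by "those restrictions".

```ini
# /etc/postfix/main.cf (fragment, constructed example)

# Who owns which envelope sender address. There are no automatic
# mappings: without this table the sender/login mismatch restrictions
# have nothing to compare the SASL login against.
smtpd_sender_login_maps = hash:/etc/postfix/sender_login_maps

# Checks that should also apply to local networks and authenticated
# users go here, where no earlier permit_* lets those clients skip them.
smtpd_sender_restrictions =
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    reject_sender_login_mismatch

smtpd_recipient_restrictions =
    reject_non_fqdn_recipient,
    permit_sasl_authenticated,
    permit_mynetworks,
    reject_unauth_destination,
    reject_unlisted_recipient,
    # zen already includes cbl, so cbl.abuseat.org is not listed again
    reject_rbl_client zen.spamhaus.org,
    # trial restrictions: warn_if_reject affects only the restriction
    # that directly follows it, so each one gets its own prefix
    warn_if_reject reject_unknown_client,
    warn_if_reject reject_rbl_client dul.dnsbl.sorbs.net
    # no trailing "permit": reaching the end of the list already permits

# /etc/postfix/sender_login_maps (constructed; run "postmap" after editing)
# Key is the sender address, value is the SASL login(s) allowed to use it.
#
#   alice@example.com    alice
#   sales@example.com    alice, bob
```

A restriction prefixed with warn_if_reject logs a reject_warning line instead of rejecting, so the mail log shows what each trial restriction would have blocked before it is enforced.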
