On 7/22/2013 10:21 AM, L.W. van Braam van Vloten wrote:
> Hello list,
>
> Thanks for the info, in a different thread I also saw a reference to
> http://postfix.1071664.n5.nabble.com/smtpd-recipient-restrictions-Best-Practices-td10171.html
> and it helped me to modify my config. In addition I upgraded to
> Postfix 2.9.3 because I want to start using permit_dnswl_client as
> well.
>
> It seems to work as expected, but I have the uncomfortable feeling
> that I still missed something crucial...
>
>>
>> Please show your "postconf -n" output for further help.
>>
>
> Are there any bad mistakes in the following config, in particular
> regarding smtpd_recipient_restrictions and related settings?

some comments below...

> Thank you for your help,
> Lucas
>
> # postconf -nf
>
> alias_database = $alias_maps
> alias_maps = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
> append_dot_mydomain = no
> biff = no
> config_directory = /etc/postfix
> content_filter = amavis:[127.0.0.1]:10024
> delay_warning_time = 4h
> disable_vrfy_command = yes
> inet_interfaces = all
> local_recipient_maps =

An empty local_recipient_maps will cause your Postfix to accept mail for
undeliverable local addresses, then attempt to bounce them. This will clog
your queue with undeliverable bounces and get you blacklisted.

> mailbox_command = procmail -a "$EXTENSION"
> mailbox_size_limit = 0

A size limit of 0 is unwise. Far better to set an absurdly large limit than
no limit at all.

> maximal_backoff_time = 4000s
> maximal_queue_lifetime = 7d
> milter_default_action = accept
> milter_protocol = 2
> minimal_backoff_time = 300s
> mydestination = list.ecompass.nl
> myhostname = mail.ecompass.nl
> mynetworks_style = host
> myorigin = /etc/mailname
> non_smtpd_milters = inet:localhost:8891
> readme_directory = no
> recipient_bcc_maps = hash:/etc/postfix/recipient_bcc
> recipient_delimiter = *
> relay_domains =
> smtp_helo_timeout = 60s
> smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
> smtpd_banner = $myhostname ESMTP $mail_name
> smtpd_client_restrictions = check_client_access
>     cidr:/etc/postfix/client-access

Typically you would begin this with permit_mynetworks,
permit_sasl_authenticated so you don't reject authorized mail.

> smtpd_data_restrictions = reject_unauth_pipelining
> smtpd_delay_reject = yes
> smtpd_hard_error_limit = 12
> smtpd_helo_required = yes
> smtpd_helo_restrictions = permit_mynetworks,

Probably want permit_sasl_authenticated here.

>     reject_non_fqdn_helo_hostname,
>     reject_invalid_helo_hostname, permit

The final "permit" is unnecessary, but won't break anything. This is true
for all the smtpd_*_restrictions sections.

> smtpd_milters = inet:localhost:8891
> smtpd_recipient_limit = 16

This limits each SMTP transaction to no more than 16 RCPT TO commands per
session. The sender is then free to connect again with more recipients.
Setting this parameter to a low value can actually increase the load on
your server, and does little or nothing to thwart unwanted mail.

> smtpd_recipient_restrictions = permit_mynetworks,
>     permit_sasl_authenticated,
>     reject_unauth_destination, reject_unauth_pipelining,
>     reject_non_fqdn_sender,

Good.

>     reject_non_fqdn_recipient, reject_unknown_recipient_domain,

Putting reject_unknown_recipient_domain after reject_unauth_destination can
only reject your own domain. The intended use is before "permit_mynetworks,
permit_sasl_authenticated" to prevent your own users from sending mail to
mistyped destinations.

>     reject_unknown_sender_domain, check_policy_service
>     inet:127.0.0.1:10023,
>     check_recipient_access hash:/etc/postfix/recipient-access,
>     check_sender_access hash:/etc/postfix/sender-access,
>     check_client_access
>     cidr:/etc/postfix/client-whitelist,

Typically the whitelist would be before any of the rules that might reject
mail, such as the check_*_access and the reject_* rules.

>     permit_dnswl_client
>     list.dnswl.org=127.0.[0..255].[1..3], reject_rbl_client
>     zen.spamhaus.org,
>     reject_rbl_client dnsbl.sorbs.net, reject_rbl_client
>     bl.spamcop.net, permit
> smtpd_sender_restrictions = permit_mynetworks,

Missing permit_sasl_authenticated here.

>     warn_if_reject
>     reject_non_fqdn_sender, permit
> smtpd_soft_error_limit = 3
> smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
> smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
> smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
> smtpd_use_tls = yes
> unknown_local_recipient_reject_code = 550
> virtual_alias_maps = mysql:/etc/postfix/mysql_alias.cf
> virtual_gid_maps = static:5000
> virtual_mailbox_base = /var/spool/mail/virtual
> virtual_mailbox_domains = mysql:/etc/postfix/mysql_domains.cf
> virtual_mailbox_maps = mysql:/etc/postfix/mysql_mailbox.cf
> virtual_uid_maps = static:5000
>
>

-- Noel Jones
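The ordering problems called out in the reply above, as an added example that is not part of the thread and not Postfix's own code: a small Python linter that parses `postconf -n` output and reports them. The "as posted" config inside it is constructed from the values quoted in the thread (trimmed to the parameters the reply comments on); the "reordered" config applies the reply's suggestions. Assumptions beyond the thread: a client whitelist is recognised by an access table whose name contains "whitelist"; the reordered config restores Postfix's default `local_recipient_maps` value and picks an arbitrary large mailbox limit; and the linter also encodes one rule the reply does not state but Postfix's SMTPD_ACCESS_README does, that a whitelist must sit after `reject_unauth_destination` or whitelisted clients can relay through you.

```python
"""Lint a `postconf -n` dump for the restriction-ordering mistakes discussed in this reply.
Added example, not Postfix code and not from the thread; see the lead-in for assumptions."""
import re

KEYWORDS = ("permit", "reject", "defer", "check_", "sleep")
# Relay/backscatter controls: a client whitelist belongs after these and before
# everything else that can reject (DNSBLs, access tables, policy daemons).
RELAY_CONTROL = {"reject_unauth_destination", "reject_unknown_recipient_domain",
                 "reject_non_fqdn_recipient"}
PARAMS = ("smtpd_client_restrictions", "smtpd_helo_restrictions",
          "smtpd_sender_restrictions", "smtpd_recipient_restrictions")


def parse_postconf(text):
    """`postconf -n` prints `name = value`; continuation lines start with whitespace."""
    params, key = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0].isspace() and key is not None:
            params[key] += " " + line.strip()
        else:
            key, _, value = line.partition("=")
            key = key.strip()
            params[key] = value.strip()
    return params


def restrictions(value):
    """Ordered [{'name', 'args', 'warn_only'}]; tokens that are not restriction keywords
    (table names, DNSBL zones, inet:host:port) are arguments of the preceding keyword."""
    out, warn = [], False
    for tok in re.split(r"[,\s]+", value):
        if tok == "warn_if_reject":
            warn = True                      # modifier for the next restriction
        elif tok.startswith(KEYWORDS):
            out.append({"name": tok, "args": [], "warn_only": warn})
            warn = False
        elif tok and out:
            out[-1]["args"].append(tok)
    return out


def lint(params):
    """Return findings as strings; an empty list means every check passed."""
    f = []
    if params.get("local_recipient_maps", "default") == "":
        f.append("local_recipient_maps is empty: unknown local users are accepted, then bounced")
    if params.get("mailbox_size_limit") == "0":
        f.append("mailbox_size_limit = 0 removes the limit; use a large finite value")
    lists = {p: restrictions(params.get(p, "")) for p in PARAMS}
    for p, rules in lists.items():
        names = [r["name"] for r in rules]
        if names and "permit_sasl_authenticated" not in names:
            f.append(f"{p}: missing permit_sasl_authenticated; authenticated mail can be rejected")
        if names and p != "smtpd_recipient_restrictions" and names[0] not in (
                "permit_mynetworks", "permit_sasl_authenticated"):
            f.append(f"{p}: starts with {names[0]}; begin with permit_mynetworks, "
                     "permit_sasl_authenticated")
    rules = lists["smtpd_recipient_restrictions"]
    names = [r["name"] for r in rules]
    pos = {n: i for i, n in reversed(list(enumerate(names)))}   # first index of each name
    unauth = pos.get("reject_unauth_destination")
    if unauth is not None and pos.get("reject_unknown_recipient_domain", -1) > unauth:
        f.append("smtpd_recipient_restrictions: reject_unknown_recipient_domain after "
                 "reject_unauth_destination only covers your own domains; put it before "
                 "permit_mynetworks")
    for i, r in enumerate(rules):   # heuristic: the whitelist is the access table named so
        if r["name"] != "check_client_access" or not any("whitelist" in a for a in r["args"]):
            continue
        if unauth is None or i < unauth:
            f.append("smtpd_recipient_restrictions: whitelist before reject_unauth_destination "
                     "lets whitelisted clients relay through you")
        ahead = [n for j, n in enumerate(names) if j < i and n not in RELAY_CONTROL
                 and n.startswith(("reject", "check_"))]
        if ahead:
            f.append(f"smtpd_recipient_restrictions: whitelist comes after {ahead[0]}; "
                     "move it ahead of the spam checks")
    return f


# Constructed from the values quoted in the thread (subset relevant to the reply's comments).
CONFIG_AS_POSTED = """\
local_recipient_maps =
mailbox_size_limit = 0
smtpd_client_restrictions = check_client_access cidr:/etc/postfix/client-access
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated,
    reject_unauth_destination, reject_unauth_pipelining, reject_non_fqdn_sender,
    reject_non_fqdn_recipient, reject_unknown_recipient_domain, reject_unknown_sender_domain,
    check_policy_service inet:127.0.0.1:10023,
    check_client_access cidr:/etc/postfix/client-whitelist,
    permit_dnswl_client list.dnswl.org=127.0.[0..255].[1..3],
    reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net, permit
smtpd_sender_restrictions = permit_mynetworks, warn_if_reject reject_non_fqdn_sender, permit
"""

# Reordered per the reply; local_recipient_maps is the Postfix default, the size limit is
# an arbitrary large value (illustrative, not a recommendation from the thread).
CONFIG_FIXED = """\
local_recipient_maps = proxy:unix:passwd.byname $alias_maps
mailbox_size_limit = 10240000000
smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated,
    check_client_access cidr:/etc/postfix/client-access
smtpd_recipient_restrictions = reject_unknown_recipient_domain, permit_mynetworks,
    permit_sasl_authenticated, reject_unauth_destination,
    check_client_access cidr:/etc/postfix/client-whitelist,
    reject_unauth_pipelining, reject_non_fqdn_sender, reject_non_fqdn_recipient,
    reject_unknown_sender_domain, check_policy_service inet:127.0.0.1:10023,
    permit_dnswl_client list.dnswl.org=127.0.[0..255].[1..3],
    reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net
smtpd_sender_restrictions = permit_mynetworks, permit_sasl_authenticated,
    warn_if_reject reject_non_fqdn_sender
"""

if __name__ == "__main__":
    for label, cfg in (("as posted", CONFIG_AS_POSTED), ("reordered", CONFIG_FIXED)):
        findings = lint(parse_postconf(cfg))
        print(f"== {label}: {len(findings)} finding(s)")
        for finding in findings:
            print("  -", finding)
```

Run it against a real box with `postconf -n > dump.txt` and `lint(parse_postconf(open("dump.txt").read()))`; the "reordered" config is the one the linter accepts, and the one point it enforces beyond the reply is that the whitelist stays behind `reject_unauth_destination`.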