On 03.12.2014 at 14:41, mancyb...@gmail.com wrote:
On Wed, 03 Dec 2014 14:11:44 +0100
"li...@rhsoft.net" <li...@rhsoft.net> wrote:
On 03.12.2014 at 13:40, mancyb...@gmail.com wrote:
On Wed, 03 Dec 2014 13:18:45 +0100
"li...@rhsoft.net" <li...@rhsoft.net> wrote:
put the exchange host in "mynetworks" and just add "permit_mynetworks"
*before* "reject_authenticated_sender_login_mismatch"
Hi, my whole 'smtpd_recipient_restrictions' is:
smtpd_recipient_restrictions =
    permit_mynetworks,
    check_policy_service inet:127.0.0.1:10031,
    check_sender_access hash:/etc/postfix/sender_access,
    check_recipient_access hash:/etc/postfix/check_recipient_access_skip_blacklists,
    reject_authenticated_sender_login_mismatch,
    reject_unauthenticated_sender_login_mismatch,
    permit_sasl_authenticated,
    reject_non_fqdn_hostname,
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    reject_unauth_destination,
    reject_unauth_pipelining,
    reject_invalid_hostname,
    check_client_access hash:/etc/postfix/rbl_override
    reject_rbl_client zen.spamhaus.org,
    reject_rbl_client cbl.abuseat.org,
    reject_rbl_client bl.spamcop.net,
This is a server with many domains and users (and filters, also custom antispam
filters).
Wouldn't your suggested modification disable all the rest of the processing
logic?
I mean .. would reject_rbl_client zen.spamhaus.org still be considered?
If that's the case, wouldn't it be easy to spoof the domain and abuse the server?
if the sending host is controlled by you it makes no sense to do RBL
checks for one of your own machines and so it should be safe to add the
host to "mynetworks"
Hi, the Exchange server is not controlled by me
then I would not allow any relay without authentication at all and place
a policyd only allowing authenticated relay but permit in context of
authentication *before* "reject_authenticated_sender_login_mismatch" as
possible solution
to be honest the best solution is most likely its own instance in
master.cf on a different port only opened in the firewall by that host
with its own restrictions instead of trying to combine completely different needs
nor are the clients. I agree that skipping RBLs checks is ok but what about
the other rules, will they be skipped?
I need policyd to track sending, together with amavis and spamd.
anything after a "permit" is skipped, so you can re-order if possible
the restrictions, there is no hard need to put "permit_mynetworks" on
top and if it is not possible with re-ordering consider a policy daemon
the following as example is wrong because "reject_non_fqdn_sender" and
"reject_non_fqdn_recipient" should be applied also for authenticated
users (a non fqdn rcpt happens often by mistake and would be delivered
with "mydomain" appended and there is no reason for a non-fq sender)
and that's just an example
>>> permit_sasl_authenticated,
>>> reject_non_fqdn_hostname,
>>> reject_non_fqdn_sender,
>>> reject_non_fqdn_recipient,
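
The "anything after a permit is skipped" rule discussed above, as an added sketch that is not part of the thread and is not Postfix code: a simplified first-match evaluator in Python over a subset of the posted restrictions. The rule stand-ins, the request fields and the re-ordered list are assumptions made for illustration.

```python
# Simplified model of one Postfix restriction list: the first rule that returns
# PERMIT or REJECT ends the walk; DUNNO moves on to the next rule.
PERMIT, REJECT, DUNNO = "permit", "reject", "dunno"

def is_fqdn(addr):
    """True when the part after '@' contains a dot (crude stand-in for the real check)."""
    return "." in addr.rpartition("@")[2].strip(".")

# Constructed stand-ins for some restrictions named in the thread (assumed behaviour).
RULES = {
    "permit_mynetworks": lambda r: PERMIT if r["in_mynetworks"] else DUNNO,
    "permit_sasl_authenticated": lambda r: PERMIT if r["sasl_user"] else DUNNO,
    "check_policy_service": lambda r: DUNNO,  # assumed: policyd only tracks, never decides
    "reject_non_fqdn_sender": lambda r: DUNNO if is_fqdn(r["sender"]) else REJECT,
    "reject_non_fqdn_recipient": lambda r: DUNNO if is_fqdn(r["rcpt"]) else REJECT,
    "reject_rbl_client": lambda r: REJECT if r["rbl_listed"] else DUNNO,
}

def evaluate(restrictions, request):
    """Return (verdict, deciding_rule, rules_never_evaluated)."""
    for i, name in enumerate(restrictions):
        verdict = RULES[name](request)
        if verdict != DUNNO:
            return verdict, name, restrictions[i + 1:]
    return DUNNO, None, []

# Subset of the posted list, in the posted order.
POSTED = ["permit_mynetworks", "check_policy_service", "permit_sasl_authenticated",
          "reject_non_fqdn_sender", "reject_non_fqdn_recipient", "reject_rbl_client"]
# Hypothetical re-ordering: tracking and FQDN checks run before any permit.
REORDERED = ["check_policy_service", "reject_non_fqdn_sender", "reject_non_fqdn_recipient",
             "permit_mynetworks", "permit_sasl_authenticated", "reject_rbl_client"]

# Constructed request: relay host listed in mynetworks, recipient typed without a domain.
REQUEST = {"in_mynetworks": True, "sasl_user": None, "rbl_listed": False,
           "sender": "alice@example.org", "rcpt": "bob"}

if __name__ == "__main__":
    for label, rules in (("posted", POSTED), ("re-ordered", REORDERED)):
        verdict, rule, skipped = evaluate(rules, REQUEST)
        print(f"{label}: {verdict} by {rule}; never evaluated: {skipped}")
```

With the posted order, a host in "mynetworks" is permitted by the first rule, so the policy service, the FQDN checks and the RBL lookups are never evaluated for it; in the re-ordered list the policy service and FQDN checks run first and only the rules after the permit are skipped.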