On Tue, Mar 17, 2015 at 05:11:33PM +0000, Mick wrote:

> To comply with RFC2142 and always accept mail destined for abuse or
> postmaster, the role account exceptions would have to be top of
> smtpd_recipient_restrictions, but should I bother to comply with mail
> servers that don't conform to RFC2142 themselves? If I were to move the
> exception line to below unauth_destination, it would seem a bit pointless
> having the line there at all as the message would have already passed most
> of the tests.
The point is to exempt "postmaster" from anti-UCE rules, allowing remote sites to report problems when they are blocked in error. This is not an exemption from anti-relay rules. Therefore, in Postfix <= 2.9, this goes after "reject_unauth_destination", but before RBLs and the like. With Postfix >= 2.10, if you're using "smtpd_relay_restrictions", you can order the recipient restrictions however you like, and perhaps put the "postmaster" whitelist first.

> > smtpd_recipient_restrictions =
> >     #check_recipient_access hash:/etc/postfix/roleaccount_exceptions,
> >     reject_non_fqdn_recipient,
> >     reject_non_fqdn_sender,
> >     reject_unknown_sender_domain,
> >     reject_unknown_recipient_domain,
> >     reject_unknown_client_hostname,
> >     reject_invalid_helo_hostname,
> >     reject_unauth_pipelining,
> >     permit_mynetworks,
> >     permit_sasl_authenticated,
> >     reject_unauth_destination,
> >     #check_recipient_access hash:/etc/postfix/roleaccount_exceptions,
> >     reject_non_fqdn_hostname,
> >     reject_invalid_hostname,
> >     #check_helo_access hash:/etc/postfix/helo_checks,
> >     reject_unverified_sender,
> >     check_policy_service unix:private/policy-spf
> >
> > If anyone has any thoughts on this, they will be gladly received.

Most of your reject rules are in the wrong place. Consider moving your outbound users to port 587 (for MUAs and null-clients) or a dedicated outbound MTA when relaying for internal MTAs.
Otherwise:

    smtpd_recipient_restrictions =
        permit_mynetworks,
        permit_sasl_authenticated,
        reject_unauth_destination,
        check_recipient_access hash:/etc/postfix/roleaccount_exceptions,
        reject_non_fqdn_recipient,
        reject_non_fqdn_sender,
        reject_unknown_sender_domain,
        #reject_unknown_recipient_domain,   -- port 587 only
        #reject_unknown_client_hostname,    -- too strict for most sites
        reject_invalid_helo_hostname,
        reject_unauth_pipelining,
        reject_non_fqdn_hostname,
        reject_invalid_hostname,
        #check_helo_access hash:/etc/postfix/helo_checks,
        reject_unverified_sender,
        check_policy_service unix:private/policy-spf

with any further adjustment based on further reading and matching settings to your needs.

-- 
	Viktor.
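As an added example, not part of the original thread and not Viktor's or Mick's configuration, here is how the same policy can be laid out on Postfix 2.10 or later, where "smtpd_relay_restrictions" carries the anti-relay decision on its own and the role-account whitelist can therefore sit first in "smtpd_recipient_restrictions". The domain example.com and the map path are placeholders; the list of checks is illustrative, not a recommendation for any particular site.

```ini
# main.cf fragment (added example, not from the original thread).
#
# Postfix >= 2.10: relay control lives in its own restriction list.
# A client must pass BOTH lists, so an "OK" returned by a lookup in
# smtpd_recipient_restrictions can never open relaying by itself.
smtpd_relay_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    defer_unauth_destination

# Anti-UCE policy only. Because relaying has already been decided
# above, the postmaster/abuse whitelist is safe at the top: a remote
# admin whose site is blocked by a later check can still report it.
smtpd_recipient_restrictions =
    check_recipient_access hash:/etc/postfix/roleaccount_exceptions,
    reject_non_fqdn_recipient,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    reject_invalid_helo_hostname,
    reject_non_fqdn_helo_hostname,
    reject_unauth_pipelining,
    reject_unverified_sender,
    check_policy_service unix:private/policy-spf

# Contents of /etc/postfix/roleaccount_exceptions (placeholder domain;
# build the indexed map with: postmap hash:/etc/postfix/roleaccount_exceptions).
# "OK" ends evaluation of smtpd_recipient_restrictions for that recipient,
# so nothing below the whitelist applies to mail for these two addresses.
#
#   postmaster@example.com  OK
#   abuse@example.com       OK
```

On Postfix <= 2.9, where there is no "smtpd_relay_restrictions", the same "OK" entry would also bypass "reject_unauth_destination" if the lookup were placed above it, which is exactly why the thread puts the whitelist after the anti-relay check on older releases.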