Viktor Dukhovni wrote:
On Tue, Mar 17, 2015 at 05:11:33PM +0000, Mick wrote:
To comply with RFC2142 and always accept mail destined for abuse or
postmaster, the role account exceptions would have to be top of
smtpd_recipient_restrictions, but should I bother to comply with mail
servers that don't conform to RFC2142 themselves? If I were to move the
exception line to below unauth_destination, it would seem a bit pointless
having the line there at all as the message would have already passed most
of the tests.
The point is to exempt "postmaster" from anti-UCE rules, allowing
remote sites to report problems when they are blocked in error.
This is not an exemption from anti-relay rules.
I see. That explains why the Book of Postfix shows the example after
'reject_unauth_destination' and why the 'abuse@' and 'postmaster@' wildcards
work when placed there.
Therefore, in Postfix <= 2.9, this goes after "reject_unauth_destination",
but before RBLs and the like. With Postfix >= 2.10, if you're
using "smtpd_relay_restrictions", you can order the recipient
restrictions however you like, and perhaps put the "postmaster"
whitelist first.
I'm on 2.9.x as Debian wheezy has not yet upgraded. I know it can easily be
done via backport, but I won't.
smtpd_recipient_restrictions =
#check_recipient_access hash:/etc/postfix/roleaccount_exceptions,
......<snip>....
check_policy_service unix:private/policy-spf
If anyone has any thoughts on this, they will be gladly received.
Most of your reject rules are in the wrong place. Consider moving
your outbound users to port 587 (for MUAs and null-clients) or a
dedicated outbound MTA when relaying for internal MTAs.
Did I mention, I don't know my backport from my elbow ;-(. Currently my
limited users use port 445 or 587. 25 is available but so many ISPs
block it, making it a waste of time for MUA use, especially on a portable
device. I know SPF is not widely liked, but I implement it in full, so if
the MUA uses their own ISP's port 25, chances are the message won't get
through in any case.
I haven't a clue about running a dedicated MTA for 445 and 587, and I'm
not asking how to do this yet. I have another 300 pages of the book to
get through first. Once I've got the full picture, I may try running
another instance of Postfix as I'm thinking you are suggesting.
Otherwise:
smtpd_recipient_restrictions =
permit_mynetworks,
permit_sasl_authenticated,
reject_unauth_destination,
check_recipient_access hash:/etc/postfix/roleaccount_exceptions,
reject_non_fqdn_recipient,
reject_non_fqdn_sender,
reject_unknown_sender_domain,
#reject_unknown_recipient_domain, -- port 587 only
#reject_unknown_client_hostname, -- too strict for most sites
reject_invalid_helo_hostname,
reject_unauth_pipelining,
reject_non_fqdn_hostname,
reject_invalid_hostname,
#check_helo_access hash:/etc/postfix/helo_checks,
reject_unverified_sender,
check_policy_service unix:private/policy-spf
with any further adjustment based on further reading and matching
settings to your needs.
Thank you for the above. I will adopt your revised restriction order.
Where I am in the book, it shows:
reject_non_fqdn_recipient
reject_non_fqdn_sender
reject_unknown_sender_domain
reject_unknown_recipient_domain
above 'permit_mynetworks'.
I wrongly assumed having the above as is shown, this would prevent any
of the above attempting to log into SMTP. BUT, since running a test log
of SMTP parameters passed to a Perl script, I see that this has already
taken place before we get to the restrictions. I'm guessing now that
'permit_sasl_authenticated' provides a 'DUNNO' on a pass meaning other
rules below / to the right still get checked?
I am in your debt for pointing me towards the 'Book of Postfix'. Instead
of having a constant headache due to banging my head against a search
engine brick wall, things are slowly starting to make sense. Long way to
go yet, but at least I'm crawling now.
Thanks,
Mick.
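The ordering question in the thread comes down to how Postfix walks a restriction list: each entry answers OK, REJECT or DUNNO, the first OK or REJECT decides, and DUNNO hands over to the next entry. The toy model below is an added example, not Postfix code or anything from the thread; the restriction functions are simplified stand-ins and the networks and domains are constructed. It shows why the role-account exemption is safe after reject_unauth_destination (it only shields postmaster@ from the UCE checks) but becomes a relay hole when placed on top.

```python
# Toy model of Postfix restriction-list evaluation (not Postfix's code).
# Each restriction returns OK, REJECT or DUNNO; the first OK or REJECT
# ends the list, DUNNO falls through. Networks/domains are constructed.
from dataclasses import dataclass

OK, REJECT, DUNNO = "OK", "REJECT", "DUNNO"
MYNETWORKS = {"127.0.0.1", "192.0.2.10"}       # constructed $mynetworks
RELAY_DOMAINS = {"example.com"}                # domains we accept mail for
ROLE_EXCEPTIONS = {"postmaster", "abuse"}      # access map: "postmaster@ OK"

@dataclass
class Session:
    client_ip: str
    sasl_authenticated: bool
    recipient: str
    on_rbl: bool = False                       # client listed on a DNSBL

def permit_mynetworks(s):
    return OK if s.client_ip in MYNETWORKS else DUNNO

def permit_sasl_authenticated(s):
    return OK if s.sasl_authenticated else DUNNO

def reject_unauth_destination(s):
    return DUNNO if s.recipient.split("@")[1] in RELAY_DOMAINS else REJECT

def check_recipient_access(s):
    # a "localpart@" entry in the access map matches that localpart at any domain
    return OK if s.recipient.split("@")[0] in ROLE_EXCEPTIONS else DUNNO

def reject_rbl_client(s):
    return REJECT if s.on_rbl else DUNNO

def evaluate(restrictions, s):
    """Return (verdict, name of the restriction that decided)."""
    for r in restrictions:
        verdict = r(s)
        if verdict != DUNNO:
            return verdict, r.__name__
    return OK, "end_of_list"                   # Postfix's implicit permit

# Recommended order: anti-relay first; the exemption only shields the UCE checks.
RECOMMENDED = [permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination,
               check_recipient_access, reject_rbl_client]
# Exemption on top: postmaster@<anywhere> is relayed for anyone.
EXEMPT_FIRST = [check_recipient_access, permit_mynetworks, permit_sasl_authenticated,
                reject_unauth_destination, reject_rbl_client]
```

Because permit_sasl_authenticated answers OK rather than DUNNO on success, nothing to its right is consulted for an authenticated client; an unauthenticated client gets DUNNO and falls through to the reject rules.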