From 1be510f9529cb082f802408b472a77d074b394c0 Mon Sep 17 00:00:00 2001 From: Nicolas Vigier Date: Sun, 14 Apr 2013 13:46:12 +0000 Subject: Add zarb MLs html archives --- zarb-ml/mageia-sysadm/2010-November/000665.html | 131 ++++++++++++++++++++++++ 1 file changed, 131 insertions(+) create mode 100644 zarb-ml/mageia-sysadm/2010-November/000665.html (limited to 'zarb-ml/mageia-sysadm/2010-November/000665.html') diff --git a/zarb-ml/mageia-sysadm/2010-November/000665.html b/zarb-ml/mageia-sysadm/2010-November/000665.html new file mode 100644 index 000000000..0aee3396a --- /dev/null +++ b/zarb-ml/mageia-sysadm/2010-November/000665.html @@ -0,0 +1,131 @@ + + + + [Mageia-sysadm] [294] - start to merge simple relay, and add some basic antispam filtering + + + + + + + + + +

[Mageia-sysadm] [294] - start to merge simple relay, and add some basic antispam filtering

+ Luca Berra + bluca at vodka.it +
+ Fri Nov 19 08:35:54 CET 2010 +

+
+ +
On Thu, Nov 18, 2010 at 11:34:59PM +0100, root at mageia.org wrote:
+>+<% if classes.include?('postfix::simple_relay') %>
+> inet_interfaces = localhost
+>+<% else %>
+>+inet_interfaces = all
+>+<% end %>
+>+
+>+<% if classes.include?('postfix::smtp_server') %>
+you can safely add:
+smtpd_etrn_restrictions = reject
+you should add:
+smtpd_helo_required = yes
+if you do checks based on helo here
+>+smtpd_recipient_restrictions =
+>+#    not done yet
+>+#    permit_sasl_authenticated
+you should add
+reject_sender_login_mismatch
+and configure something like:
+smtpd_sender_login_maps =
+proxy:ldap:/etc/postfix/smtpd_sender_login_maps.cf
+server_host = ldaps://
+version = 3
+search_base = dc=mageia,dc=org
+query_filter = (|(mail=%s)(mailLocalAddress=%s))
+# use this with groupOfNames to allow people to send on behalf of an
+# alias (eg postmaster, abuse, etc)
+#special_result_attribute = owner
+result_attribute = uid
+
+>+    permit_mynetworks
+>+    reject_unauth_destination
+>+    reject_unauth_pipelining
+this one should not be here ^^^^
+put it into smtpd_data_restrictions, eg:
+smtpd_data_restrictions = reject_unauth_pipelining, reject_multi_recipient_bounce
+>+    reject_non_fqdn_recipient
+this should go before every permit to be useful, it is not useful at all
+after reject_unauth_destination.
+>+    reject_non_fqdn_sender
+i'd move it above permits, if some script fails, fix it.
+>+    reject_non_fqdn_hostname
+Note1: this restriction has been renamed in
+reject_non_fqdn_helo_hostname
+Note2: i reckon it as a bad idea, there are too many people unable to
+properly configure their mta to send an fqdn helo
+>+    reject_invalid_hostname
+Note: this restriction has been renamed in
+reject_non_fqdn_helo_hostname
+>+    reject_unknown_recipient_domain
+this one has no use after reject_unauth_destination
+>+    reject_unknown_sender_domain
+>+    reject_unknown_client
+Note1: this restriction has been renamed in
+reject_unknown_client_hostname
+Note2: this is _very_ strong, it will do both reverse and forward ns
+lookups and reject mail if they don't match, i have seen valid
+setup that fail under this condition, is better to graylist these
+
+you are missing
+reject_unlisted_recipient
+which should be setup together with
+local_recipient_maps
+and
+relay_recipient_maps
+
+i also have a number of possible additions, should i send those in?
+
+L.
+
+-- 
+Luca Berra -- bluca at vodka.it
+
+ + + + + + +
+

+ +
+More information about the Mageia-sysadm +mailing list
+
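Review bot: in the archived message body, the note under the quoted `reject_invalid_hostname` line gives `reject_non_fqdn_helo_hostname` as its new name, the same name already given a few lines earlier for `reject_non_fqdn_hostname`. Two different restrictions cannot both have been renamed to the same name, so the second note reads like a copy of the first. This commit imports the list archive as it was sent, so the HTML should stay untouched. Anyone carrying this advice into the postfix `main.cf` template should take the replacement names from postconf(5) (`reject_invalid_helo_hostname` for `reject_invalid_hostname`) rather than from this mail. The commit message would also benefit from a body saying where the archive was exported from and that its content is unmodified.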