[Mageia-sysadm] [294] - start to merge simple relay, and add some basic antispam filtering

Fri Nov 19 15:36:39 CET 2010

Le vendredi 19 novembre 2010 à 08:35 +0100, Luca Berra a écrit :
+> On Thu, Nov 18, 2010 at 11:34:59PM +0100, root at mageia.org wrote:
+> >+<% if classes.include?('postfix::simple_relay') %>
+> > inet_interfaces = localhost
+> >+<% else %>
+> >+inet_interfaces = all
+> >+<% end %>
+> >+
+> >+<% if classes.include?('postfix::smtp_server') %>
+> you can safely add:
+> smtpd_etrn_restrictions = reject
+> you should add:
+> smtpd_helo_required = yes
+> if you do checks based on helo here
+
+I will merge your proposals, I just need to be more familiar with what
+they mean ( in case later some issue arise ). And i also likely need to
+update zarb and others servers too :)
+
+> >+smtpd_recipient_restrictions =
+> >+#    not done yet
+> >+#    permit_sasl_authenticated
+>
+> you should add
+> reject_sender_login_mismatch
+> and configure something like:
+> smtpd_sender_login_maps =
+> proxy:ldap:/etc/postfix/smtpd_sender_login_maps.cf
+> server_host = ldaps://
+> version = 3
+> search_base = dc=mageia,dc=org
+> query_filter = (|(mail=%s)(mailLocalAddress=%s))
+> # use this with groupOfNames to allow people to send on behalf of an
+> # alias (eg postmaster, abuse, etc)
+> #special_result_attribute = owner
+> result_attribute = uid
+
+Well, that's disabled because we are not sure we should offer it ( I
+took the config from zarb.org ).
+
+
+> >+    reject_non_fqdn_hostname
+> Note1: this restriction has been renamed in
+> reject_non_fqdn_helo_hostname
+
+> Note2: i reckon it as a bad idea, there are too many people unable to
+> properly configure their mta to send an fqdn helo
+
+That's what we use at zarb, so far no one complained ( obviously, maybe
+that's because we reject their mail ... )
+
+> i also have a number of possible additions, should i send those in?
+
+Yup, why not, I will integrate them later.  
+-- 
+Michael Scherer
+
+