<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<TITLE> [Mageia-sysadm] [294] - start to merge simple relay, and add some basic antispam filtering
</TITLE>
<LINK REL="Index" HREF="index.html" >
<LINK REL="made" HREF="mailto:mageia-sysadm%40mageia.org?Subject=Re%3A%20%5BMageia-sysadm%5D%20%5B294%5D%20-%20start%20to%20merge%20simple%20relay%2C%0A%09and%20add%09some%20basic%20antispam%20filtering&In-Reply-To=%3C20101119073554.GA25926%40maude.comedia.it%3E">
<META NAME="robots" CONTENT="index,nofollow">
<META http-equiv="Content-Type" content="text/html; charset=us-ascii">
<LINK REL="Previous" HREF="000634.html">
<LINK REL="Next" HREF="000667.html">
</HEAD>
<BODY BGCOLOR="#ffffff">
<H1>[Mageia-sysadm] [294] - start to merge simple relay, and add some basic antispam filtering</H1>
<B>Luca Berra</B>
<A HREF="mailto:mageia-sysadm%40mageia.org?Subject=Re%3A%20%5BMageia-sysadm%5D%20%5B294%5D%20-%20start%20to%20merge%20simple%20relay%2C%0A%09and%20add%09some%20basic%20antispam%20filtering&In-Reply-To=%3C20101119073554.GA25926%40maude.comedia.it%3E"
TITLE="[Mageia-sysadm] [294] - start to merge simple relay, and add some basic antispam filtering">bluca at vodka.it
</A><BR>
<I>Fri Nov 19 08:35:54 CET 2010</I>
<P><UL>
<LI>Previous message: <A HREF="000634.html">[Mageia-sysadm] [294] - start to merge simple relay, and add some basic antispam filtering
</A></li>
<LI>Next message: <A HREF="000667.html">[Mageia-sysadm] [294] - start to merge simple relay, and add some basic antispam filtering
</A></li>
<LI> <B>Messages sorted by:</B>
<a href="date.html#665">[ date ]</a>
<a href="thread.html#665">[ thread ]</a>
<a href="subject.html#665">[ subject ]</a>
<a href="author.html#665">[ author ]</a>
</LI>
</UL>
<HR>
<!--beginarticle-->
<PRE>On Thu, Nov 18, 2010 at 11:34:59PM +0100, <A HREF="https://www.mageia.org/mailman/listinfo/mageia-sysadm">root at mageia.org</A> wrote:
><i>+<% if classes.include?('postfix::simple_relay') %>
</I>><i> inet_interfaces = localhost
</I>><i>+<% else %>
</I>><i>+inet_interfaces = all
</I>><i>+<% end %>
</I>><i>+
</I>><i>+<% if classes.include?('postfix::smtp_server') %>
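</I>Review bot: in the inet_interfaces block, the else branch makes every
node without postfix::simple_relay listen on all interfaces, whether or
not it also has postfix::smtp_server, which is only tested on the next
line. Suggest emitting inet_interfaces = all inside the
postfix::smtp_server condition and keeping inet_interfaces = localhost
as the default.<i>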
</I>you can safely add:
smtpd_etrn_restrictions = reject
you should add:
smtpd_helo_required = yes
if you do checks based on helo here
><i>+smtpd_recipient_restrictions =
</I>><i>+# not done yet
</I>><i>+# permit_sasl_authenticated
</I>you should add
reject_sender_login_mismatch
and configure something like:
smtpd_sender_login_maps =
    proxy:ldap:/etc/postfix/smtpd_sender_login_maps.cf
server_host = <A HREF="ldaps://">ldaps://</A>
version = 3
search_base = dc=mageia,dc=org
query_filter = (|(mail=%s)(mailLocalAddress=%s))
# use this with groupOfNames to allow people to send on behalf of an
# alias (eg postmaster, abuse, etc)
#special_result_attribute = owner
result_attribute = uid
><i>+ permit_mynetworks
</I>><i>+ reject_unauth_destination
</I>><i>+ reject_unauth_pipelining
</I>this one should not be here ^^^^
put it into smtpd_data_restrictions, eg:
smtpd_data_restrictions = reject_unauth_pipelining, reject_multi_recipient_bounce
><i>+ reject_non_fqdn_recipient
</I>this should go before every permit to be useful, it is not useful at all
after reject_unauth_destination.
><i>+ reject_non_fqdn_sender
</I>i'd move it above permits, if some script fails, fix it.
><i>+ reject_non_fqdn_hostname
</I>Note1: this restriction has been renamed to
reject_non_fqdn_helo_hostname
Note2: i reckon it as a bad idea, there are too many people unable to
properly configure their mta to send an fqdn helo
><i>+ reject_invalid_hostname
</I>Note: this restriction has been renamed to
reject_non_fqdn_helo_hostname
><i>+ reject_unknown_recipient_domain
</I>this one has no use after reject_unauth_destination
><i>+ reject_unknown_sender_domain
</I>><i>+ reject_unknown_client
</I>Note1: this restriction has been renamed to
reject_unknown_client_hostname
Note2: this is _very_ strong, it will do both reverse and forward ns
lookups and reject mail if they don't match, i have seen valid
setups that fail under this condition, it is better to graylist these
you are missing
reject_unlisted_recipient
which should be set up together with
local_recipient_maps
and
relay_recipient_maps
i also have a number of possible additions, should i send those in?
L.
--
Luca Berra -- <A HREF="https://www.mageia.org/mailman/listinfo/mageia-sysadm">bluca at vodka.it</A>
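
Added example, not part of the original message and not Postfix or Mageia
code: a small Python lint that applies the ordering and naming comments
above to the restriction list from the quoted patch. The rule sets and the
function name lint are assumptions made for illustration; the rename table
follows postconf(5).

```python
# Added example: lint one smtpd_recipient_restrictions value against the
# review comments in this message. Hypothetical helper, not Postfix code.

# Pre-2.3 restriction names and their current names, per postconf(5).
RENAMED = {
    "reject_non_fqdn_hostname": "reject_non_fqdn_helo_hostname",
    "reject_invalid_hostname": "reject_invalid_helo_hostname",
    "reject_unknown_client": "reject_unknown_client_hostname",
}
# Recipient checks the review calls useless after reject_unauth_destination.
RECIPIENT_CHECKS = {"reject_non_fqdn_recipient",
                    "reject_unknown_recipient_domain"}
# Checks the review wants placed above every permit_* entry.
BEFORE_PERMITS = {"reject_non_fqdn_recipient", "reject_non_fqdn_sender"}

# Constructed input: the restriction list from the quoted patch, in order.
PATCH_RESTRICTIONS = """
    permit_mynetworks
    reject_unauth_destination
    reject_unauth_pipelining
    reject_non_fqdn_recipient
    reject_non_fqdn_sender
    reject_non_fqdn_hostname
    reject_invalid_hostname
    reject_unknown_recipient_domain
    reject_unknown_sender_domain
    reject_unknown_client
"""

def lint(value):
    """Return (restriction, finding) pairs for one restriction list."""
    findings = []
    seen_permit = seen_unauth = False
    for name in value.replace(",", " ").split():
        if name in RENAMED:
            findings.append((name, "renamed to " + RENAMED[name]))
        if name == "reject_unauth_pipelining":
            findings.append((name, "move to smtpd_data_restrictions"))
        if seen_unauth and name in RECIPIENT_CHECKS:
            findings.append((name, "no effect after reject_unauth_destination"))
        elif seen_permit and name in BEFORE_PERMITS:
            findings.append((name, "move above the permit_* entries"))
        seen_permit = seen_permit or name.startswith("permit_")
        seen_unauth = seen_unauth or name == "reject_unauth_destination"
    return findings

if __name__ == "__main__":
    for name, finding in lint(PATCH_RESTRICTIONS):
        print(f"{name}: {finding}")
```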
</PRE>
<!--endarticle-->
<hr>
<a href="https://www.mageia.org/mailman/listinfo/mageia-sysadm">More information about the Mageia-sysadm
mailing list</a><br>
</body></html>