Added a Check - Asking for a Review


Added a Check - Asking for a Review

Carlwill
Today I downloaded Ralf Hildebrandt's Postfix example and used his
'check_helo_access' example in my configuration. I have not 'reloaded'
Postfix yet because I want to make sure that I did not add this in and
cause any redundant checks or worse, break something. Can you guys
please review my main.cf and tell me if I added this into the correct
sections / order?

Below is an output of my 'postconf -n'

*****START POSTCONF -N*****

address_verify_sender = $double_bounce_sender
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases, hash:/etc/mailman/aliases
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = amavisfeed:[127.0.0.1]:10024
daemon_directory = /usr/libexec/postfix
home_mailbox = Maildir/
html_directory = no
inet_interfaces = all
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
message_size_limit = 20480000
mydestination = $myhostname, $mydomain, mail.$mydomain
mydomain = iamghost.com
myhostname = mail.iamghost.com
mynetworks = $config_directory/mynetworks
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
recipient_delimiter = +
relay_domains =
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_tls_security_level = may
smtpd_banner = $myhostname ESMTP
smtpd_delay_reject = yes
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks,
    permit_sasl_authenticated,
    reject_non_fqdn_helo_hostname,
    reject_invalid_helo_hostname
smtpd_recipient_restrictions = permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_pipelining,
    reject_non_fqdn_recipient,
    reject_unknown_recipient_domain,
    reject_unauth_destination,
    reject_unlisted_recipient,
    check_policy_service unix:postgrey/socket,
    check_sender_access hash:/etc/postfix/sender_access,
    check_helo_access pcre:/etc/postfix/helo_checks.pcre,
    reject_rbl_client zen.spamhaus.org,
    reject_rbl_client bl.spamcop.net
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = permit_mynetworks,
    permit_sasl_authenticated,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    reject_unknown_reverse_client_hostname,
    permit
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/ssl/mail.crt
smtpd_tls_key_file = /etc/ssl/mail.key
smtpd_tls_loglevel = 1
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:/var/spool/postfix/smtpd_tls_cache
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 550

*****END POSTCONF -N*****

As you can see I added the 'check_helo_access' in my
'smtpd_recipient_restrictions'. I was wondering if this was the
correct section in my main.cf for 'check_helo_access'? I thought this
would go in the 'smtpd_helo_restrictions' in my main.cf however I just
read in "The Book of Postfix" that this trigger applies to the
envelope recipient(s), sender, & the HELO/EHLO argument. To me that
makes it sound like all checks should be listed under
'smtpd_recipient_restrictions', no? Let me know what you think from my
'postconf -n' above and if it's not too much trouble, if anyone can
comment on my thoughts on why this particular trigger is listed under
the sections discussed in this paragraph. Thanks for any
clarification.

Re: Added a Check - Asking for a Review

Ralf Hildebrandt
* Carlos Williams <[hidden email]>:

> cause any redundant checks or worse, break something. Can you guys
why not use soft_bounce = yes :) ?

> check_helo_access pcre:/etc/postfix/helo_checks.pcre,
And what is the content of the file?

--
Ralf Hildebrandt
  Geschäftsbereich IT | Abteilung Netzwerk
  Charité - Universitätsmedizin Berlin
  Campus Benjamin Franklin
  Hindenburgdamm 30 | D-12203 Berlin
  Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
  [hidden email] | http://www.charite.de
           

Re: Added a Check - Asking for a Review

Carlwill
On Wed, Jan 20, 2010 at 10:20 AM, Ralf Hildebrandt
<[hidden email]> wrote:
> why not use soft_bounce = yes :) ?

I have never used it before. That sounds like a good idea.

>> check_helo_access     pcre:/etc/postfix/helo_checks.pcre,
> And what is the content of the file?

[root@mail postfix]# cat helo_checks.pcre
/^localhost$/          550 Don't use my own domain (localhost)!
/^iamghost\.com$/          550 Don't use my own domain!
/^64\.95\.64\.198$/             550 Your spam was rejected because you're forging my IP.
/^\[64\.95\.64\.198\]$/         550 Your spam was rejected because you're forging my IP.
/^mail\.iamghost\.com$/      550 Don't use my own hostname!
/^[0-9.-]+$/                        550 Your software is not RFC 2821 compliant: EHLO/HELO must be a domain or an address-literal (IP enclosed in []) - not a naked IP.

Beyond this file, does my main.cf file look correct to you?

Re: Added a Check - Asking for a Review

Ralf Hildebrandt
> /^localhost$/          550 Don't use my own domain (localhost)!
> /^iamghost\.com$/          550 Don't use my own domain!
> /^64\.95\.64\.198$/             550 Your spam was rejected because you're forging my IP.
> /^\[64\.95\.64\.198\]$/         550 Your spam was rejected because you're forging my IP.
> /^mail\.iamghost\.com$/      550 Don't use my own hostname!
> /^[0-9.-]+$/                        550 Your software is not RFC 2821 compliant: EHLO/HELO must be a domain or an address-literal (IP enclosed in []) - not a naked IP.
>
> Beyond this file, does my main.cf file look correct to you?

Looks OK.


I would merge:

smtpd_helo_restrictions = permit_mynetworks,
    permit_sasl_authenticated,
    reject_non_fqdn_helo_hostname,
    reject_invalid_helo_hostname

smtpd_recipient_restrictions = permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_pipelining,
    reject_non_fqdn_recipient,
    reject_unknown_recipient_domain,
    reject_unauth_destination,
    reject_unlisted_recipient,
    check_policy_service unix:postgrey/socket,
    check_sender_access hash:/etc/postfix/sender_access,
    check_helo_access pcre:/etc/postfix/helo_checks.pcre,
    reject_rbl_client zen.spamhaus.org,
    reject_rbl_client bl.spamcop.net
 
into:

smtpd_helo_restrictions =
smtpd_recipient_restrictions =
   permit_mynetworks,
   permit_sasl_authenticated,
   reject_unauth_destination,
   reject_non_fqdn_recipient,
   reject_unknown_recipient_domain,
   reject_non_fqdn_helo_hostname,
   reject_invalid_helo_hostname
   check_policy_service unix:postgrey/socket,
   reject_unlisted_recipient,
   check_sender_access hash:/etc/postfix/sender_access,
   check_helo_access pcre:/etc/postfix/helo_checks.pcre,
   reject_rbl_client zen.spamhaus.org,  
   reject_rbl_client bl.spamcop.net

smtpd_data_restrictions =
   reject_unauth_pipelining,

--
Ralf Hildebrandt
  Geschäftsbereich IT | Abteilung Netzwerk
  Charité - Universitätsmedizin Berlin
  Campus Benjamin Franklin
  Hindenburgdamm 30 | D-12203 Berlin
  Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
  [hidden email] | http://www.charite.de
           

Re: Added a Check - Asking for a Review

Carlwill
On Wed, Jan 20, 2010 at 10:34 AM, Ralf Hildebrandt
<[hidden email]> wrote:

> I would merge:
>
> smtpd_helo_restrictions = permit_mynetworks,
> permit_sasl_authenticated,    reject_non_fqdn_helo_hostname,
> reject_invalid_helo_hostname
>
> smtpd_recipient_restrictions = permit_mynetworks,
> permit_sasl_authenticated,   reject_unauth_pipelining,
> reject_non_fqdn_recipient,   reject_unknown_recipient_domain,
> reject_unauth_destination,   reject_unlisted_recipient,
> check_policy_service unix:postgrey/socket,   check_sender_access
>  hash:/etc/postfix/sender_access,
>  check_helo_access       pcre:/etc/postfix/helo_checks.pcre,
>  reject_rbl_client zen.spamhaus.org,   reject_rbl_client bl.spamcop.net
>
> into:

Thank you very much for your merge suggestion. I am reading your book
right now (page 70-72) and trying to understand the concept of the
merge suggestion. Would you mind explaining what benefit / performance
is attributed by merging all?

Are you suggesting I leave 'smtpd_helo_restrictions =' blank on my
main.cf or should I omit that completely since there are no variables
for this trigger?

Thank you so much for your time and assistance!

Re: Added a Check - Asking for a Review

Tobi
Carlos Williams wrote:

> On Wed, Jan 20, 2010 at 10:34 AM, Ralf Hildebrandt
> <[hidden email]> wrote:
>> I would merge:
>>
>> smtpd_helo_restrictions = permit_mynetworks,
>> permit_sasl_authenticated,    reject_non_fqdn_helo_hostname,
>> reject_invalid_helo_hostname
>>
>> smtpd_recipient_restrictions = permit_mynetworks,
>> permit_sasl_authenticated,   reject_unauth_pipelining,
>> reject_non_fqdn_recipient,   reject_unknown_recipient_domain,
>> reject_unauth_destination,   reject_unlisted_recipient,
>> check_policy_service unix:postgrey/socket,   check_sender_access
>>  hash:/etc/postfix/sender_access,
>>  check_helo_access       pcre:/etc/postfix/helo_checks.pcre,
>>  reject_rbl_client zen.spamhaus.org,   reject_rbl_client bl.spamcop.net
>>
>> into:
>
> Thank you very much for your merge suggestion. I am reading your book
> right now (page 70-72) and trying to understand the concept of the
> merge suggestion. Would you mind explaining what benefit / performance
> is attributed by merging all?
>
> Are you suggesting I leave 'smtpd_helo_restrictions =' blank on my
> main.cf or should I omit that completely since there are no variables
> for this trigger?
>
> Thank you so much for your time and assistance!

For me it makes only sense to have separate smtpd_helo and
smtpd_recipient restrictions if you set smtpd_delay_reject to no. If set to
yes the check will anyway be performed only when the RCPT TO command is
received.
Furthermore at the time of HELO there is no SASL auth done yet. So this
setting does nothing there.
@Ralf
would it not make more sense to place check_sender_access before the
check_policy_service? Otherwise you might greylist senders you don't
want (like maillists)

Regards

tobi

Re: Added a Check - Asking for a Review

Ralf Hildebrandt
In reply to this post by Carlwill
* Carlos Williams <[hidden email]>:

> Thank you very much for your merge suggestion. I am reading your book
> right now (page 70-72) and trying to understand the concept of the
> merge suggestion. Would you mind explaining what benefit / performance
> is attributed by merging all?

It makes it easier to read :)
 
> Are you suggesting I leave 'smtpd_helo_restrictions =' blank on my
> main.cf or should I omit that completely since there are no variables
> for this trigger?

That is the same :)

--
Ralf Hildebrandt
  Geschäftsbereich IT | Abteilung Netzwerk
  Charité - Universitätsmedizin Berlin
  Campus Benjamin Franklin
  Hindenburgdamm 30 | D-12203 Berlin
  Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
  [hidden email] | http://www.charite.de
           

Re: Added a Check - Asking for a Review

Ralf Hildebrandt
In reply to this post by Tobi
* tobi <[hidden email]>:

> @Ralf
> would it not make more sense to place check_sender_access before the
> check_policy_service? Otherwise you might greylist senders you don't
> want (like maillists)

I was thinking about this as well... Up to you I guess :)

--
Ralf Hildebrandt
  Geschäftsbereich IT | Abteilung Netzwerk
  Charité - Universitätsmedizin Berlin
  Campus Benjamin Franklin
  Hindenburgdamm 30 | D-12203 Berlin
  Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
  [hidden email] | http://www.charite.de
           

Re: Added a Check - Asking for a Review

mouss-4
In reply to this post by Ralf Hildebrandt
Ralf Hildebrandt wrote:
> * Carlos Williams <[hidden email]>:
>
>> Thank you very much for your merge suggestion. I am reading your book
>> right now (page 70-72) and trying to understand the concept of the
>> merge suggestion. Would you mind explaining what benefit / performance
>> is attributed by merging all?
>
> It makes it easier to read :)
>  

I generally do this:

- all anti-spam checks are under smtpd_recipient_restrictions
- other checks (such as enforcing sender-login match, restricting who
can send to some  addresses ...etc) go elsewhere.

This way, the latter can apply to all mail (even outbound mail) without
the risk of becoming an open relay...

>> Are you suggesting I leave 'smtpd_helo_restrictions =' blank on my
>> main.cf or should I omit that completely since there are no variables
>> for this trigger?
>
> That is the same :)
>


Re: Added a Check - Asking for a Review

Carlwill
In reply to this post by Ralf Hildebrandt
On Wed, Jan 20, 2010 at 10:34 AM, Ralf Hildebrandt
<[hidden email]> wrote:

>> /^localhost$/                     550 Don't use my own domain (localhost)!
>> /^iamghost\.com$/                 550 Don't use my own domain!
>> /^64\.95\.64\.198$/             550 Your spam was rejected because you're forging my IP.
>> /^\[64\.95\.64\.198\]$/         550 Your spam was rejected because you're forging my IP.
>> /^mail\.iamghost\.com$/           550 Don't use my own hostname!
>> /^[0-9.-]+$/                        550 Your software is not RFC 2821 compliant: EHLO/HELO must be a domain or an address-literal (IP enclosed in []) - not a naked IP.
>>
>> Beyond this file, does my main.cf file look correct to you?
>
> Looks OK.

Why did this email get through Postfix if I followed Ralf's
example of 'helo_checks.pcre'? I posted my postconf -n previously in
this message and above you can see the contents of 'helo_checks.pcre'
& I would think this would prevent anyone from sending mail to my
Postfix server spoofing my domain in the headers. Am I wrong? I got
the following email this weekend:

Return-Path: <[hidden email]>
X-Original-To: [hidden email]
Delivered-To: [hidden email]
Received: from localhost (localhost.localdomain [127.0.0.1])
   by mail.iamghost.com (Postfix) with ESMTP id EC5B277ADD6
   for <[hidden email]>; Sat, 27 Feb 2010 15:05:50 -0500 (EST)
X-Virus-Scanned: amavisd-new at iamghost.com
X-Spam-Flag: YES
X-Spam-Score: 7.457
X-Spam-Level: *******
X-Spam-Status: Yes, score=7.457 tagged_above=-999 required=5
   tests=[BAYES_50=0.001, HTML_MESSAGE=0.001, MIME_HTML_ONLY=1.457,
   RCVD_IN_BL_SPAMCOP_NET=1.96, RCVD_IN_PBL=0.905, RCVD_IN_XBL=3.033,
   RDNS_NONE=0.1] autolearn=no
Received: from mail.iamghost.com ([127.0.0.1])
   by localhost (iamghost.com [127.0.0.1]) (amavisd-new, port 10024)
   with LMTP id awUEbrkCfcvq for <[hidden email]>;
   Sat, 27 Feb 2010 15:05:50 -0500 (EST)
Received: from ambianceimports.com (unknown [89.204.40.160])
   by mail.iamghost.com (Postfix) with SMTP id 179C477ADB5
   for <[hidden email]>; Sat, 27 Feb 2010 15:05:48 -0500 (EST)
To: <[hidden email]>
Subject: ***SPAM*** Delivery Status Notification
From: Inez <[hidden email]>
MIME-Version: 1.0
Content-Type: text/html; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Message-Id: <[hidden email]>
Date: Sat, 27 Feb 2010 15:05:48 -0500 (EST)

I thought this was the point of adding the 'helo_checks' but I think I
am missing something. Can anyone please help explain what I did wrong
or am missing? I think this email should have been prevented with:

/^iamghost\.com$/          550 Don't use my own domain

The headers of this email show the spammer spoofed this email to come
from '[hidden email]'.

*Below is my output of 'postconf -n':

address_verify_sender = $double_bounce_sender
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases, hash:/etc/mailman/aliases
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = amavisfeed:[127.0.0.1]:10024
daemon_directory = /usr/libexec/postfix
home_mailbox = Maildir/
html_directory = no
inet_interfaces = all
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
message_size_limit = 20480000
mydestination = $myhostname, $mydomain, mail.$mydomain
mydomain = iamghost.com
myhostname = mail.iamghost.com
mynetworks = $config_directory/mynetworks
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
recipient_delimiter = +
relay_domains =
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_tls_security_level = may
smtpd_banner = $myhostname ESMTP
smtpd_delay_reject = yes
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks,
    permit_sasl_authenticated,
    reject_non_fqdn_helo_hostname,
    reject_invalid_helo_hostname
smtpd_recipient_restrictions = permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_pipelining,
    reject_non_fqdn_recipient,
    reject_unknown_recipient_domain,
    reject_unauth_destination,
    reject_unlisted_recipient,
    check_policy_service unix:postgrey/socket,
    check_sender_access hash:/etc/postfix/sender_access,
    check_helo_access pcre:/etc/postfix/helo_checks.pcre,
    reject_rbl_client zen.spamhaus.org,
    reject_rbl_client bl.spamcop.net
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = permit_mynetworks,
    permit_sasl_authenticated,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    reject_unknown_reverse_client_hostname,
    permit
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/ssl/mail.crt
smtpd_tls_key_file = /etc/ssl/mail.key
smtpd_tls_loglevel = 1
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:/var/spool/postfix/smtpd_tls_cache
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 550

Re: Added a Check - Asking for a Review

Sahil Tandon
On Sun, 28 Feb 2010, Carlos Williams wrote:

> Received: from mail.iamghost.com ([127.0.0.1])
>    by localhost (iamghost.com [127.0.0.1]) (amavisd-new, port 10024)
>    with LMTP id awUEbrkCfcvq for <[hidden email]>;
>    Sat, 27 Feb 2010 15:05:50 -0500 (EST)
> Received: from ambianceimports.com (unknown [89.204.40.160])
>    by mail.iamghost.com (Postfix) with SMTP id 179C477ADB5
>    for <[hidden email]>; Sat, 27 Feb 2010 15:05:48 -0500 (EST)
>
> I thought this was the point of adding the 'helo_checks' but I think I
> am missing something. Can anyone please help explain what I did wrong
> or am missing? I think this email should have been prevented with:
>
> /^iamghost\.com$/          550 Don't use my own domain

Where in the headers do you see evidence that the spamming server tried
to HELO with iamghost.com?

--
Sahil Tandon <[hidden email]>

Re: Added a Check - Asking for a Review

Noel Jones-2
In reply to this post by Carlwill
On 2/28/2010 2:26 PM, Carlos Williams wrote:

> On Wed, Jan 20, 2010 at 10:34 AM, Ralf Hildebrandt
> <[hidden email]>  wrote:
>>> /^localhost$/                     550 Don't use my own domain (localhost)!
>>> /^iamghost\.com$/                 550 Don't use my own domain!
>>> /^64\.95\.64\.198$/             550 Your spam was rejected because you're forging my IP.
>>> /^\[64\.95\.64\.198\]$/         550 Your spam was rejected because you're forging my IP.
>>> /^mail\.iamghost\.com$/           550 Don't use my own hostname!
>>> /^[0-9.-]+$/                        550 Your software is not RFC 2821 compliant: EHLO/HELO must be a domain or an address-literal (IP enclosed in []) - not a naked IP.
>>>
>>> Beyond this file, does my main.cf file look correct to you?
>>
>> Looks OK.
>
> Why did this email get through Postfix if I followed Ralf's
> example of 'helo_checks.pcre'? I posted my postconf -n previously in
> this message and above you can see the contents of 'helo_checks.pcre'
> & I would think this would prevent anyone from sending mail to my
> Postfix server spoofing my domain in the headers. Am I wrong? I got
> the following email this weekend:
>
> Return-Path:<[hidden email]>
> X-Original-To: [hidden email]
> Delivered-To: [hidden email]
> Received: from localhost (localhost.localdomain [127.0.0.1])
>     by mail.iamghost.com (Postfix) with ESMTP id EC5B277ADD6
>     for<[hidden email]>; Sat, 27 Feb 2010 15:05:50 -0500 (EST)
> X-Virus-Scanned: amavisd-new at iamghost.com
> X-Spam-Flag: YES
> X-Spam-Score: 7.457
> X-Spam-Level: *******
> X-Spam-Status: Yes, score=7.457 tagged_above=-999 required=5
>     tests=[BAYES_50=0.001, HTML_MESSAGE=0.001, MIME_HTML_ONLY=1.457,
>     RCVD_IN_BL_SPAMCOP_NET=1.96, RCVD_IN_PBL=0.905, RCVD_IN_XBL=3.033,
>     RDNS_NONE=0.1] autolearn=no
> Received: from mail.iamghost.com ([127.0.0.1])
>     by localhost (iamghost.com [127.0.0.1]) (amavisd-new, port 10024)
>     with LMTP id awUEbrkCfcvq for<[hidden email]>;
>     Sat, 27 Feb 2010 15:05:50 -0500 (EST)
> Received: from ambianceimports.com (unknown [89.204.40.160])
>     by mail.iamghost.com (Postfix) with SMTP id 179C477ADB5
>     for<[hidden email]>; Sat, 27 Feb 2010 15:05:48 -0500 (EST)
> To:<[hidden email]>
> Subject: ***SPAM*** Delivery Status Notification
> From: Inez<[hidden email]>
> MIME-Version: 1.0
> Content-Type: text/html; charset="ISO-8859-1"
> Content-Transfer-Encoding: 7bit
> Message-Id:<[hidden email]>
> Date: Sat, 27 Feb 2010 15:05:48 -0500 (EST)
>
> I thought this was the point of adding the 'helo_checks' but I think I
> am missing something. Can anyone please help explain what I did wrong
> or am missing? I think this email should have been prevented with:
>
> /^iamghost\.com$/          550 Don't use my own domain
>
> The headers of this email show the spammer spoofed this email to come
> from '[hidden email]'.

Learn to read the Received: headers.

Received: from helo_hostname (client_hostname [client.ip])
    by myname (Postfix) with SMTP id QUEUEID
    for <recipient>; date

(the "for <recipient>" part is omitted if there is more than
one recipient.)

Your check is for the helo_hostname, which is ambianceimports.com.

If you want to prevent your own domain as sender address in
outside mail, you'll need to add a check_sender_access map for
that.

   -- Noel Jones

>
> *Below is my output of 'postconf -n':
>
> address_verify_sender = $double_bounce_sender
> alias_database = hash:/etc/aliases
> alias_maps = hash:/etc/aliases, hash:/etc/mailman/aliases
> broken_sasl_auth_clients = yes
> command_directory = /usr/sbin
> config_directory = /etc/postfix
> content_filter = amavisfeed:[127.0.0.1]:10024
> daemon_directory = /usr/libexec/postfix
> home_mailbox = Maildir/
> html_directory = no
> inet_interfaces = all
> mail_owner = postfix
> mailq_path = /usr/bin/mailq.postfix
> manpage_directory = /usr/share/man
> message_size_limit = 20480000
> mydestination = $myhostname, $mydomain, mail.$mydomain
> mydomain = iamghost.com
> myhostname = mail.iamghost.com
> mynetworks = $config_directory/mynetworks
> myorigin = $mydomain
> newaliases_path = /usr/bin/newaliases.postfix
> queue_directory = /var/spool/postfix
> recipient_delimiter = +
> relay_domains =
> sendmail_path = /usr/sbin/sendmail.postfix
> setgid_group = postdrop
> smtp_tls_security_level = may
> smtpd_banner = $myhostname ESMTP
> smtpd_delay_reject = yes
> smtpd_helo_required = yes
> smtpd_helo_restrictions = permit_mynetworks,
> permit_sasl_authenticated,    reject_non_fqdn_helo_hostname,
> reject_invalid_helo_hostname
> smtpd_recipient_restrictions = permit_mynetworks,
> permit_sasl_authenticated,   reject_unauth_pipelining,
> reject_non_fqdn_recipient,   reject_unknown_recipient_domain,
> reject_unauth_destination,   reject_unlisted_recipient,
> check_policy_service unix:postgrey/socket,   check_sender_access
>   hash:/etc/postfix/sender_access,
> check_helo_access       pcre:/etc/postfix/helo_checks.pcre,
> reject_rbl_client zen.spamhaus.org,   reject_rbl_client bl.spamcop.net
> smtpd_sasl_auth_enable = yes
> smtpd_sasl_path = private/auth
> smtpd_sasl_security_options = noanonymous
> smtpd_sasl_type = dovecot
> smtpd_sender_restrictions = permit_mynetworks,
> permit_sasl_authenticated,    reject_non_fqdn_sender,
> reject_unknown_sender_domain,
> reject_unknown_reverse_client_hostname,     permit
> smtpd_tls_auth_only = yes
> smtpd_tls_cert_file = /etc/ssl/mail.crt
> smtpd_tls_key_file = /etc/ssl/mail.key
> smtpd_tls_loglevel = 1
> smtpd_tls_security_level = may
> smtpd_tls_session_cache_database = btree:/var/spool/postfix/smtpd_tls_cache
> smtpd_tls_session_cache_timeout = 3600s
> tls_random_source = dev:/dev/urandom
> unknown_local_recipient_reject_code = 550
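
The point of Noel's reply, as an added example that is not code from the thread or from Postfix: it parses the spam's `Received:` line using the layout he gives, runs the HELO name through the thread's `helo_checks.pcre` rules, and then runs a separate envelope-sender lookup. The `SENDER_ACCESS` entry, the sender address and the simplified address/domain lookup are assumptions made for illustration.

```python
import re

# Received: layout as Noel Jones describes it above:
#   from helo_hostname (client_hostname [client.ip]) by myname ...
RECEIVED_RE = re.compile(
    r"^Received:\s+from\s+(?P<helo>\S+)\s+"
    r"\((?P<client>\S+)\s+\[(?P<ip>[^\]]+)\]\)\s+"
    r"by\s+(?P<by>\S+)",
    re.IGNORECASE,
)

# Rules from the thread's helo_checks.pcre (dots escaped, reject texts shortened).
HELO_RULES = [
    (r"^localhost$", "550 Don't use my own domain (localhost)!"),
    (r"^iamghost\.com$", "550 Don't use my own domain!"),
    (r"^64\.95\.64\.198$", "550 forging my IP"),
    (r"^\[64\.95\.64\.198\]$", "550 forging my IP"),
    (r"^mail\.iamghost\.com$", "550 Don't use my own hostname!"),
    (r"^[0-9.-]+$", "550 EHLO/HELO must not be a naked IP"),
]

# Constructed sender_access entry (assumption; the thread never shows this file).
SENDER_ACCESS = {"iamghost.com": "REJECT"}

# The spam's first hop, copied from the headers posted in the thread.
SPAM_RECEIVED = """Received: from ambianceimports.com (unknown [89.204.40.160])
   by mail.iamghost.com (Postfix) with SMTP id 179C477ADB5"""

# Constructed envelope sender; the real address is hidden on the page.
SPOOFED_SENDER = "<someone@iamghost.com>"


def parse_received(header):
    """Unfold a Received: header and split out the fields Noel names."""
    unfolded = " ".join(header.split())
    match = RECEIVED_RE.match(unfolded)
    if match is None:
        raise ValueError("not in 'from helo (client [ip]) by myname' form")
    return match.groupdict()


def check_helo_access(helo):
    """First matching rule wins; pcre tables ignore case by default."""
    for pattern, action in HELO_RULES:
        if re.search(pattern, helo, re.IGNORECASE):
            return action
    return "DUNNO"


def check_sender_access(sender):
    """Simplified lookup: full address first, then the bare domain."""
    address = sender.strip("<>").lower()
    domain = address.rpartition("@")[2]
    for key in (address, domain):
        if key in SENDER_ACCESS:
            return SENDER_ACCESS[key]
    return "DUNNO"


def evaluate(received_header, envelope_sender):
    """Show which input each check sees and what it decides."""
    fields = parse_received(received_header)
    return {
        "helo": fields["helo"],
        "client_ip": fields["ip"],
        "helo_verdict": check_helo_access(fields["helo"]),
        "sender_verdict": check_sender_access(envelope_sender),
    }


if __name__ == "__main__":
    for name, value in evaluate(SPAM_RECEIVED, SPOOFED_SENDER).items():
        print(f"{name}: {value}")
```

In a real restriction list the sender lookup has to come after `permit_mynetworks` and `permit_sasl_authenticated`, as `check_sender_access` already does in the posted configuration, so that the site's own users can still send with their own domain.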