Anti-spam relay with local users too


M. Rodrigo Monteiro
Hello all.

It has been a while since my last touch with Postfix, so I need your help.
I'm using this guide http://wanderingbarque.com/howtos/mailserver/mailserver.html to have Postfix + Dovecot + SASL + OpenLDAP + Jamm.
The Dovecot part is ok, I can log in and send/receive e-mail. Now I'm configuring Postfix to have some anti-spam features (anti-virus and so later).
What I want to do with Postfix for now is:
1) When receiving e-mail
1.1) If it's not a local domain, and it's in transport_maps, relay to another server
1.2) If it's a local domain, check for a list of valid local users, and reject if a user doesn't exist.
1.3) If it's not local/transport_maps domain, reject.
2) When sending e-mail
2.1) If it's to a local domain, deliver it locally
2.2) If it's to a domain in transport_maps, send to another server
2.2) If it's not to local/transport_maps domain, send to the internet

Please help with all this configuration, because I'm blind with all the changes that I made in the main.cf.
With my configuration now, when I send an e-mail to a user in the transport_map domain, the e-mail is rejected by "Recipient address rejected: User unknown in relay recipient table". Sending locally/Internet is ok.

The OS is Debian Etch (updated), with all compiled packages from source.

# postconf mail_version
mail_version = 2.5.2

# postconf -n
alias_database =
alias_maps = $alias_database
bounce_queue_lifetime = 1d
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
home_mailbox = Maildir/
html_directory = /etc/postfix/html
inet_interfaces = $myhostname, localhost
local_recipient_maps = ldap:accounts, ldap:aliases
mail_owner = postfix
mailq_path = /usr/bin/mailq
manpage_directory = /usr/local/man
maximal_queue_lifetime = 1d
message_size_limit = 10485760
mydestination =
mydomain = XXXXXX.ce.gov.br
myhostname = testemail.XXXXXX.ce.gov.br
mynetworks = XXX.XXX.XXX.XXX/32, XXX.XXX.XXX.XXX/32, XXX.XXX.XXX.XXX/32
mynetworks_style = host
myorigin = [hidden email]
newaliases_path = /usr/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = /etc/postfix/readme
relay_domains = $transport_maps
relay_recipient_maps = hash:/etc/postfix/relay_recipients
sample_directory = /etc/postfix
sendmail_path = /usr/sbin/sendmail
setgid_group = postdrop
smtp_sasl_auth_enable = no
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_unauth_pipelining, reject_multi_recipient_bounce, reject_unauth_destination, permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
smtpd_sasl_security_options = noanonymous
transport_maps = hash:/etc/postfix/transport_maps
unknown_local_recipient_reject_code = 550
virtual_alias_maps = ldap:aliases
virtual_gid_maps = static:200
virtual_mailbox_base = /home/vmail/domains
virtual_mailbox_domains = ldap:domains
virtual_mailbox_maps = ldap:accounts
virtual_minimum_uid = 200
virtual_transport = virtual
virtual_uid_maps = static:200


Regards,
Rodrigo.


--
M. Rodrigo Monteiro
[hidden email]
"Free as in Freedom, not free as in free beer"
Linux User # 403730

Re: Anti-spam relay with local users too

Brian Evans - Postfix List
M. Rodrigo Monteiro wrote:

> Hello all.
>
> It has been a while since my last touch with Postfix, so I need your help.
> I'm using this guide
> http://wanderingbarque.com/howtos/mailserver/mailserver.html to have
> Postfix + Dovecot + SASL + OpenLDAP + Jamm.
> The Dovecot part is ok, I can log in and send/receive e-mail. Now I'm
> configuring Postfix to have some anti-spam features (anti-virus and so
> later).
> What I want to do with Postfix for now is:
> 1) When receiving e-mail
> 1.1) If it's not a local domain, and it's in transport_maps, relay to
> another server
This is not the purpose of transport_maps feature.  transport_maps is a
redirect using what you say instead of a DNS lookup for the MX (though
it still may incur a DNS lookup).
Are these a controlled list of domains and users?  Look into
relay_domains AND relay_recipient_maps.  Never relay blindly.
> 1.2) If it's a local domain, check for a list of valid local users,
> and reject if a user doesn't exist.
> 1.3) If it's not local/transport_maps domain, reject.
This is default behavior.

> 2) When sending e-mail
> 2.1) If it's to a local domain, deliver it locally
> 2.2) If it's to a domain in transport_maps, send to another server
> 2.2) If it's not to local/transport_maps domain, send to the internet
>
> Please help with all this configuration, because I'm blind with all
> the changes that I made in the main.cf.
> With my configuration now, when I send an e-mail to a user in the
> transport_map domain, the e-mail is rejected by "Recipient address
> rejected: User unknown in relay recipient table". Sending
> locally/Internet is ok.
>
> The OS is Debian Etch (updated), with all compiled packages from source.
>
> # postconf mail_version
> mail_version = 2.5.2
>
> # postconf -n
> alias_database =
> alias_maps = $alias_database
> bounce_queue_lifetime = 1d
> command_directory = /usr/sbin
> config_directory = /etc/postfix
> daemon_directory = /usr/libexec/postfix
> data_directory = /var/lib/postfix
> debug_peer_level = 2
> home_mailbox = Maildir/
> html_directory = /etc/postfix/html
> inet_interfaces = $myhostname, localhost
> local_recipient_maps = ldap:accounts, ldap:aliases
> mail_owner = postfix
> mailq_path = /usr/bin/mailq
> manpage_directory = /usr/local/man
> maximal_queue_lifetime = 1d
This is very short, DNS temp failures may take 48 hours to correct.
> message_size_limit = 10485760
> mydestination =
> mydomain = XXXXXX.ce.gov.br
> myhostname = testemail.XXXXXX.ce.gov.br
> mynetworks = XXX.XXX.XXX.XXX/32, XXX.XXX.XXX.XXX/32, XXX.XXX.XXX.XXX/32
> mynetworks_style = host
> myorigin = [hidden email]
myorigin should be a machine not an address.  Use the default,
$myhostname, if unsure.
> newaliases_path = /usr/bin/newaliases
> queue_directory = /var/spool/postfix
> readme_directory = /etc/postfix/readme
> relay_domains = $transport_maps
Um.. don't do this.
It is much better to have a separate map file because transport_maps MAY
list domains in any direction and may be for internal use in your future.

> relay_recipient_maps = hash:/etc/postfix/relay_recipients
> sample_directory = /etc/postfix
> sendmail_path = /usr/sbin/sendmail
> setgid_group = postdrop
> smtp_sasl_auth_enable = no
> smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_unauth_pipelining, reject_multi_recipient_bounce, reject_unauth_destination, permit
Highly suggested to move reject_unauth_destination to just after
permit_sasl_authenticated.
This keeps you safe from open relay if you add rules in the future
before it.
Also, it's a very inexpensive check compared to some others you have listed.
Consider using check_rbl_client zen.spamhaus.org in there near the end
too or a policy service such as policyd-weight or postfwd to score hosts.

> smtpd_sasl_auth_enable = yes
> smtpd_sasl_local_domain =
> smtpd_sasl_security_options = noanonymous
> transport_maps = hash:/etc/postfix/transport_maps
> unknown_local_recipient_reject_code = 550
> virtual_alias_maps = ldap:aliases
> virtual_gid_maps = static:200
> virtual_mailbox_base = /home/vmail/domains
> virtual_mailbox_domains = ldap:domains
> virtual_mailbox_maps = ldap:accounts
> virtual_minimum_uid = 200
> virtual_transport = virtual
> virtual_uid_maps = static:200
>
>
> Regards,
> Rodrigo.
>
>
> --
> M. Rodrigo Monteiro
> [hidden email]
> "Free as in Freedom, not free as in free beer"
> Linux User # 403730


Re: Anti-spam relay with local users too

M. Rodrigo Monteiro
Ok.
Now, when I don't have the relayhost = gateway, I can send e-mail to
the internet.
But when I set it, I get the "Relay access denied" message.

relayhost = XXX.XXX.XXX.XXX
relay_recipient_maps = hash:/etc/postfix/relay_recipients_maps
relay_domains = hash:/etc/postfix/relay_domains
transport_maps = hash:/etc/postfix/transport_maps


relayhost = internal_server

# cat relay_recipients_maps
@internal.domain.not.local OK
[hidden email] OK

# cat relay_domains
internal.domain.not.local OK

# cat transport_maps
internal.domain.not.local smtp:internal_server

What's wrong?


Thanks,
Rodrigo

--
M. Rodrigo Monteiro
[hidden email]
"Free as in Freedom, not free as in free beer"
Linux User # 403730

Re: Anti-spam relay with local users too

Brian Evans - Postfix List
M. Rodrigo Monteiro wrote:

>
> Ok.
> Now, when I don't have the relayhost = gateway, I can send e-mail to
> the internet.
> But when I set it, I get the "Relay access denied" message.
>
> relayhost = XXX.XXX.XXX.XXX
> relay_recipient_maps = hash:/etc/postfix/relay_recipients_maps
> relay_domains = hash:/etc/postfix/relay_domains
> transport_maps = hash:/etc/postfix/transport_maps
>
>
> relayhost = internal_server
>  
relayhost is where to route ALL non-local mail that is *not* contained
in transport_maps or other defined transports.

You should not set it unless you need to relay through your ISP or other
mail provider for non-local/internet mail.
If you *do* need it, read, and post if you don't understand, the entire
error message unmodified from the logs (obscure IPs and domains if you
like).

Brian

Re: Anti-spam relay with local users too

mouss-2
In reply to this post by M. Rodrigo Monteiro
M. Rodrigo Monteiro wrote:
> [snip]
>
> Ok.
> Now, when I don't have the relayhost = gateway, I can send e-mail to
> the internet.
> But when I set it, I get the "Relay access denied" message.

The relayhost is supposed to accept relaying _all_ mail from you.

if it's not the case, do not use the host as a relay host. instead use
transport_maps so that only selected domains are passed to the relay.

>
> relayhost = XXX.XXX.XXX.XXX
> relay_recipient_maps = hash:/etc/postfix/relay_recipients_maps
> relay_domains = hash:/etc/postfix/relay_domains
> transport_maps = hash:/etc/postfix/transport_maps
>
>
> relayhost = internal_server
>
> # cat relay_recipients_maps
> @internal.domain.not.local OK

this breaks recipient validation: all addresses
*@internal.domain.not.local will be accepted by postfix. make sure they
are accepted by the final server (otherwise, you'll generate bounces and
become a backscatter source. google for backscatter if you don't
understand what this means).

> [hidden email] OK
>
> # cat relay_domains
> internal.domain.not.local OK
>
> # cat transport_maps
> internal.domain.not.local smtp:internal_server
>
> What's wrong?
>
>
> Thanks,
> Rodrigo
>


Re: Anti-spam relay with local users too

M. Rodrigo Monteiro
In reply to this post by Brian Evans - Postfix List
Hi.

2008/7/22 Brian Evans - Postfix List <[hidden email]>:

>
> relayhost is where to route ALL non-local mail that is *not* contained in
> transport_maps or other defined transports.
>
> You should not set it unless you need to relay through your ISP or other
> mail provider for non-local/internet mail.
> If you *do* need it, read, and post if you don't understand, the entire
> error message unmodified from the logs (obscure IPs and domains if you
> like).
>
> Brian
>


Let me explain better what I want.

I wanna know how to configure these 2 situations:

1) Postfix with local domains (domain-local.com) and subdomains,
receiving e-mail and checking a list for local users (rejecting if the
user is unknown), and relaying (smarthost) to a qmail
(domain-qmail.com)
2) Same as 1, but qmail won't be the smarthost, only relay the domains
that are for domain-qmail.com


Config 1:
relayhost = [domain-qmail-IP]
relay_recipient_maps = hash:/etc/postfix/relay_recipient_maps

# cat relay_recipients_map
[hidden email] OK
[hidden email] OK

What more should I need?
With this, I get the "Relay access denied" whenever I send an e-mail
to domain-qmail or to the internet.

--
M. Rodrigo Monteiro
[hidden email]
"Free as in Freedom, not free as in free beer"
Linux User # 403730

Re: Anti-spam relay with local users too

Brian Evans - Postfix List
M. Rodrigo Monteiro wrote:

> Hi.
>
> 2008/7/22 Brian Evans - Postfix List <[hidden email]>:
>  
>> relayhost is where to route ALL non-local mail that is *not* contained in
>> transport_maps or other defined transports.
>>
>> You should not set it unless you need to relay through your ISP or other
>> mail provider for non-local/internet mail.
>> If you *do* need it, read, and post if you don't understand, the entire
>> error message unmodified from the logs (obscure IPs and domains if you
>> like).
>>
>> Brian
>>
>>    
>
>
> Let me explain better what I want.
>
> I wanna know how to configure these 2 situations:
>
> 1) Postfix with local domains (domain-local.com) and subdomains,
> receiving e-mail and checking a list for local users (rejecting if the
> user is unknown), and relaying (smarthost) to a qmail
> (domain-qmail.com)
> 2) Same as 1, but qmail won't be the smarthost, only relay the domains
> that are for domain-qmail.com
>
>
> Config 1:
> relayhost = [domain-qmail-IP]
> relay_recipient_maps = hash:/etc/postfix/relay_recipient_maps
>
> # cat relay_recipients_map
> [hidden email] OK
> [hidden email] OK
>
> What more should I need?
> With this, I get the "Relay access denied" whenever I send an e-mail
> to domain-qmail or to the internet.
>
>  
If you only want to relay to an internal machine, do what I list above
and adjust how mouss pointed out.

Your case should *not* set relayhost.  Do not confuse relayhost and
transport_maps features.  Setting one does not require the other.
You *only* should set relayhost if your ISP blocks port 25 access to the
internet *or* an internal smtpd pointing to an external sending smtpd
that you control.
Setting NO relayhost simply means mail will be delivered directly as per
the DNS MX records from the machine.  transport_maps will take
precedence over DNS and relayhost.

You want to set the relay_domains for your other smtp server, with maps
that point to users *not* wild cards (use mysql, ldap, or other db for
more scaling updates if needed).
Then, set a *single* transport_maps for that internal server which
Postfix is smart hosting.

If the relayed server sends *back* through the Postfix machine, you can
set the IP in mynetworks if you trust them not to send spam.

Brian


Re: Anti-spam relay with local users too

mouss-2
In reply to this post by mouss-2
M. Rodrigo Monteiro wrote:

> Hi.
>
> 2008/7/22 mouss <[hidden email]>:
>> The relayhost is supposed to accept relaying _all_ mail from you.
>>
>> if it's not the case, do not use the host as a relay host. instead use
>> transport_maps so that only selected domains are passed to the relay.
>>
>
> Yes, it's the case.
> I have 4 domains (with 5 more subdomains) locally and I relay e-mail
> to another server (internal) with about 100 domains (and subdomains).
> This other server is my relayhost too.
>

ok.


>> this breaks recipient validation: all addresses *@internal.domain.not.local
>> will be accepted by postfix. make sure they are accepted by the final server
>> (otherwise, you'll generate bounces and become a backscatter source. google
>> for backscatter if you don't understand what this means).
>>
>
> Yes, they will be accepted in the other server.
> But what if an e-mail arrives to an unknown user in the other server,
> the first server relays to the other, and it bounces back to Postfix. What
> will it do? Send again to the other server, or bounce to the original
> client (from)?

postfix will try to forward the message but the relay will reject it.
then postfix will generate a bounce to the (probably forged) sender.
thus the backscatter.

>
> BTW, this is my logs:
>
> To gmail.com (Rejected)
> Jul 22 14:54:42 XXXXX postfix/smtpd[15371]: connect from unknown[XXX.XXX.XXX.55]
> Jul 22 14:54:42 XXXXX postfix/smtpd[15371]: NOQUEUE: reject: RCPT from
> unknown[XXX.XXX.XXX.55]: 554 5.7.1 <[hidden email]>: Relay access
> denied; from=<[hidden email]> to=<[hidden email]>
> proto=ESMTP helo=<[XXX.XXX.XXX.55]>
> Jul 22 14:54:44 XXXXX postfix/smtpd[15371]: disconnect from
> unknown[XXX.XXX.XXX.55]

relay was rejected because XXX.XXX.XXX.55 is not in mynetworks and did
not authenticate. if XXX.XXX.XXX.55 is an internal machine that should
be able to relay without authentication, then add it to mynetworks.

>
> [snip]
>


Re: Anti-spam relay with local users too

Sandy Drobic-2
In reply to this post by M. Rodrigo Monteiro
M. Rodrigo Monteiro wrote:

> Hello all.
>
> It has been a while since my last touch with Postfix, so I need your help.
> I'm using this guide
> http://wanderingbarque.com/howtos/mailserver/mailserver.html to have
> Postfix + Dovecot + SASL + OpenLDAP + Jamm.
> The Dovecot part is ok, I can log in and send/receive e-mail. Now I'm
> configuring Postfix to have some anti-spam features (anti-virus and so
> later).
> What I want to do with Postfix for now is:
> 1) When receiving e-mail
> 1.1) If it's not a local domain, and it's in transport_maps, relay to
> another server
> 1.2) If it's a local domain, check for a list of valid local users, and
> reject if a user doesn't exist.
> 1.3) If it's not local/transport_maps domain, reject.
> 2) When sending e-mail
> 2.1) If it's to a local domain, deliver it locally
> 2.2) If it's to a domain in transport_maps, send to another server
> 2.2) If it's not to local/transport_maps domain, send to the internet

Most of what you want is already default unless you mess up the configuration.

> Please help with all this configuration, because I'm blind with all the
> changes that I made in the main.cf.
> With my configuration now, when I send an e-mail to a user in the
> transport_map domain, the e-mail is rejected by "Recipient address
> rejected: User unknown in relay recipient table". Sending
> locally/Internet is ok.
>
> The OS is Debian Etch (updated), with all compiled packages from source.
>
> # postconf mail_version
> mail_version = 2.5.2
>
> # postconf -n
> alias_database =
> alias_maps = $alias_database
> bounce_queue_lifetime = 1d
> command_directory = /usr/sbin
> config_directory = /etc/postfix
> daemon_directory = /usr/libexec/postfix
> data_directory = /var/lib/postfix
> debug_peer_level = 2
> home_mailbox = Maildir/
> html_directory = /etc/postfix/html
> inet_interfaces = $myhostname, localhost
> local_recipient_maps = ldap:accounts, ldap:aliases

Okay, but...

> mail_owner = postfix
> mailq_path = /usr/bin/mailq
> manpage_directory = /usr/local/man
> maximal_queue_lifetime = 1d

Very short. Just imagine that the admin of the remote server leaves office
Friday afternoon, the server breaks down shortly afterwards and won't be
restarted until Monday morning. This isn't that unusual. To cover outages over
the weekend I recommend setting the queue lifetime to at least three days.

> message_size_limit = 10485760
> mydestination =

...your local domains are empty, so local_recipient_maps will never be evaluated.

> mydomain = XXXXXX.ce.gov.br
> myhostname = testemail.XXXXXX.ce.gov.br
> mynetworks = XXX.XXX.XXX.XXX/32, XXX.XXX.XXX.XXX/32, XXX.XXX.XXX.XXX/32
> mynetworks_style = host
> myorigin = [hidden email]
> newaliases_path = /usr/bin/newaliases
> queue_directory = /var/spool/postfix
> readme_directory = /etc/postfix/readme
> relay_domains = $transport_maps

I often have to set a specific transport for remote domains when one of the
remote mx is broken and refuses valid recipients. In that case you suddenly
accept mails for a foreign domain.

> relay_recipient_maps = hash:/etc/postfix/relay_recipients
> sample_directory = /etc/postfix
> sendmail_path = /usr/sbin/sendmail
> setgid_group = postdrop
> smtp_sasl_auth_enable = no
> smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_unauth_pipelining, reject_multi_recipient_bounce, reject_unauth_destination, permit
> smtpd_sasl_auth_enable = yes
> smtpd_sasl_local_domain =
> smtpd_sasl_security_options = noanonymous
> transport_maps = hash:/etc/postfix/transport_maps
> unknown_local_recipient_reject_code = 550
> virtual_alias_maps = ldap:aliases
> virtual_gid_maps = static:200
> virtual_mailbox_base = /home/vmail/domains
> virtual_mailbox_domains = ldap:domains
> virtual_mailbox_maps = ldap:accounts
> virtual_minimum_uid = 200
> virtual_transport = virtual
> virtual_uid_maps = static:200

Have a look at the classes of domains that Postfix knows and for what purposes
they are meant:
http://www.postfix.org/ADDRESS_CLASS_README.html

--
Sandy

List replies only please!
Please address PMs to: news-reply2 (@) japantest (.) homelinux (.) com
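
Added example, not part of any poster's message and not Postfix project code: a small Python linter that turns the review points raised in the replies above (relay_domains taken from $transport_maps, an address in myorigin, reject_unauth_destination placed late, an empty mydestination next to local_recipient_maps, a queue lifetime under three days, and @domain wildcards in the relay recipient table) into checks. The sample configuration, the table entries, the function names and the finding codes are constructed for illustration.

```python
import re

# Constructed sample, modelled on the settings discussed in the thread;
# addresses, domains and table entries are placeholders, not real data.
SAMPLE_POSTCONF = """\
maximal_queue_lifetime = 1d
mydestination =
local_recipient_maps = ldap:accounts, ldap:aliases
myorigin = user@example.invalid
relay_domains = $transport_maps
relay_recipient_maps = hash:/etc/postfix/relay_recipients
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated,
    reject_non_fqdn_sender, reject_unknown_sender_domain,
    reject_unauth_destination, permit
transport_maps = hash:/etc/postfix/transport_maps
"""

SAMPLE_RELAY_RECIPIENTS = """\
# constructed lookup table source
@internal.example.invalid OK
alice@internal.example.invalid OK
"""

SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
# Default smtpd_recipient_restrictions of Postfix 2.5, the version in the thread.
DEFAULT_RCPT = "permit_mynetworks, reject_unauth_destination"


def parse_postconf(text):
    """Return {parameter: value}; indented lines continue the previous value."""
    params, name = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and name is not None:
            params[name] = (params[name] + " " + line.strip()).strip()
        elif "=" in line:
            name, value = line.split("=", 1)
            name = name.strip()
            params[name] = value.strip()
    return params


def lint_main_cf(params):
    """Return finding codes (hypothetical names) for the points in the thread."""
    findings = []
    # transport_maps may list domains "in any direction"; keep relay_domains separate.
    if "$transport_maps" in params.get("relay_domains", ""):
        findings.append("relay_domains_from_transport_maps")
    # myorigin should be a machine or domain name, not user@domain.
    if "@" in params.get("myorigin", ""):
        findings.append("myorigin_is_address")
    # An explicitly empty mydestination means local_recipient_maps is never consulted.
    if params.get("local_recipient_maps") and params.get("mydestination", "x") == "":
        findings.append("local_recipient_maps_unused")
    # Bare numbers are days for this parameter; the Postfix default is 5d.
    m = re.fullmatch(r"(\d+)([smhdw]?)", params.get("maximal_queue_lifetime", "5d"))
    if m and int(m.group(1)) * SECONDS[m.group(2) or "d"] < 3 * SECONDS["d"]:
        findings.append("queue_lifetime_under_3d")
    # Only the two trusted-client permits may come before reject_unauth_destination.
    value = params.get("smtpd_recipient_restrictions", DEFAULT_RCPT)
    rules = [r for r in re.split(r"[,\s]+", value) if r]
    trusted = {"permit_mynetworks", "permit_sasl_authenticated"}
    if "reject_unauth_destination" not in rules:
        findings.append("reject_unauth_destination_missing")
    elif set(rules[:rules.index("reject_unauth_destination")]) - trusted:
        findings.append("reject_unauth_destination_late")
    return findings


def wildcard_recipients(table_text):
    """Return @domain keys, which accept every address in that domain."""
    keys = [ln.split()[0] for ln in table_text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]
    return [k for k in keys if k.startswith("@")]


if __name__ == "__main__":
    for code in lint_main_cf(parse_postconf(SAMPLE_POSTCONF)):
        print("main.cf:", code)
    for key in wildcard_recipients(SAMPLE_RELAY_RECIPIENTS):
        print("relay_recipients: wildcard entry", key)
```

On a real host, feed `parse_postconf` the output of `postconf -n` and `wildcard_recipients` the source file of the relay recipient table.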

Re: Anti-spam relay with local users too

M. Rodrigo Monteiro
Thanks for all the answers...
I'll try to set it up now. If something happens, I'll let you guys know :)


--
M. Rodrigo Monteiro
[hidden email]
"Free as in Freedom, not free as in free beer"
Linux User # 403730