Re: smtp authentication?

Re: smtp authentication?

Mauro Sanna
> put this later. you should not happily query my dns server if a spammer
> forges my address. put this after dnsbl checks.
> > reject_unknown_recipient_domain,
>
> remove this (last line).

Why?

>
> > reject_invalid_hostname,
> > reject_non_fqdn_hostname,
> > reject_unauth_destination,
> > check_policy_service inet:127.0.0.1:60000
>
> if your policy server returns defer_if_permit, then you should put it at
> last. if it returns defer, then it's ok.
>

By default it returns defer_if_permit, so should I put it at the end of
all my smtpd_recipient_restrictions?
Also after all the reject_rbl_client entries?



Re: smtp authentication?

mouss-2
Mauro Sanna wrote:

>> put this later. you should not happily query my dns server if a spammer
>> forges my address. put this after dnsbl checks.
>>> reject_unknown_recipient_domain,
>> remove this (last line).
>
> Why?

because you are only checking your own domains. this check is only
meaningful if also applied to "submitted" mail (before permit_mynetworks
and permit_sasl_authenticated).

note that you should move reject_unauth_destination just before the other
rejects. The reason is that reject_unauth_destination is both safe (0
false positives) and cheap (no dns query). see below for a (slightly
modified) formulation of your restrictions.

>>> reject_invalid_hostname,
>>> reject_non_fqdn_hostname,
>>> reject_unauth_destination,
>>> check_policy_service inet:127.0.0.1:60000
>> if your policy server returns defer_if_permit, then you should put it at
>> last. if it returns defer, then it's ok.
>
> By default it returns defer_if_permit, so should I put it at the end of
> all my smtpd_recipient_restrictions?
> Also after all the reject_rbl_client entries?

yes. This avoids calling the policy server for mail that is rejected by
other checks (otherwise, your greylisting db will contain entries for
transactions that are rejected anyway).

here is a reformulation of your restrictions

smtpd_recipient_restrictions =
        reject_non_fqdn_sender
        reject_non_fqdn_recipient
        permit_sasl_authenticated
        permit_mynetworks
        reject_unauth_destination
        reject_invalid_hostname
        reject_non_fqdn_hostname  
        #consider enabling the two checks below before DNS checks
        #reject_unlisted_recipient
        #reject_unlisted_sender
        reject_unknown_sender_domain
        reject_rbl_client zen.spamhaus.org
        reject_rbl_client dul.dnsbl.sorbs.net
        reject_rbl_client list.dsbl.org
        reject_rbl_client dnsbl.njabl.org
        check_policy_service inet:127.0.0.1:60000    



Re: smtp authentication?

Mauro Sanna
> here is a reformulation of your restrictions
>
> smtpd_recipient_restrictions =
>         reject_non_fqdn_sender
>         reject_non_fqdn_recipient
>         permit_sasl_authenticated
>         permit_mynetworks
>         reject_unauth_destination
>         reject_invalid_hostname
>         reject_non_fqdn_hostname
>         #consider enabling the two checks below before DNS checks
>         #reject_unlisted_recipient
>         #reject_unlisted_sender
>         reject_unknown_sender_domain
>         reject_rbl_client zen.spamhaus.org
>         reject_rbl_client dul.dnsbl.sorbs.net
>         reject_rbl_client list.dsbl.org
>         reject_rbl_client dnsbl.njabl.org
>         check_policy_service inet:127.0.0.1:60000
>

Thank you, I have copied and pasted this.
A question about reject_unlisted_recipient and reject_unlisted_sender:
In my main.cf I have smtpd_reject_unlisted_sender = yes.
Is it the same?




Re: smtp authentication?

mouss-2
Mauro Sanna wrote:
> Thank you, I have copied and pasted this.
> A question about reject_unlisted_recipient and reject_unlisted_sender:
> In my main.cf I have smtpd_reject_unlisted_sender = yes.
> Is it the same?

the difference is that they would be checked after all restrictions. by
using them explicitly in your restrictions, you choose when the check is
done. I personally prefer to minimize the load on innocent DNS servers
(when possible and adequate of course).




Re: smtp authentication?

Mauro Sanna
> > Thank you, I have copied and pasted this.
> > A question about reject_unlisted_recipient and reject_unlisted_sender:
> > In my main.cf I have smtpd_reject_unlisted_sender = yes.
> > Is it the same?
>
> the difference is that they would be checked after all restrictions. by
> using them explicitly in your restrictions, you choose when the check is
> done. I personally prefer to minimize the load on innocent DNS servers
> (when possible and adequate of course).
>
There's something wrong.
[hidden email] is not a mail account in my ldap database.
When it sends mail, if I put smtpd_reject_unlisted_sender = yes it is
rejected.
If I comment out this parameter and put reject_unlisted_sender under
smtpd_recipient_restrictions it is not rejected.
Why?


Re: smtp authentication?

mouss-2
Mauro Sanna wrote:

>>> Thank you, I have copied and pasted this.
>>> A question about reject_unlisted_recipient and reject_unlisted_sender:
>>> In my main.cf I have smtpd_reject_unlisted_sender = yes.
>>> Is it the same?
>> the difference is that they would be checked after all restrictions. by
>> using them explicitly in your restrictions, you choose when the check is
>> done. I personally prefer to minimize the load on innocent DNS servers
>> (when possible and adequate of course).
>
> There's something wrong.
> [hidden email] is not a mail account in my ldap database.
> When it sends mail, if I put smtpd_reject_unlisted_sender = yes it is
> rejected.
> If I comment out this parameter and put reject_unlisted_sender under
> smtpd_recipient_restrictions it is not rejected.
> Why?

because the check is not reached if your transaction matches
    permit_mynetworks
    permit_sasl_authenticated

So keep the smtpd_reject_* parameter for such cases ("submitted" mail),
but put the reject_unlisted_* in place for "inbound" mail.
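The ordering arguments made in mouss's replies above (the cheap, exact reject_unauth_destination ahead of the DNS-based rejects; a defer_if_permit policy service last so rejected transactions never reach the greylisting database; and reject_unlisted_sender being unreachable behind permit_mynetworks while the smtpd_reject_unlisted_sender parameter still fires) can be checked with a small model of how Postfix walks a restriction list. The Python below is an added example, not code from the thread or from Postfix. The restriction functions, the "BEFORE" ordering, the domain and sender tables, the DNSBL membership and the four transactions are all constructed for illustration, and DNS lookups and policy-server calls are counted rather than performed.

```python
"""Model of how Postfix walks smtpd_recipient_restrictions (added example).

All tables, addresses and the BEFORE ordering are constructed assumptions,
not data from the thread. DNS and policy calls are counted, not made.
"""

OK, REJECT, DUNNO, DEFER, DEFER_IF_PERMIT = "OK", "REJECT", "DUNNO", "DEFER", "DEFER_IF_PERMIT"

LOCAL_DOMAINS = {"example.org"}                      # constructed: we are final destination
MYNETWORKS_PREFIX = "192.0.2."                       # constructed: trusted client range
LISTED_SENDERS = {"alice@example.org"}               # constructed: stand-in for the LDAP sender table
DNSBL_LISTED = {"198.51.100.7"}                      # constructed: clients a DNSBL would list
RESOLVABLE_DOMAINS = {"example.org", "example.net"}  # constructed: sender domains with working DNS


class Counters:
    """Side effects of one evaluation: DNS queries, policy calls, greylist rows."""
    def __init__(self):
        self.dns = 0
        self.policy = 0
        self.greylist_db = set()


def domain(addr):
    return addr.rsplit("@", 1)[1]


# Restrictions: each takes (transaction, counters) and returns an action.
def permit_mynetworks(tx, c):
    return OK if tx["client"].startswith(MYNETWORKS_PREFIX) else DUNNO

def permit_sasl_authenticated(tx, c):
    return OK if tx["sasl"] else DUNNO

def reject_unauth_destination(tx, c):
    # Local table lookup only: no DNS, and no false positives on relay attempts.
    return DUNNO if domain(tx["rcpt"]) in LOCAL_DOMAINS else REJECT

def reject_unlisted_sender(tx, c):
    # A sender in one of our domains that is not in our sender table.
    if domain(tx["sender"]) in LOCAL_DOMAINS and tx["sender"] not in LISTED_SENDERS:
        return REJECT
    return DUNNO

def reject_unknown_sender_domain(tx, c):
    c.dns += 1  # queries the sender domain's DNS, forged or not
    return DUNNO if domain(tx["sender"]) in RESOLVABLE_DOMAINS else REJECT

def reject_rbl_client(tx, c):
    c.dns += 1  # one DNSBL lookup
    return REJECT if tx["client"] in DNSBL_LISTED else DUNNO

def check_policy_service(tx, c):
    # Greylisting daemon: records the triplet and answers defer_if_permit
    # on first sight, dunno once the triplet is known.
    c.policy += 1
    triplet = (tx["client"], tx["sender"], tx["rcpt"])
    if triplet in c.greylist_db:
        return DUNNO
    c.greylist_db.add(triplet)
    return DEFER_IF_PERMIT


def evaluate(restrictions, tx, smtpd_reject_unlisted_sender=False):
    """Walk the list left to right: OK and REJECT end the walk, DUNNO moves
    on, DEFER_IF_PERMIT is remembered and turns a final permit into DEFER.
    The main.cf parameter smtpd_reject_unlisted_sender is modelled (an
    assumption of this model, matching what the thread reports) as a check
    applied after the list, which a permit from the list does not skip."""
    c = Counters()
    result, deferred = OK, False  # implicit permit at the end of the list
    for restriction in restrictions:
        action = restriction(tx, c)
        if action == DEFER_IF_PERMIT:
            deferred = True
        elif action in (OK, REJECT):
            result = action
            break
    if result == OK and deferred:
        result = DEFER
    if smtpd_reject_unlisted_sender and result != REJECT:
        if reject_unlisted_sender(tx, c) == REJECT:
            result = REJECT
    return result, c


# Constructed "before": policy service and the sender-domain DNS check run
# ahead of the cheap reject_unauth_destination and the DNSBL lookups.
BEFORE = [permit_mynetworks, permit_sasl_authenticated, reject_unknown_sender_domain,
          check_policy_service, reject_unauth_destination, reject_rbl_client]
# mouss's reformulation, with the commented-out reject_unlisted_sender enabled
# (the reject_non_fqdn_* syntax checks are left out; they make no lookups).
AFTER = [permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination,
         reject_unlisted_sender, reject_unknown_sender_domain, reject_rbl_client,
         check_policy_service]

# Constructed transactions.
SPAM_FROM_LISTED_HOST = {"client": "198.51.100.7", "sasl": False,
                         "sender": "ceo@example.net", "rcpt": "bob@example.org"}
RELAY_PROBE = {"client": "203.0.113.9", "sasl": False,
               "sender": "x@example.net", "rcpt": "victim@elsewhere.test"}
SUBMITTED_UNLISTED = {"client": "192.0.2.25", "sasl": False,
                      "sender": "nobody@example.org", "rcpt": "bob@example.org"}
CLEAN_FIRST_CONTACT = {"client": "203.0.113.50", "sasl": False,
                       "sender": "x@example.net", "rcpt": "bob@example.org"}


def summarize(restrictions, tx, **kw):
    """(result, DNS queries, policy calls, greylist rows) for one transaction."""
    result, c = evaluate(restrictions, tx, **kw)
    return result, c.dns, c.policy, len(c.greylist_db)


if __name__ == "__main__":
    for name, tx in [("spam from DNSBL-listed host", SPAM_FROM_LISTED_HOST),
                     ("relay probe", RELAY_PROBE),
                     ("clean first contact", CLEAN_FIRST_CONTACT)]:
        print(f"{name}: before={summarize(BEFORE, tx)} after={summarize(AFTER, tx)}")
    print("submitted, unlisted sender, check in list:", summarize(AFTER, SUBMITTED_UNLISTED))
    print("same, smtpd_reject_unlisted_sender=yes:   ",
          summarize(AFTER, SUBMITTED_UNLISTED, smtpd_reject_unlisted_sender=True))
```

Each tuple reads (result, DNS queries, policy calls, greylist rows). With the reformulated list the relay probe is rejected by reject_unauth_destination before anything is looked up, the DNSBL-listed spammer is rejected before the policy daemon is consulted so no greylist triplet is recorded for a transaction that was going to be rejected anyway, and a first-time clean sender ends in DEFER because the policy service's defer_if_permit only takes effect once the list would otherwise permit. The submitted mail from mynetworks with an unlisted local sender is permitted when reject_unlisted_sender sits behind permit_mynetworks, and rejected only when the check lives outside the list as smtpd_reject_unlisted_sender=yes, which is the behaviour the last two posts describe. The model ignores smtpd_delay_reject and defer_if_reject.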