smtpd restrictions

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view
|

smtpd restrictions

David Mehler
Hello,

I'm running Postfix 3.3. I'm thinking I've got an issue with my smtpd*
restrictions, either doing double work or not ordered right, or just
not optimized. Can someone take a look and see if anything stands out
as being off?

Thanks.
Dave.

master.cf (service excerpt):
submission inet n       -       n       -       -       smtpd
 -o syslog_name=postfix/submission
  -o smtpd_tls_dh1024_param_file=/etc/ssl/dhparam.pem
 -o smtpd_tls_security_level=encrypt
 -o smtpd_sasl_auth_enable=yes
 -o smtpd_sasl_type=dovecot
 -o smtpd_sasl_path=private/auth
 -o smtpd_sasl_security_options=noanonymous
 -o smtpd_recipient_restrictions=reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_sasl_authenticated,reject
 -o smtpd_sender_login_maps=mysql:/usr/local/etc/postfix/db/sender-login-maps.cf
 -o tls_preempt_cipherlist=yes

main.cf (smtpd* restrictions):
strict_rfc821_envelopes = yes
disable_vrfy_command = yes
smtpd_reject_unlisted_sender = yes
show_user_unknown_table_name = no
unknown_address_reject_code  = 554
unknown_hostname_reject_code = 554
unknown_client_reject_code   = 554

# Conditions in which Postfix works as a relay. (for mail user clients)
smtpd_relay_restrictions =
 reject_non_fqdn_recipient
 reject_unknown_recipient_domain
 permit_mynetworks
 reject_unauth_destination

smtpd_recipient_restrictions =
  permit_mynetworks
 permit_sasl_authenticated
  reject_unauth_destination
        check_helo_access hash:/usr/local/etc/postfix/helo_access,
        ,check_helo_access pcre:/usr/local/etc/postfix/helo_checks
        ,check_sender_mx_access cidr:/usr/local/etc/postfix/bogus_mx
 check_sender_access hash:/usr/local/etc/postfix/safe_addresses
 check_sender_access hash:/usr/local/etc/postfix/auto-whtlst
 check_client_access cidr:/usr/local/etc/postfix/spamfarms
 check_client_access cidr:/usr/local/etc/postfix/sinokorea.cidr
 check_recipient_access mysql:/usr/local/etc/postfix/db/recipient-access.cf
     permit_dnswl_client list.dnswl.org=127.0.[2..14].[1..3]
        check_reverse_client_hostname_access
pcre:/usr/local/etc/postfix/fqrdns.pcre
 reject_unknown_reverse_client_hostname
  reject_non_fqdn_sender
# The below commented lines were commented to make outlook work
 #reject_non_fqdn_helo_hostname
 reject_invalid_helo_hostname
 #reject_unknown_helo_hostname
 reject_unlisted_recipient
 reject_rhsbl_client dbl.spamhaus.org
 reject_rhsbl_sender dbl.spamhaus.org
 reject_rhsbl_helo dbl.spamhaus.org
  check_policy_service unix:private/spf-policy
 check_policy_service unix:private/dovecot-quota

# Restrictions for all sending foreign servers ("SMTP clients")
smtpd_client_restrictions =
 permit_mynetworks
 check_client_access hash:/usr/local/etc/postfix/without_ptr
 reject_unknown_client_hostname

smtpd_helo_required = yes
smtpd_helo_restrictions =
 permit_mynetworks
 reject_invalid_helo_hostname
# The below lines were commented to make outlook work
 #reject_non_fqdn_helo_hostname
 #reject_unknown_helo_hostname

# Block clients, which start sending too early
smtpd_data_restrictions = reject_unauth_pipelining

# Restrictions for MUAs
#mua_relay_restrictions =
reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_mynetworks,permit_sasl_authenticated,reject
#mua_sender_restrictions =
permit_mynetworks,reject_non_fqdn_sender,reject_sender_login_mismatch,permit_sasl_authenticated,reject
#mua_client_restrictions = permit_mynetworks,permit_sasl_authenticated,reject