Martijn de Munnik wrote:
Hi List,

A script just screwed my main.cf of a backup mx. Unfortunately I don't
have a backup of the main.cf. I restored the main.cf but one thing is
still not working as before. The relay*_for_stevie files contain the
domains and email addresses which accept mail on stevie.youngguns.nl.
When I test the backup mx with an invalid domain I get a 5** error, but
if I test the backup mx with an invalid address but valid domain I see the
message is greylisted. Of course this should also be denied 5**.

What is wrong in this config?

Comments below...


receive_override_options = no_address_mappings

Not recommended unless you also have content_filter set.

relay_domains = hash:/etc/postfix/relaydomains_for_stevie

OK.

relay_recipient_maps = hash:/etc/postfix/relayaddresses_for_stevie

Good, you appear to have a list of valid recipients for your relay_domains.

smtp_send_xforward_command = yes

This is usually set in specific master.cf services, not main.cf. You don't usually want to send XFORWARD information to the whole world.

smtpd_banner = Welkom bij $myhostname, stuur ook eens een kaartje!

This should be
  = $myhostname ESMTP your text here

smtpd_client_connection_count_limit = 10

WARNING: The purpose of this feature is to limit abuse. It must not be used to regulate legitimate mail traffic.

smtpd_client_restrictions = reject_rbl_client dnsbl.njabl.org,
    reject_rbl_client blackholes.easynet.nl,
    reject_unauth_pipelining,
    reject_unknown_client,
    permit

The easynet blacklist has been dead for years. reject_unknown_client is a very strict check and is known to reject legit mail. reject_unauth_pipelining probably doesn't do any good here, but it won't hurt anything.

smtpd_data_restrictions = reject_unauth_pipelining

OK.

smtpd_delay_reject = yes

yes is the default.  Don't change it.

smtpd_helo_restrictions = permit_mynetworks,
    warn_if_reject reject_non_fqdn_hostname,
    reject_invalid_hostname,
    permit

OK.

smtpd_recipient_limit = 25

only if you have 25 or fewer users.

smtpd_recipient_restrictions = permit_mynetworks,
    reject_unauth_destination,

add here:
  reject_unlisted_recipient

    reject_unauth_pipelining,
    reject_non_fqdn_recipient,
    reject_non_fqdn_hostname,
    reject_non_fqdn_sender,
    reject_invalid_hostname,
    reject_unknown_recipient_domain,
    reject_rbl_client zen.spamhaus.org,
    reject_rbl_client bl.spamcop.net,
    reject_rbl_client psbl.surriel.com,
    check_policy_service inet:127.0.0.1:2525
    permit

reject_unauth_pipelining is not effective here.

smtpd_sender_restrictions = permit_mynetworks,
    warn_if_reject reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    reject_unauth_pipelining,
    permit

reject_unauth_pipelining is not effective here. I notice you have several duplicated restrictions. No need to list things such as reject_non_fqdn_sender more than once.

smtpd_soft_error_limit = 3
soft_bounce = no
unknown_local_recipient_reject_code = 450

Change this to 550 once postfix correctly recognizes valid recipients.

  -- Noel Jones
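
Added example, not part of the original message and not Postfix code: a small Python check that applies the comments in the reply above to the posted restriction lists. It assumes the policy service on 127.0.0.1:2525 is the greylisting daemon; the function names and finding strings are made up for this illustration.

```python
import re

TAKES_ARG = {"reject_rbl_client", "check_policy_service"}  # subset used in this thread
DEAD_DNSBLS = {"blackholes.easynet.nl"}                    # called dead in the reply

def parse(value):
    """Split a restriction list into (name, argument, warn_only) entries."""
    tokens = [t for t in re.split(r"[,\s]+", value) if t]
    entries, warn, i = [], False, 0
    while i < len(tokens):
        tok, i = tokens[i], i + 1
        if tok == "warn_if_reject":   # modifier: the next restriction only logs
            warn = True
            continue
        arg = None
        if tok in TAKES_ARG and i < len(tokens):
            arg, i = tokens[i], i + 1
        entries.append((tok, arg, warn))
        warn = False
    return entries

def lint(config):
    """config maps parameter name -> restriction list; returns finding strings."""
    findings, seen = [], {}
    for param, value in config.items():
        entries = parse(value)
        enforced = [name for name, _, warn in entries if not warn]
        if param == "smtpd_recipient_restrictions" and "check_policy_service" in enforced:
            # Restrictions run in order, so a greylisting policy can defer first.
            if "reject_unlisted_recipient" not in enforced[:enforced.index("check_policy_service")]:
                findings.append("no reject_unlisted_recipient before check_policy_service")
        for name, arg, _ in entries:
            if name == "reject_unauth_pipelining":
                if param != "smtpd_data_restrictions":
                    findings.append(f"reject_unauth_pipelining outside smtpd_data_restrictions: {param}")
                continue
            if name == "reject_rbl_client" and arg in DEAD_DNSBLS:
                findings.append(f"dead DNSBL {arg} in {param}")
            if name.startswith("reject_") and (name, arg) in seen:
                findings.append(f"duplicate {name}: {param} and {seen[(name, arg)]}")
            seen.setdefault((name, arg), param)
    return findings

# Three of the restriction lists copied from the posted main.cf.
POSTED = {
    "smtpd_client_restrictions": "reject_rbl_client dnsbl.njabl.org, reject_rbl_client blackholes.easynet.nl, reject_unauth_pipelining, reject_unknown_client, permit",
    "smtpd_recipient_restrictions": "permit_mynetworks, reject_unauth_destination, reject_unauth_pipelining, reject_non_fqdn_recipient, reject_non_fqdn_hostname, reject_non_fqdn_sender, reject_invalid_hostname, reject_unknown_recipient_domain, reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net, reject_rbl_client psbl.surriel.com, check_policy_service inet:127.0.0.1:2525 permit",
    "smtpd_sender_restrictions": "permit_mynetworks, warn_if_reject reject_non_fqdn_sender, reject_unknown_sender_domain, reject_unauth_pipelining, permit",
}
```

Calling `lint(POSTED)` returns six findings; inserting `reject_unlisted_recipient` after `reject_unauth_destination` clears the one about the policy service.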
