Hi,
Some time ago I posted my smtpd_recipient_restrictions because I was
having a problem with unauthorized relaying (basically I had become an
open relay!), and received some suggestions. However, I think there is
still a problem and I'm open to relaying.
I'm still using postfix-1.x, set up with two queues. As a side
question, is there going to be significant configuration changes to
upgrade to the current from 1.x?
Reading from a message in the second queue waiting to be delivered,
the source IP is not one from the pop-before-smtp database and is not
from the internal network. The destination is is a user at yahoo.com.
How could this happen? Below is the recipient restrictions from the
first instance:
smtpd_recipient_restrictions =
reject_non_fqdn_sender
reject_non_fqdn_recipient
permit_mynetworks
check_client_access hash:/etc/postfix/pop-before-smtp
reject_unauth_destination
reject_invalid_hostname
reject_non_fqdn_hostname
reject_unknown_sender_domain
# reject_unknown_recipient_domain
# reject_unauth_pipelining
check_client_access hash:/etc/postfix/client_checks
check_client_access pcre:/etc/postfix/client_checks.pcre
check_recipient_access pcre:/etc/postfix/recipient_checks
check_helo_access hash:/etc/postfix/helo_checks
check_sender_access hash:/etc/postfix/sender_checks
check_sender_access hash:/etc/postfix/disallow_my_domain
check_recipient_access pcre:/etc/postfix/recipient_checks.pcre
maps_rbl_domains =
zen.spamhaus.org,
cbl.abuseat.org,
sbl.spamhaus.org,
pbl.spamhaus.org
disable_vrfy_command = yes
I've also tried to put the email address from the header "From:" into
client_checks to block them, and it does not appear to work.
check_client_access is a restriction on the regular header
information, not the envelope header, correct? Can someone help me to
clarify?
Any help greatly appreciated!
Thanks,
Alex
