On 1/21/2011 7:13 PM, Mike Morris wrote:
> On 01/21/2011 04:56 PM, Noel Jones wrote:
>> On 1/21/2011 5:08 PM, Condor wrote:
>>>
>>> Hello,
>>> I have postfix 2.7.2 and I have a problem with restrictions. I set up
>>> smtpd_recipient_restrictions; here is my main.cf config file:
>>>
>>> smtpd_recipient_restrictions =
>>>     permit_mynetworks,
>>>     permit_sasl_authenticated,
>>>     check_helo_access hash:/etc/postfix/helo_checks,
>>>     check_sender_access hash:/etc/postfix/helo_checks,
>>>     check_recipient_access pcre:/etc/postfix/recipient_checks.pcre,
>>>     reject_unauth_destination,
>>>     reject_invalid_hostname,
>>>     reject_unauth_pipelining,
>>>     reject_non_fqdn_sender,
>>>     reject_unknown_sender_domain,
>>>     reject_non_fqdn_recipient,
>>>     reject_unknown_recipient_domain,
>>>     reject_unlisted_sender,
>>>     reject_rhsbl_client blackhole.securitysage.com,
>>>     reject_rhsbl_sender blackhole.securitysage.com,
>>>     reject_rbl_client relays.ordb.org,
>>>     reject_rbl_client blackholes.easynet.nl,
>>>     reject_rbl_client cbl.abuseat.org,
>>>     reject_rbl_client proxies.blackholes.wirehub.net,
>>>     reject_rbl_client bl.spamcop.net,
>>>     reject_rbl_client sbl.spamhaus.org,
>>>     reject_rbl_client opm.blitzed.org,
>>>     reject_rbl_client dnsbl.njabl.org,
>>>     reject_rbl_client list.dsbl.org,
>>>     reject_rbl_client multihop.dsbl.org,
>>>     reject_rbl_client pbl.spamhaus.org,
>>>     permit
>>>
>>> The file pcre:/etc/postfix/recipient_checks.pcre contains:
>>> /^\@/           550 Invalid address format.
>>> /[!%\@].*\@/    550 This server disallows weird address syntax.
>>> /^postmaster\@/ OK
>>> /^hostmaster\@/ OK
>>> /^abuse\@/      OK
>>> /^nobody\@/     REJECT
>>
>> Don't escape the @ in pcre tables, i.e.:
>> /^nobody@/ REJECT  nobody isn't here.
>
> Additionally, doesn't this configuration make the server in question an
> open relay?  The recipient_checks.pcre file returns an OK when the RHS
> of an email address is anything for an LHS of postmaster, hostmaster, and
> abuse, and it immediately precedes reject_unauth_destination in
> smtpd_recipient_restrictions.

Yes, you're right. reject_unauth_destination should be directly after permit_mynetworks, permit_sasl_authenticated.

>
> What is the purpose of configuring recipient validation in such a
> manner?  The OP would be better served by correctly configuring the
> proper address classes.

It's not uncommon to whitelist role accounts before anti-UCE checks, and there is nothing wrong with using the same file to reject recipients that should never receive mail. But the whitelist should always be *after* reject_unauth_destination.


  -- Noel Jones
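To make the ordering point concrete, here is an added simulation (constructed for this thread, not Postfix code and not part of the original posts) of how Postfix walks smtpd_recipient_restrictions: the first restriction that returns a decision wins, and a whitelist "OK" is a final permit. It models only permit_mynetworks, permit_sasl_authenticated, check_recipient_access with the thread's pcre table (@ unescaped, as Noel suggests) and reject_unauth_destination; the helo, sender and RBL restrictions are omitted, and the mynetworks/mydestination values are made-up placeholders. With the original order an unauthenticated outside client sending to postmaster@<any-domain> is permitted, i.e. relayed; with reject_unauth_destination moved up, the same recipient is refused while role accounts in our own domains still get their whitelist.

```python
import re

# Constructed placeholder values; a real main.cf defines these.
MYNETWORKS = {"127.0.0.1", "192.0.2.10"}
MYDESTINATION = {"example.com", "localhost"}

# The recipient_checks.pcre table from the thread with the @ left
# unescaped. As in Postfix pcre tables, the first matching pattern wins.
RECIPIENT_CHECKS = [
    (re.compile(r"^@"), "550 Invalid address format."),
    (re.compile(r"[!%@].*@"), "550 This server disallows weird address syntax."),
    (re.compile(r"^postmaster@"), "OK"),
    (re.compile(r"^hostmaster@"), "OK"),
    (re.compile(r"^abuse@"), "OK"),
    (re.compile(r"^nobody@"), "REJECT"),
]


def session(client, recipient, sasl=False):
    """A minimal SMTP session record for the simulation."""
    return {"client": client, "recipient": recipient, "sasl": sasl}


# Each restriction returns a decision string, or None for DUNNO
# (fall through to the next restriction in the list).
def permit_mynetworks(s):
    return "OK" if s["client"] in MYNETWORKS else None


def permit_sasl_authenticated(s):
    return "OK" if s["sasl"] else None


def check_recipient_access(s):
    for pattern, action in RECIPIENT_CHECKS:
        if pattern.search(s["recipient"]):
            return action
    return None


def reject_unauth_destination(s):
    domain = s["recipient"].rsplit("@", 1)[-1]
    return None if domain in MYDESTINATION else "554 Relay access denied"


def permit(s):
    return "OK"


def evaluate(restrictions, s):
    """First restriction that yields a decision ends the evaluation."""
    for restriction in restrictions:
        decision = restriction(s)
        if decision is not None:
            return decision
    return "OK"  # an exhausted list permits, like Postfix


# The order from the thread: whitelist before the relay check.
ORIGINAL_ORDER = [permit_mynetworks, permit_sasl_authenticated,
                  check_recipient_access, reject_unauth_destination, permit]

# Noel's correction: reject_unauth_destination right after the permits.
FIXED_ORDER = [permit_mynetworks, permit_sasl_authenticated,
               reject_unauth_destination, check_recipient_access, permit]


if __name__ == "__main__":
    outside = session("203.0.113.5", "postmaster@victim.example")
    print("original:", evaluate(ORIGINAL_ORDER, outside))  # OK -> relayed
    print("fixed:   ", evaluate(FIXED_ORDER, outside))     # 554 Relay access denied
```

Running it prints the relay decision for each ordering; the same evaluate() call with postmaster@example.com or nobody@example.com shows that the fixed order keeps the whitelist and the nobody rejection for local domains intact.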
