On 1/21/2011 7:13 PM, Mike Morris wrote:
On 01/21/2011 04:56 PM, Noel Jones wrote:
On 1/21/2011 5:08 PM, Condor wrote:
Hello,
I have Postfix 2.7.2 and I have a problem with restrictions. I set up
smtpd_recipient_restrictions; here is my main.cf config file:
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    check_helo_access hash:/etc/postfix/helo_checks,
    check_sender_access hash:/etc/postfix/helo_checks,
    check_recipient_access pcre:/etc/postfix/recipient_checks.pcre,
    reject_unauth_destination,
    reject_invalid_hostname,
    reject_unauth_pipelining,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    reject_non_fqdn_recipient,
    reject_unknown_recipient_domain,
    reject_unlisted_sender,
    reject_rhsbl_client blackhole.securitysage.com,
    reject_rhsbl_sender blackhole.securitysage.com,
    reject_rbl_client relays.ordb.org,
    reject_rbl_client blackholes.easynet.nl,
    reject_rbl_client cbl.abuseat.org,
    reject_rbl_client proxies.blackholes.wirehub.net,
    reject_rbl_client bl.spamcop.net,
    reject_rbl_client sbl.spamhaus.org,
    reject_rbl_client opm.blitzed.org,
    reject_rbl_client dnsbl.njabl.org,
    reject_rbl_client list.dsbl.org,
    reject_rbl_client multihop.dsbl.org,
    reject_rbl_client pbl.spamhaus.org,
    permit
That file pcre:/etc/postfix/recipient_checks.pcre contains:
/^\@/ 550 Invalid address format.
/[!%\@].*\@/ 550 This server disallows weird address syntax.
/^postmaster\@/ OK
/^hostmaster\@/ OK
/^abuse\@/ OK
/^nobody\@/ REJECT
Don't escape the @ in pcre tables, i.e.:
/^nobody@/ REJECT nobody isn't here.
Additionally, doesn't this configuration make the server in question an
open relay? The recipient_checks.pcre file returns an OK when the RHS
of an email address is anything for an LHS of postmaster, hostmaster, and
abuse, and it immediately precedes reject_unauth_destination in
smtpd_recipient_restrictions.
Yes, you're right. reject_unauth_destination should be
directly after permit_mynetworks, permit_sasl_authenticated.
What is the purpose of configuring recipient validation in such a
manner? The OP would be better served by correctly configuring the
proper address classes.
It's not uncommon to whitelist role accounts before anti-UCE
checks, and nothing wrong with using the same file to reject
recipients that should never receive mail. But the whitelist
should always be *after* reject_unauth_destination.
-- Noel Jones
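
The ordering point made in this thread, as an added example that is not from any of the posters and is not Postfix code: a simplified Python model of first-match restriction evaluation for an unauthenticated client outside mynetworks. The local domain example.com, the sample recipients, and the helper names are assumptions; only the restrictions relevant to the relay question are modelled.

```python
import re

# Constructed stand-in for recipient_checks.pcre: the role-account entries from
# the post, with "@" unescaped. Postfix pcre tables are case-insensitive by default.
RECIPIENT_TABLE = [
    (re.compile(r"^postmaster@", re.I), "OK"),
    (re.compile(r"^hostmaster@", re.I), "OK"),
    (re.compile(r"^abuse@", re.I), "OK"),
    (re.compile(r"^nobody@", re.I), "REJECT"),
]
LOCAL_DOMAINS = {"example.com"}  # assumption: domains this server accepts mail for

def table_lookup(recipient):
    """First matching pattern wins; no match means DUNNO (keep evaluating)."""
    for pattern, action in RECIPIENT_TABLE:
        if pattern.search(recipient):
            return action
    return "DUNNO"

def evaluate(restrictions, recipient):
    """Walk the list in order and stop at the first restriction that decides.
    Returns (deciding_restriction, verdict)."""
    domain = recipient.rsplit("@", 1)[-1].lower()
    for name in restrictions:
        if name in ("permit_mynetworks", "permit_sasl_authenticated"):
            verdict = "DUNNO"  # modelled client is neither local nor authenticated
        elif name == "check_recipient_access":
            verdict = table_lookup(recipient)
        elif name == "reject_unauth_destination":
            verdict = "DUNNO" if domain in LOCAL_DOMAINS else "REJECT"
        elif name == "permit":
            verdict = "OK"
        else:
            verdict = "DUNNO"  # other checks are not modelled here
        if verdict != "DUNNO":
            return name, verdict
    return "(end of list)", "OK"

# Order as posted (whitelist first) versus the order recommended in the replies.
AS_POSTED = ["permit_mynetworks", "permit_sasl_authenticated",
             "check_recipient_access", "reject_unauth_destination", "permit"]
REORDERED = ["permit_mynetworks", "permit_sasl_authenticated",
             "reject_unauth_destination", "check_recipient_access", "permit"]

if __name__ == "__main__":
    for rcpt in ("postmaster@elsewhere.example", "postmaster@example.com",
                 "nobody@example.com"):
        print(rcpt, evaluate(AS_POSTED, rcpt), evaluate(REORDERED, rcpt))
```

With the posted order, the table's OK for a role-account localpart ends evaluation before reject_unauth_destination is reached; with the recommended order, the same table only ever applies to recipients in domains the server is responsible for.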