Re: only accept EHLO and I see that I refuse a lot of legitimate mail

[fakessh]

i reread the doc
i just changed this option

smtpd_tls_security_level = may



Le dimanche 24 avril 2011 22:53, Reindl Harald a écrit :
> what have "smtp_tls_note_starttls_offer" to do with EHLO/HELO
> and what have smtp_*-commands to do with receive?
>
> why you are using so complex EHLO-restrictions?
> the following should be enough!
>
> smtpd_helo_required  = yes
> smtpd_helo_restrictions = permit_mynetworks
>  reject_non_fqdn_helo_hostname
>  reject_invalid_helo_hostname
>  reject_unknown_helo_hostname
>
> Am 24.04.2011 22:37, schrieb fakessh:
> > I just changed this option
> >
> > smtp_tls_note_starttls_offer = may
> >
> > that it's OK or not OK
> >
> > thanks
> >
> > Le dimanche 24 avril 2011 22:10, fakessh a écrit :
> >> hello postfix guru
> >> hello Wieste and other develloper
> >>
> >>
> >> I already post a question asking for more.
> >>
> >> how to allow both HELO and EHLO. I currently only accept EHLO and I see
> >> that I refuse a lot of legitimate mail
> >>
> >>
> >> my postconf -n
> >>
> >> r13151 ~]# postconf -n
> >> alias_database = hash:/etc/aliases , hash:/etc/postfix/aliases
> >> alias_maps = hash:/etc/aliases , hash:/etc/postfix/aliases
> >> body_checks = regexp:/etc/postfix/body_checks.cf
> >> broken_sasl_auth_clients = yes
> >> command_directory = /usr/sbin
> >> config_directory = /etc/postfix
> >> content_filter = dkimproxy:[127.0.0.1]:10029
> >> daemon_directory = /usr/libexec/postfix
> >> data_directory = /var/lib/postfix
> >> debug_peer_level = 2
> >> default_privs = nobody
> >> default_rbl_reply = $rbl_code Service unavailable; $rbl_class
> >> [$rbl_what] blocked using $rbl_domain${rbl_reason?; $rbl_reason}
> >> double_bounce_sender = no
> >> header_checks = regexp:/etc/postfix/header_checks.cf
> >> home_mailbox = Maildir/
> >> html_directory = /usr/share/doc/postfix-2.7.3-documentation/html
> >> in_flow_delay = 10
> >> inet_interfaces = all
> >> inet_protocols = all
> >> local_recipient_maps = unix:passwd.byname $alias_maps
> >> mail_owner = postfix
> >> mail_spool_directory = /var/spool/mail
> >> mailbox_command = /usr/libexec/dovecot/dovecot-lda
> >> mailq_path = /usr/bin/mailq.postfix
> >> manpage_directory = /usr/share/man
> >> message_size_limit = 20480000
> >> milter_command_timeout = 30s
> >> milter_connect_macros = j {daemon_name} v
> >> milter_connect_timeout = 30s
> >> milter_content_timeout = 300s
> >> milter_data_macros = i
> >> milter_end_of_data_macros = i
> >> milter_end_of_header_macros = i
> >> milter_helo_macros = {tls_version} {cipher} {cipher_bits} {cert_subject}
> >> {cert_issuer}
> >> milter_macro_daemon_name = $myhostname
> >> milter_macro_v = $mail_name $mail_version
> >> milter_mail_macros = i {auth_type} {auth_authen} {auth_author}
> >> {mail_addr} milter_protocol = 2
> >> milter_rcpt_macros = i {rcpt_addr}
> >> milter_unknown_command_macros =
> >> mime_header_checks = regexp:/etc/postfix/mime_header_checks.cf
> >> mydestination = $myhostname , localhost.$mydomain, r13151.ovh.net
> >> mydomain = r13151.ovh.net
> >> mynetworks = 127.0.0.0/8 ,87.98.186.232 , [::1]/128 ,
> >> [2001:41D0:2:3Dd6::]/64 myorigin = $mydomain
> >> newaliases_path = /usr/bin/newaliases.postfix
> >> parent_domain_matches_subdomains =
> >> queue_directory = /var/spool/postfix
> >> queue_run_delay = 200s
> >> readme_directory = /usr/share/doc/postfix-2.7.3-documentation/readme
> >> recipient_delimiter = +
> >> relay_domains =
> >> sample_directory = /usr/share/doc/postfix-2.5.4/samples
> >> sendmail_path = /usr/sbin/sendmail.postfix
> >> setgid_group = postdrop
> >> smtp_sasl_security_options = noanonymous
> >> smtp_sasl_tls_security_options = noanonymous
> >> smtp_sender_dependent_authentication = yes
> >> smtp_tls_loglevel = 3
> >> smtp_tls_note_starttls_offer = yes
> >> smtp_tls_session_cache_database =
> >> btree:/var/lib/postfix/smtp_tls_session_cache
> >> smtpd_banner = $myhostname ESMTP $mail_name ($mail_version)
> >> smtpd_client_restrictions = permit_mynetworks
> >> reject_unknown_reverse_client_hostname reject_unauth_pipelining
> >> reject_non_fqdn_recipient check_client_access
> >> cidr:/etc/postfix/koreacidr.cidr check_client_access
> >> cidr:/etc/postfix/chinacidr.cidr check_helo_access
> >> hash:/etc/postfix/access_client check_helo_access
> >> hash:/etc/postfix/access_host  check_sender_access
> >> hash:/etc/postfix/access_client check_sender_access
> >> hash:/etc/postfix/access_host check_recipient_access
> >> hash:/etc/postfix/access_client check_recipient_access
> >> hash:/etc/postfix/access_host check_client_access
> >> cidr:/etc/postfix/perso_cidr.cidr check_recipient_access
> >> cidr:/etc/postfix/perso_cidr.cidr check_helo_access
> >> cidr:/etc/postfix/perso_cidr.cidr check_client_access
> >> pcre:/etc/postfix/ptr-tld.pcre check_client_access
> >> cidr:/etc/postfix/sinokorea.cidr check_client_access
> >> cidr:/etc/postfix/taiwancidr.cidr  check_client_access
> >> regexp:/etc/postfix/blacklist_clients  check_client_access
> >> cidr:/etc/postfix/asian-ip.cidr  reject_rbl_client relays.orbs.org
> >> check_client_access cidr:/etc/postfix/taiwanipblocksreject.cidr
> >> check_client_access cidr:/etc/postfix/IN_cidr.cidr check_client_access
> >> cidr:/etc/postfix/BR_cidr.cidr check_client_access
> >> cidr:/etc/postfix/CN_cidr.cidr check_client_access
> >> cidr:/etc/postfix/UA_cidr.cidr check_client_access
> >> cidr:/etc/postfix/TR_cidr.cidr  check_client_access
> >> cidr:/etc/postfix/VE_cidr.cidr check_client_access
> >> cidr:/etc/postfix/VN_cidr.cidr   permit
> >> smtpd_data_restrictions = reject_unauth_pipelining
> >> smtpd_helo_restrictions = permit_mynetworks check_helo_access
> >> cidr:/etc/postfix/koreacidr.cidr check_helo_access
> >> cidr:/etc/postfix/chinacidr.cidr check_helo_access
> >> hash:/etc/postfix/access_client check_helo_access
> >> hash:/etc/postfix/access_host  check_helo_access
> >> hash:/etc/postfix/access_client check_helo_access
> >> hash:/etc/postfix/access_host check_helo_access
> >> hash:/etc/postfix/access_client check_helo_access
> >> hash:/etc/postfix/access_host check_helo_access
> >> cidr:/etc/postfix/perso_cidr.cidr check_helo_access
> >> pcre:/etc/postfix/ptr-tld.pcre check_helo_access
> >> cidr:/etc/postfix/sinokorea.cidr check_helo_access
> >> cidr:/etc/postfix/taiwancidr.cidr  check_helo_access
> >> regexp:/etc/postfix/blacklist_clients  check_helo_access
> >> cidr:/etc/postfix/asian-ip.cidr  check_helo_access
> >> cidr:/etc/postfix/taiwanipblocksreject.cidr  check_helo_access
> >> cidr:/etc/postfix/IN_cidr.cidr check_helo_access
> >> cidr:/etc/postfix/BR_cidr.cidr check_helo_access
> >> cidr:/etc/postfix/CN_cidr.cidr check_helo_access
> >> cidr:/etc/postfix/UA_cidr.cidr check_helo_access
> >> cidr:/etc/postfix/TR_cidr.cidr  check_helo_access
> >> cidr:/etc/postfix/VE_cidr.cidr check_helo_access
> >> cidr:/etc/postfix/VN_cidr.cidr  reject_unauth_pipelining
> >> reject_invalid_hostname  permit
> >> smtpd_milters = unix:/var/spool/MIMEDefang/mimedefang.sock
> >> smtpd_recipient_restrictions = permit_mynetworks  permit_inet_interfaces
> >> permit_sasl_authenticated  reject_unverified_recipient
> >> reject_non_fqdn_sender reject_non_fqdn_recipient
> >> reject_unknown_sender_domain
> >> reject_unknown_recipient_domain reject_unknown_reverse_client_hostname
> >> reject_unauth_destination reject_unauth_pipelining reject_rbl_client
> >> zen.spamhaus.org reject_sender_login_mismatch check_policy_service
> >> unix:postgrey/socket reject_rhsbl_sender dbl.spamhaus.org
> >> reject_rbl_client bl.spamcop.net  reject_rbl_client cbl.abuseat.org 
> >> reject_rbl_client b.barracudacentral.org check_client_access
> >> hash:/etc/postfix/whitelist reject_rhsbl_helo dbl.spamhaus.org 
> >> reject_rhsbl_client dbl.spamhaus.org reject_unknown_helo_hostname
> >> reject_invalid_helo_hostname
> >> reject_non_fqdn_helo_hostname  check_client_access
> >> pcre:/etc/postfix/ptr-tld.pcre check_client_access
> >> cidr:/etc/postfix/sinokorea.cidr check_client_access
> >> cidr:/etc/postfix/taiwancidr.cidr  check_client_access
> >> regexp:/etc/postfix/blacklist_clients  check_client_access
> >> cidr:/etc/postfix/asian-ip.cidr  reject_rbl_client relays.orbs.org
> >> check_client_access cidr:/etc/postfix/IN_cidr.cidr check_client_access
> >> cidr:/etc/postfix/BR_cidr.cidr check_client_access
> >> cidr:/etc/postfix/CN_cidr.cidr check_client_access
> >> cidr:/etc/postfix/UA_cidr.cidr check_client_access
> >> cidr:/etc/postfix/TR_cidr.cidr  check_client_access
> >> cidr:/etc/postfix/VE_cidr.cidr check_client_access
> >> cidr:/etc/postfix/VN_cidr.cidr  check_client_access
> >> cidr:/etc/postfix/perso_cidr.cidr check_sender_mx_access
> >> cidr:/etc/postfix/perso_cidr.cidr check_recipient_mx_access
> >> cidr:/etc/postfix/perso_cidr.cidr  check_recipient_access
> >> cidr:/etc/postfix/perso_cidr.cidr check_helo_access
> >> cidr:/etc/postfix/perso_cidr.cidr  check_client_access
> >> hash:/etc/postfix/access_host check_recipient_mx_access
> >> hash:/etc/postfix/access_host check_sender_mx_access
> >> hash:/etc/postfix/access_host  check_client_access
> >> hash:/etc/postfix/access_client check_recipient_access
> >> hash:/etc/postfix/access_host check_recipient_access
> >> hash:/etc/postfix/access_client check_sender_access
> >> hash:/etc/postfix/access_host check_sender_access
> >> hash:/etc/postfix/access_client check_helo_access
> >> hash:/etc/postfix/access_host  check_helo_access
> >> hash:/etc/postfix/access_client  check_client_access
> >> cidr:/etc/postfix/chinacidr.cidr check_client_access
> >> cidr:/etc/postfix/koreacidr.cidr reject_rbl_client zen.spamhaus.org
> >> reject_rbl_client psbl.surriel.com reject_rhsbl_client dbl.spamhaus.org
> >> reject_rhsbl_sender dbl.spamhaus.org reject_rhsbl_helo dbl.spamhaus.org
> >> check_policy_service unix:private/spfpolicy
> >> smtpd_reject_unlisted_sender = no
> >> smtpd_sasl_auth_enable = yes
> >> smtpd_sasl_authenticated_header = yes
> >> smtpd_sasl_local_domain = $myhostname
> >> smtpd_sasl_path = private/auth
> >> smtpd_sasl_type = dovecot
> >> smtpd_sender_restrictions = reject_unknown_sender_domain
> >> smtpd_tls_CAfile = /etc/pki/tls/certs/class3.crt
> >> smtpd_tls_ask_ccert = yes
> >> smtpd_tls_auth_only = yes
> >> smtpd_tls_cert_file = /etc/pki/tls/certs/r13151.ovh.net.cert
> >> smtpd_tls_key_file = /etc/pki/tls/private/r13151.ovh.net.key
> >> smtpd_tls_received_header = yes
> >> smtpd_tls_req_ccert = no
> >> smtpd_tls_security_level = may
> >> smtpd_tls_session_cache_database =
> >> btree:/var/lib/postfix/smtpd_tls_session_cache
> >> smtpd_use_tls = yes
> >> soft_bounce = no
> >> tls_random_source = dev:/dev/urandom
> >> unknown_local_recipient_reject_code = 550
> >> virtual_alias_domains = renelacroute.fr , nicolaspichot.fr , fakessh.eu
> >> virtual_alias_maps = hash:/etc/postfix/virtual
> >> virtual_transport = dovecot

-- 
 http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x092164A7
 gpg --keyserver pgp.mit.edu --recv-key 092164A7

pgpxfs2KdDoiH.pgp
Description: PGP signature