Hi all,

I have a Postfix/MailScanner front-end set up which works well, however I'm not sure I've configured it correctly (or in the best way)...

The box uses header_checks to place all incoming messages in the hold queue (standard stuff) and transport_maps define which mail server the mail gets forwarded onto after scanning, per domain.

The difficulty I'm finding is maintaining a list of 'valid users' per domain, so I can reject invalid recipients at SMTP level rather than accepting all into the queue and being a potential source of backscatter.
The solution I've come up with is using "virtual_alias_maps".
The problem I'm finding is that I cannot get it to work without having the remote domain in $mydestination too. I understand the docs suggest that you shouldn't have the remote domain in both $mydestination and $virtual_alias_domains?

The configuration I have works but I don't fully understand why, and would like to know if there's a better way?


Also, is there a way to enable recipient verification on a per-domain basis? This is another idea I was considering.

I've included my 'postconf -n' output below.

Many thanks for any suggestions,

Duncan Baxter


----

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
anvil_rate_time_unit = 60s
append_dot_mydomain = no
biff = no
bounce_queue_lifetime = 5d
config_directory = /etc/postfix
default_destination_concurrency_limit = 5
delay_warning_time = 4h
disable_vrfy_command = yes
fast_flush_domains =
header_checks = regexp:/etc/postfix/header_checks
home_mailbox = Maildir/
inet_interfaces = all
inet_protocols = all
initial_destination_concurrency = 2
mailbox_size_limit = 0
message_size_limit = 20480000
mydestination = $myhostname, /etc/postfix/relaydomains
myhostname = mail.richardsavage.org.uk
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 212.87.xx.xxx/32
mynetworks_style = host
myorigin = /etc/mailname
postscreen_bare_newline_action = drop
postscreen_bare_newline_enable = yes
postscreen_dnsbl_action = drop
postscreen_dnsbl_sites = bl.spamcop.net, zen.spamhaus.org, cbl.abuseat.org
postscreen_dnsbl_threshold = 1
postscreen_greet_action = drop
postscreen_greet_banner =
postscreen_greet_wait = 3s
postscreen_non_smtp_command_action = drop
postscreen_non_smtp_command_enable = yes
postscreen_pipelining_action = drop
postscreen_pipelining_enable = yes
readme_directory = no
recipient_delimiter =
relay_domains =
relayhost =
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP
smtpd_client_connection_count_limit = 2
smtpd_client_connection_rate_limit = 5
smtpd_client_event_limit_exceptions = 127.0.0.1
smtpd_client_message_rate_limit = 10
smtpd_client_recipient_rate_limit = 250
smtpd_client_restrictions = reject_unauth_pipelining, reject_unknown_client_hostname
smtpd_data_restrictions = reject_multi_recipient_bounce, reject_unauth_pipelining
smtpd_delay_reject = yes
smtpd_etrn_restrictions = reject
smtpd_hard_error_limit = 10
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, reject_unknown_helo_hostname, reject_invalid_helo_hostname, reject_non_fqdn_hostname, reject_unauth_pipelining
smtpd_recipient_limit = 100
smtpd_recipient_overshoot_limit = 1
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_reject_footer = For assistance, contact supp...@quavey.co.uk.\nPlease provide the following information in your problem report.\ntime ($localtime), client ($client_address), and server ($server_name).
smtpd_sender_restrictions = reject_non_fqdn_sender, reject_unknown_sender_domain, reject_non_fqdn_recipient, reject_unknown_recipient_domain
smtpd_soft_error_limit = 2
smtpd_tls_ask_ccert = no
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
soft_bounce = no
strict_rfc821_envelopes = yes
tls_random_source = dev:/dev/urandom
transport_maps = hash:/etc/postfix/transport
unknown_client_reject_code = 450
virtual_alias_domains = yes
virtual_alias_maps = hash:/etc/postfix/virtual_addresses
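
Added example, not part of the post above and not Postfix code: a check over `postconf -n` output for the situation the post asks about, a domain named in more than one address class ($mydestination, $virtual_alias_domains and the others). The sample input is constructed, `example.org` and `mx.example.net` are placeholders, and entries that are files or lookup tables are only reported for manual review because `postconf -n` does not show their contents.

```python
import re

# Postfix address classes; the documentation says a domain belongs in only one.
ADDRESS_CLASSES = ("mydestination", "virtual_alias_domains",
                   "virtual_mailbox_domains", "relay_domains")

def parse_postconf(text):
    """Parse 'postconf -n' style 'name = value' lines into a dict."""
    params = {}
    for line in text.splitlines():
        name, sep, value = line.partition("=")
        if sep and re.fullmatch(r"[A-Za-z0-9_]+", name.strip()):
            params[name.strip()] = value.strip()
    return params

def is_lookup(entry):
    """True for /file/name pattern files and type:table lookups."""
    return entry.startswith("/") or ":" in entry

def class_entries(params, name):
    """Split a domain list on commas/whitespace, expanding $myhostname only."""
    entries = set()
    for item in re.split(r"[,\s]+", params.get(name, "")):
        if item == "$myhostname":
            item = params.get("myhostname", item)
        if item:
            entries.add(item if is_lookup(item) else item.lower())
    return entries

def audit(text):
    """Return (overlaps, unchecked): entries present in two classes, and
    file/table entries whose contents must be inspected by hand."""
    params = parse_postconf(text)
    lists = {c: class_entries(params, c) for c in ADDRESS_CLASSES}
    overlaps = [(entry, a, b)
                for i, a in enumerate(ADDRESS_CLASSES)
                for b in ADDRESS_CLASSES[i + 1:]
                for entry in sorted(lists[a] & lists[b])]
    unchecked = [(c, e) for c in ADDRESS_CLASSES
                 for e in sorted(lists[c]) if is_lookup(e)]
    return overlaps, unchecked

# Constructed sample input; domain and host names are placeholders.
SAMPLE = """\
myhostname = mx.example.net
mydestination = $myhostname, /etc/postfix/relaydomains, example.org
relay_domains =
virtual_alias_domains = example.org
"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```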

