On 10/31/2013 12:19 PM, John Allen wrote:
> Which is "better", to put the various restrictions with the appropriate
> smtpd_????_restriction stanzas, or to put them all into the
> smtpd_recipient_restrictions stanza. I am assuming that
> smtpd_delay_reject is yes.
>
> I have always assumed that putting them in one place had the advantage
> of allowing me to order the various restrictions as I wanted.
Use the EURR method - Everything Under Recipient Restrictions
for the reasons you state. Anything more than trivial whitelisting is a
PITA with the other method.
> postconf_output.txt
>
>
> alias_maps = hash:/etc/aliases
> append_dot_mydomain = no
> biff = no
> bounce_size_limit = 65536
> broken_sasl_auth_clients = yes
> config_directory = /etc/postfix
> content_filter = smtp-amavis:[127.0.0.1]:10024
> default_process_limit = 20
> delay_warning_time = 12h
> disable_vrfy_command = yes
> header_size_limit = 32768
> home_mailbox = Maildir/
> html_directory = /usr/share/doc/postfix/html
> mailbox_transport = lmtp:unix:private/dovecot-lmtp
> message_size_limit = 3276800
> mydestination = localhost, localhost.localdomain, localdomain
> mydomain = klam.ca
> myhostname = smtp.$mydomain
> mynetworks = 127.0.0.0/8, 192.168.0.0/16, [::1]/128, [2001:470:b183:30::]/64
> myorigin = $mydomain
> readme_directory = /usr/share/doc/postfix
> recipient_delimiter = +
> relocated_maps = hash:/etc/postfix/maps/relocated
> smtp_sasl_security_options = noanonymous
> smtp_sasl_tls_security_options = noanonymous
> smtp_tls_cert_file = /root/ssl/certs/KLaM_Mail.pem
> smtp_tls_enforce_peername = no
> smtp_tls_key_file = /root/ssl/private/KLaM_Mail.key
> smtp_tls_note_starttls_offer = yes
> smtp_tls_security_level = may
> smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
> smtp_use_tls = yes
> smtpd_banner = $myhostname ESMTP
> smtpd_client_restrictions =
> smtpd_data_restrictions = reject_multi_recipient_bounce,
> reject_unauth_pipelining
> smtpd_error_sleep_time = 5s
> smtpd_etrn_restrictions = reject
> smtpd_helo_required = yes
> smtpd_helo_restrictions =
> smtpd_recipient_limit = 128
> smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated,
> reject_unauth_destination, reject_invalid_hostname,
> reject_non_fqdn_hostname, reject_non_fqdn_sender,
> reject_non_fqdn_recipient,
> reject_unknown_sender_domain, reject_unknown_recipient_domain,
> check_sender_access hash:/etc/postfix/maps/sender_checks,
> check_recipient_access pcre:/etc/postfix/maps/recipient_checks.pcre,
> check_recipient_access hash:/etc/postfix/maps/recipient_checks,
> check_helo_access pcre:/etc/postfix/maps/helo_checks.pcre,
> reject_rbl_client
> zen.spamhaus.org, reject_rbl_client bl.spamcop.net, check_policy_service
> inet:127.0.0.1:10023
> smtpd_sasl_auth_enable = yes
> smtpd_sasl_authenticated_header = yes
> smtpd_sasl_local_domain = $mydomain
> smtpd_sasl_path = private/dovecot-auth
> smtpd_sasl_security_options = noanonymous
> smtpd_sasl_type = dovecot
> smtpd_sender_restrictions =
> smtpd_tls_ask_ccert = yes
> smtpd_tls_auth_only = yes
> smtpd_tls_cert_file = /root/ssl/certs/KLaM_Mail.pem
> smtpd_tls_key_file = /root/ssl/private/KLaM_Mail.key
> smtpd_tls_mandatory_ciphers = medium
> smtpd_tls_mandatory_protocols = SSLv3, TLSv1
> smtpd_tls_received_header = yes
> smtpd_tls_req_ccert = no
> smtpd_tls_security_level = may
> smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
> smtpd_tls_session_cache_timeout = 3600s
> smtpd_use_tls = yes
> strict_rfc821_envelopes = yes
> virtual_alias_maps = pgsql:/etc/postfix/sql/valiases.sql
> virtual_mailbox_domains = pgsql:/etc/postfix/sql/vdomains.sql
> virtual_mailbox_maps = pgsql:/etc/postfix/sql/vmailbox.sql
> virtual_transport = lmtp:unix:private/dovecot-lmtp
>
