Rob,
>"postconf mail_version"
Version: 2.6.6
>This is surely not what you want. You're talking about mail which
>comes from Google; they are not within your $mynetworks (or, if they
>are, you have very serious problems.)
We use Google services for Mail and such, so we could discontinue our
use of Microsoft Exchange Servers.
My use of postfix:

{Internal Servers}---------->{Postfix}--------->{Firewall}---------->{Google MTA Servers}
I am only allowing servers within my network to talk with the postfix
server. Our firewall(s) are also restricting external traffic to
postfix. My network statements are not blanket cidr statements but
allow only specific servers within our networks.
>This looks like a bad idea too. This says you will accept any mail
>with a permitting access(5) action for any recipient in your
>/etc/postfix/blacklist_recipient file, or any mail originating from
>$mynetworks, and ANY other mail will be rejected.
My goal using the statements:

{Internal Servers}--->{Check recipient blacklist}>(false)>{check auth networks}>(true)---->{ISP/Google MTA Servers}
                                   \/                               \/
                        (true)>message blocked           (false)>message blocked
I am continuing to monitor our postfix servers but it seems with this
configuration I am blocking about 98% of the messages which were
bouncing due to known bad addresses. I wish I could stop it at the
server level but some of those applications are old, out of support or
the admin is lazy. I felt this was my best option to cut the number of
messages which are bounced.
If there is a better method I am still open to it but this seems to be
working effectively.
Blake
On 03/11/2014 01:07 PM, /dev/rob0 wrote:
> On Tue, Mar 11, 2014 at 10:47:42AM -0600, Blake wrote:
>> I have settled on the following configuration, but am still open
>> to ideas.
>> smtpd_relay_restrictions = permit_mynetworks, reject
> This says, *if* you are using a version 2.10 or newer (you didn't
> answer that question), that you will ONLY accept mail originating
> from within $mynetworks, and ANY other mail will be rejected.
> "postconf mail_version"
> This is surely not what you want. You're talking about mail which
> comes from Google; they are not within your $mynetworks (or, if they
> are, you have very serious problems.)
>> smtpd_recipient_restrictions = check_recipient_access
>> hash:/etc/postfix/blacklist_recipient, permit_mynetworks, reject
> This looks like a bad idea too. This says you will accept any mail
> with a permitting access(5) action for any recipient in your
> /etc/postfix/blacklist_recipient file, or any mail originating from
> $mynetworks, and ANY other mail will be rejected.
> Postfix will do what you tell it to. If you tell it to reject all
> mail, that's what you get.
> I think Noel already referred you to the SMTPD_ACCESS_README, but
> you're not understanding. EVERY restriction stage MUST resolve to
> "dunno" or a permit action. If any stage results in "reject", the
> mail is rejected.
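The following is an added example, not part of the thread and not Postfix's own code: a small Python model of how Postfix walks the restriction lists discussed above (first restriction in a list that answers OK or REJECT decides that list; an exhausted list counts as "dunno"; every stage must end in "dunno" or a permit for the RCPT TO to be accepted). It assumes Postfix 2.10 or newer semantics, where smtpd_relay_restrictions exists and is evaluated before smtpd_recipient_restrictions (on 2.6.6, as Rob notes, that parameter is not known at all). The client addresses, the $mynetworks entries and the blacklist table contents are constructed sample data, and the access(5) lookup order is simplified (no parent-domain matching).

```python
# Added example: model of Postfix smtpd restriction evaluation for the
# configuration in this thread. Not Postfix code; sample data is constructed.
import ipaddress

# Constructed: $mynetworks as specific hosts (/32), not blanket CIDRs,
# matching the poster's description of his network statements.
MYNETWORKS = [ipaddress.ip_network(n) for n in ("192.0.2.10/32", "192.0.2.11/32")]

# Constructed: what a hash:/etc/postfix/blacklist_recipient table might hold.
# Keys follow access(5): full address, or a bare domain.
BLACKLIST_RECIPIENT = {
    "old-app-alias@example.com": "REJECT known bad address",
    "defunct.example": "REJECT domain no longer exists",
}

def access_lookup(table, address):
    """Simplified access(5) lookup order for an e-mail address:
    user@domain, then the domain, then user@ (parent-domain matching omitted)."""
    local, _, domain = address.rpartition("@")
    for key in (address, domain, local + "@"):
        if key in table:
            return table[key]
    return None

def check_recipient_access(session):
    """check_recipient_access: DUNNO when the recipient is not in the table,
    otherwise the first word of the table entry (OK, REJECT, DUNNO, ...)."""
    result = access_lookup(BLACKLIST_RECIPIENT, session["recipient"])
    return "DUNNO" if result is None else result.split()[0]

def permit_mynetworks(session):
    """permit_mynetworks: OK for clients inside $mynetworks, else DUNNO."""
    addr = ipaddress.ip_address(session["client"])
    return "OK" if any(addr in net for net in MYNETWORKS) else "DUNNO"

def reject(session):
    """The unconditional 'reject' restriction."""
    return "REJECT"

def evaluate_list(restrictions, session):
    """First restriction that returns something other than DUNNO decides the
    list. Running off the end is equivalent to DUNNO (the stage permits)."""
    for restriction in restrictions:
        verdict = restriction(session)
        if verdict != "DUNNO":
            return verdict, restriction.__name__
    return "DUNNO", None

# The thread's configuration, expressed as ordered restriction lists:
#   smtpd_relay_restrictions     = permit_mynetworks, reject
#   smtpd_recipient_restrictions = check_recipient_access hash:/etc/postfix/blacklist_recipient,
#                                  permit_mynetworks, reject
STAGES = [
    ("smtpd_relay_restrictions", [permit_mynetworks, reject]),
    ("smtpd_recipient_restrictions", [check_recipient_access, permit_mynetworks, reject]),
]

def decide(session):
    """Run every stage in order. A permit in one stage does not skip later
    stages; the first stage that resolves to REJECT rejects the RCPT TO."""
    for stage_name, restrictions in STAGES:
        verdict, by = evaluate_list(restrictions, session)
        if verdict == "REJECT":
            return "REJECT", stage_name, by
    return "ACCEPT", None, None

if __name__ == "__main__":
    # Constructed sessions: two internal relays and one outside client.
    samples = [
        {"client": "192.0.2.10", "recipient": "user@example.com"},
        {"client": "192.0.2.10", "recipient": "old-app-alias@example.com"},
        {"client": "192.0.2.11", "recipient": "anyone@defunct.example"},
        {"client": "203.0.113.7", "recipient": "user@example.com"},
    ]
    for s in samples:
        print(s["client"], "->", s["recipient"], decide(s))
```

The outside client (203.0.113.7, a constructed address standing in for any MTA outside $mynetworks) never reaches the recipient stage: permit_mynetworks answers DUNNO, the trailing "reject" answers REJECT, and the relay list is decided, which is exactly Rob's point about mail that originates at Google. The internal relays get past the relay stage on permit_mynetworks, and only then does the recipient blacklist table decide whether the RCPT TO is refused.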