----- Message from Viktor Dukhovni <postfix-us...@dukhovni.org> ---------
    Date: Thu, 27 Apr 2017 13:01:16 -0400
    From: Viktor Dukhovni <postfix-us...@dukhovni.org>
Reply-To: Postfix users <postfix-users@postfix.org>
 Subject: Re: SASL auth only on port 25
      To: Postfix users <postfix-users@postfix.org>


On Apr 27, 2017, at 12:45 PM, Simon Wilson <si...@simonandkate.net> wrote:

smtpd_recipient_restrictions =
       check_client_access hash:/etc/postfix/client_checks,
       permit_mynetworks,
       permit_sasl_authenticated,
       check_sender_access hash:/etc/postfix/sender_access,

That check looks risky here.  You're making access decisions based on
an easily spoofable sender address, prior to blocking relaying with
"reject_unauth_destination".  That table had better not have any
OK entries, but in any case find some way to put this below
reject_unauth_destination.


Got it - because someone could potentially say "Hey I've got MAIL FROM xxxxx@wherever" and if that email address is in that sender_access file, they could then use my server as a relay, because the 'reject_unauth_destination' check has not been evaluated.

Thank you for the comment, I will rectify that.

Simon.

       check_recipient_access hash:/etc/postfix/recipient_access.outside,
       reject_unauth_destination,
       reject_unauth_pipelining,
       reject_invalid_helo_hostname,
       reject_non_fqdn_helo_hostname,
       reject_non_fqdn_sender,
       reject_unknown_sender_domain,
       reject_non_fqdn_recipient,
       reject_unknown_recipient_domain,
       reject_rbl_client zen.spamhaus.org,
       check_policy_service unix:private/policy-spf
       permit

--
        Viktor.

--
Simon Wilson
M: 0400 12 11 16
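
The ordering problem discussed in this thread can be checked mechanically. The following is an added example, not code from the thread or from Postfix: it parses an `smtpd_recipient_restrictions` value and reports access-table lookups keyed on client-supplied data that are evaluated before `reject_unauth_destination`. The function names and the reordered list are illustrative assumptions, and including `check_helo_access` alongside `check_sender_access` generalizes beyond the case raised above.

```python
import re

# Lookups keyed on values the SMTP client supplies and can forge.
# check_sender_access is the case from the thread; check_helo_access is
# added here as a generalization (assumption of this example).
SPOOFABLE = {"check_sender_access", "check_helo_access"}
RELAY_GUARD = "reject_unauth_destination"

def parse_restrictions(value):
    """Split a restriction list into (name, argument) pairs.
    Names are lowercase words with underscores; any other token
    (hash:/path, zen.spamhaus.org, unix:...) is the previous name's argument."""
    items = []
    for tok in filter(None, re.split(r"[,\s]+", value)):
        if re.fullmatch(r"[a-z_]+", tok):
            items.append([tok, None])
        elif items:
            items[-1][1] = tok
    return [tuple(i) for i in items]

def risky_before_relay_guard(value):
    """Return spoofable lookups evaluated before the relay guard.
    An OK result from any of them would permit relaying."""
    findings = []
    for name, arg in parse_restrictions(value):
        if name == RELAY_GUARD:
            break
        if name in SPOOFABLE:
            findings.append((name, arg))
    return findings

# Shortened from the list posted in the thread.
AS_POSTED = """
    check_client_access hash:/etc/postfix/client_checks,
    permit_mynetworks,
    permit_sasl_authenticated,
    check_sender_access hash:/etc/postfix/sender_access,
    check_recipient_access hash:/etc/postfix/recipient_access.outside,
    reject_unauth_destination,
    reject_unauth_pipelining
"""
# Constructed: one possible reordering with the sender check below the guard.
REORDERED = AS_POSTED.replace(
    "check_sender_access hash:/etc/postfix/sender_access,\n", "").replace(
    "reject_unauth_destination,",
    "reject_unauth_destination,\n    check_sender_access hash:/etc/postfix/sender_access,")

if __name__ == "__main__":
    for label, cfg in (("as posted", AS_POSTED), ("reordered", REORDERED)):
        print(label, "->", risky_before_relay_guard(cfg) or "no findings")
```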
