Hello,
I'm running Postfix 3.3. I'm thinking I've got an issue with my smtpd*
restrictions, either doing double work or not ordered right, or just
not optimized. Can someone take a look and see if anything stands out
as being off?
Thanks.
Dave.
master.cf (service excerpt):
submission inet n - n - - smtpd
-o syslog_name=postfix/submission
-o smtpd_tls_dh1024_param_file=/etc/ssl/dhparam.pem
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_sasl_type=dovecot
-o smtpd_sasl_path=private/auth
-o smtpd_sasl_security_options=noanonymous
-o
smtpd_recipient_restrictions=reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_sasl_authenticated,reject
-o smtpd_sender_login_maps=mysql:/usr/local/etc/postfix/db/sender-login-maps.cf
-o tls_preempt_cipherlist=yes
main.cf (smtpd* restrictions):
strict_rfc821_envelopes = yes
disable_vrfy_command = yes
smtpd_reject_unlisted_sender = yes
show_user_unknown_table_name = no
unknown_address_reject_code = 554
unknown_hostname_reject_code = 554
unknown_client_reject_code = 554
# Conditions in which Postfix works as a relay. (for mail user clients)
smtpd_relay_restrictions =
reject_non_fqdn_recipient
reject_unknown_recipient_domain
permit_mynetworks
reject_unauth_destination
smtpd_recipient_restrictions =
permit_mynetworks
permit_sasl_authenticated
reject_unauth_destination
check_helo_access hash:/usr/local/etc/postfix/helo_access,
,check_helo_access pcre:/usr/local/etc/postfix/helo_checks
,check_sender_mx_access cidr:/usr/local/etc/postfix/bogus_mx
check_sender_access hash:/usr/local/etc/postfix/safe_addresses
check_sender_access hash:/usr/local/etc/postfix/auto-whtlst
check_client_access cidr:/usr/local/etc/postfix/spamfarms
check_client_access cidr:/usr/local/etc/postfix/sinokorea.cidr
check_recipient_access mysql:/usr/local/etc/postfix/db/recipient-access.cf
permit_dnswl_client list.dnswl.org=127.0.[2..14].[1..3]
check_reverse_client_hostname_access
pcre:/usr/local/etc/postfix/fqrdns.pcre
reject_unknown_reverse_client_hostname
reject_non_fqdn_sender
# The below commented lines were commented to make outlook work
#reject_non_fqdn_helo_hostname
reject_invalid_helo_hostname
#reject_unknown_helo_hostname
reject_unlisted_recipient
reject_rhsbl_client dbl.spamhaus.org
reject_rhsbl_sender dbl.spamhaus.org
reject_rhsbl_helo dbl.spamhaus.org
check_policy_service unix:private/spf-policy
check_policy_service unix:private/dovecot-quota
# Restrictions for all sending foreign servers ("SMTP clients")
smtpd_client_restrictions =
permit_mynetworks
check_client_access hash:/usr/local/etc/postfix/without_ptr
reject_unknown_client_hostname
smtpd_helo_required = yes
smtpd_helo_restrictions =
permit_mynetworks
reject_invalid_helo_hostname
# The below lines were commented to make outlook work
#reject_non_fqdn_helo_hostname
#reject_unknown_helo_hostname
# Block clients, which start sending too early
smtpd_data_restrictions = reject_unauth_pipelining
# Restrictions for MUAs
#mua_relay_restrictions =
reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_mynetworks,permit_sasl_authenticated,reject
#mua_sender_restrictions =
permit_mynetworks,reject_non_fqdn_sender,reject_sender_login_mismatch,permit_sasl_authenticated,reject
#mua_client_restrictions = permit_mynetworks,permit_sasl_authenticated,reject
