Nils Vogels wrote:
> Stephen Warren wrote on 6-1-2007 19:54:
>> You should configure your SMTP server such that any email that has an
>> envelope sender in your domain(s) is rejected. Then, you need to enable
>> authenticated users to override this restriction, so your internal users
>> can still send out email via your mail servers (and only your mail
>> servers).
>>
> You wouldn't happen to have a recipe for postfix to do that lying
> around, would you ? ;)
Sure! To prevent people forging your domain in the envelope sender, whilst
sending mail to you, do this:

/etc/postfix/main.cf
====================
smtpd_sender_restrictions =
    permit_mynetworks,
    check_client_access hash:/etc/postfix/access_backup_mx,
    check_client_access hash:/etc/postfix/access_ok_to_spoof_domain,
    check_sender_access hash:/etc/postfix/access_sender,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain
====================

/etc/postfix/access_backup_mx
====================
# List all possible backup MX hosts here.
# We can't run SPF for them, since the client IP will be wrong.
1.2.3.4         OK
====================

/etc/postfix/access_ok_to_spoof_domain
====================
# List all possible systems (other than backup MX)
# that can send email *from* our domain,
# without going through our servers
#
# Can't reconfigure BB devices to send through our servers
blackberry.com          OK
# They maintain Exchange server based mailing lists which
# we both send to and receive email from, and Exchange doesn't
# rewrite envelope sender for the lists...
our-customer.com        OK
ourcustomer.com         OK
====================

/etc/postfix/access_sender
====================
# Any sender using a local address is either a spammer or clueless.
# All legitimate local senders must relay mail through TMDA-OFMIPD, and
# hence the permit_mynetworks will let them through
gyanasoft.com   REJECT Do not try to spoof the sender domain of email.
====================

To set up another SMTP server instance, that requires authentication, that
allows real "local" users to use "local" envelope sender addresses, do this:

/etc/postfix/master.cf
====================
# Standard
smtp        inet  n  -  n  -  -  smtpd
# SMTP over SSL
smtps       inet  n  -  n  -  -  smtpd
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_helo_restrictions=permit
  -o smtpd_sender_restrictions=permit_sasl_authenticated,reject
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
  -o smtpd_tls_wrappermode=yes
# SMTP over TLS
submission  inet  n  -  n  -  -  smtpd
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_helo_restrictions=permit
  -o smtpd_sender_restrictions=permit_sasl_authenticated,reject
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
  -o smtpd_enforce_tls=yes
====================

and you'll probably need to set up TLS:

====================
smtpd_use_tls = yes
smtpd_tls_auth_only = yes
smtpd_tls_key_file = /etc/ssl/keys/helium.gyanasoft.com.key
smtpd_tls_cert_file = /etc/ssl/keys/helium.gyanasoft.com.crt
smtpd_tls_CAfile = /etc/ssl/trusted_CAs/ca-gyanasoft.com.crt
smtpd_tls_received_header = yes
smtpd_tls_session_cache_database = btree:/var/spool/postfix/smtpd_cache
smtpd_tls_session_cache_timeout = 3600s
smtp_use_tls = yes
smtp_enforce_tls = no
smtp_tls_session_cache_database = btree:/var/spool/postfix/smtp_cache
smtp_tls_session_cache_timeout = 3600s
smtp_tls_enforce_peername = no
smtp_tls_CApath = /etc/ssl/trusted_CAs
smtp_tls_per_site = hash:/etc/postfix/tls_per_site
====================

Hope this helps!

_____________________________________________
tmda-users mailing list (tmda-users@tmda.net)
http://tmda.net/lists/listinfo/tmda-users
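The reason the recipe above works is that Postfix walks smtpd_sender_restrictions in order and stops at the first OK or REJECT, so the backup MX and the "allowed to spoof" hosts are whitelisted before the sender-domain REJECT is ever consulted. The following is an added simulation of that evaluation order over the access tables from the post (it is not part of the original message or of Postfix); the mynetworks ranges and all client/sender values are constructed, and it mirrors Postfix's default parent-domain matching only in simplified form.

```python
import ipaddress

# Constructed stand-in for $mynetworks; the post does not show the real value.
MYNETWORKS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("127.0.0.0/8")]
# The three access tables exactly as listed in the post.
ACCESS_BACKUP_MX = {"1.2.3.4": "OK"}
ACCESS_OK_TO_SPOOF = {"blackberry.com": "OK", "our-customer.com": "OK", "ourcustomer.com": "OK"}
ACCESS_SENDER = {"gyanasoft.com": "REJECT"}

def client_keys(ip, hostname):
    """check_client_access: verified hostname, its parent domains, the IP, then IP prefixes."""
    labels = hostname.split(".") if hostname and hostname != "unknown" else []
    keys = [".".join(labels[i:]) for i in range(len(labels))]
    octets = ip.split(".")
    keys += [".".join(octets[:n]) for n in range(4, 0, -1)]
    return keys

def sender_keys(sender):
    """check_sender_access: user@domain, domain and its parent domains, then user@."""
    local, _, domain = sender.rpartition("@")
    labels = domain.split(".") if domain else []
    return [sender] + [".".join(labels[i:]) for i in range(len(labels))] + [local + "@"]

def lookup(table, keys):
    for key in keys:
        if key in table:
            return table[key]
    return None

def sender_restriction(client_ip, client_hostname, sender):
    """First-match evaluation of the post's smtpd_sender_restrictions (simplified)."""
    if any(ipaddress.ip_address(client_ip) in net for net in MYNETWORKS):
        return "OK"                                   # permit_mynetworks
    for table in (ACCESS_BACKUP_MX, ACCESS_OK_TO_SPOOF):
        result = lookup(table, client_keys(client_ip, client_hostname))
        if result:
            return result                             # check_client_access ...
    result = lookup(ACCESS_SENDER, sender_keys(sender))
    if result:
        return result                                 # check_sender_access ...
    domain = sender.rpartition("@")[2]
    if sender and "." not in domain:
        return "REJECT"                               # reject_non_fqdn_sender
    return "DUNNO"  # reject_unknown_sender_domain needs DNS; not simulated here
```

A client anywhere on the Internet claiming a gyanasoft.com sender is rejected, while the same sender arriving from the backup MX, a blackberry.com host, or a machine inside $mynetworks is accepted.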