From: vr on 21 Jun 2010 11:18

I know I've got some options set wrong which is why I'm here, but my postconf -n is currently this:

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
config_directory = /etc/postfix
disable_vrfy_command = yes
header_checks = pcre:/etc/postfix/header_checks_pcre
inet_interfaces = all
mailbox_size_limit = 0
message_size_limit = 0
mydestination = /etc/postfix/mydestination.cf
myhostname = myHost.myDomain.tld
mynetworks = /etc/postfix/mynetworks.cf
myorigin = /etc/postfix/myorigin.cf
readme_directory = no
recipient_delimiter = +
relay_domains = /etc/postfix/myrelay_domains.cf
relay_recipient_maps = hash:/etc/postfix/exchange_recipients
relayhost =
show_user_unknown_table_name = no
smtpd_banner = Ready
smtpd_client_restrictions =
smtpd_delay_reject = yes
smtpd_helo_required = yes
smtpd_helo_restrictions =
smtpd_recipient_restrictions = permit_mynetworks reject_unauth_destination check_client_access hash:/etc/postfix/ok_by_domain_hash check_client_access hash:/etc/postfix/ok_by_email_hash check_client_access hash:/etc/postfix/access_hash check_client_access hash:/etc/postfix/reject_by_ip_hash check_helo_access hash:/etc/postfix/ok_by_domain_hash check_helo_access hash:/etc/postfix/access_hash check_client_access regexp:/etc/postfix/access_regexp check_recipient_access hash:/etc/postfix/recipient_reject_hash reject_unknown_reverse_client_hostname reject_unknown_client_hostname reject_non_fqdn_helo_hostname reject_invalid_helo_hostname reject_rbl_client dnsbl-1.uceprotect.net reject_rbl_client dnsbl-2.uceprotect.net
smtpd_sender_restrictions = permit_mynetworks check_sender_access hash:/etc/postfix/ok_by_domain_hash check_sender_access hash:/etc/postfix/ok_by_email_hash check_sender_access hash:/etc/postfix/access_hash reject_unknown_sender_domain
transport_maps = hash:/etc/postfix/transport
unknown_address_reject_code = 550
unknown_client_reject_code = 550
unknown_hostname_reject_code = 550
When holding most/all restrictions until smtpd_recipient_restrictions, is there a way to OK a MAIL FROM: sender without becoming an open relay for those OK'd entries? I would also like to OK a MAIL FROM: sender even if their connecting client IP is on dnsbl-*.uceprotect.net or doesn't pass a check. Is this easily do-able without being too dangerous?
From: Noel Jones on 21 Jun 2010 11:33
On 6/21/2010 10:18 AM, vr wrote:
> I know I've got some options set wrong which is why I'm here, but my
> postconf -n is currently this:
....

not reviewed

> When holding most/all restrictions until smtpd_recipient_restrictions,
> is there a way to OK a MAIL FROM: sender without becoming an open relay
> for those OK'd entries?

Yes. You can safely put anything after reject_unauth_destination without fear of being an open relay. See the note at the end of the "dangerous" section
http://www.postfix.org/SMTPD_ACCESS_README.html#danger
But do pay attention to what you're doing.

> I would also like to OK a MAIL FROM: sender even if their connecting
> client IP is on dnsbl-*.uceprotect.net or doesn't pass a check. Is this
> easily do-able without being too dangerous?

Not recommended; better to OK the client's IP if possible. However, you can use a sender-based whitelist just as easily. Just make sure the whitelist is after reject_unauth_destination and before any RBL checks.

A general outline:

smtpd_recipient_restrictions =
    permit_mynetworks
    permit_sasl_authenticated
    reject_unauth_destination
    ... restrictions for all connections
    ... local whitelists
    ... RBLs and other restrictions

-- 
Noel Jones
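The ordering rule in the reply above (whitelists after reject_unauth_destination, before any RBL) is easy to get wrong when a restriction list grows to a dozen entries. The following is an added example, not code from the thread or from the Postfix project: a small Python linter that parses `postconf -n` style text, splits `smtpd_recipient_restrictions` into restrictions, and reports two ordering problems: any `check_*_access` or `permit_*` lookup that sits before `reject_unauth_destination` (an OK result there would allow relaying), and any `check_*_access` whitelist placed after the first `reject_rbl_client`/`reject_rhsbl_*` entry (it can never override a listing). The two configuration samples are constructed for the example and only mirror the shape of the one posted in the question.

```python
"""Lint the order of a Postfix smtpd_recipient_restrictions list (added example)."""

# Restrictions that take one argument (a lookup table or a DNSBL domain).
ARG_RESTRICTIONS = {
    "check_client_access", "check_helo_access", "check_sender_access",
    "check_recipient_access", "reject_rbl_client", "reject_rhsbl_client",
    "reject_rhsbl_sender", "reject_rhsbl_helo",
}
# Restrictions that can return OK/permit and so short-circuit everything after them.
WHITELIST_PREFIXES = ("check_", "permit_")
# The two restrictions that stop unauthorised relaying.
RELAY_GUARDS = ("reject_unauth_destination", "defer_unauth_destination")
# Clients that are meant to relay; they belong before the relay guard.
INTENDED_RELAY_PERMITS = ("permit_mynetworks", "permit_sasl_authenticated")


def tokenize(value):
    """Split a restriction list into (name, argument) pairs; commas are optional in Postfix."""
    words = value.replace(",", " ").split()
    items, i = [], 0
    while i < len(words):
        name = words[i]
        if name in ARG_RESTRICTIONS and i + 1 < len(words):
            items.append((name, words[i + 1]))
            i += 2
        else:
            items.append((name, None))
            i += 1
    return items


def parse_postconf(text):
    """Parse `postconf -n` / main.cf style text; indented lines continue the previous value."""
    params, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and current:
            params[current] += " " + line.strip()
            continue
        key, _, val = line.partition("=")
        current = key.strip()
        params[current] = val.strip()
    return params


def lint_recipient_restrictions(value):
    """Return a list of human-readable ordering problems (empty list means none found)."""
    items = tokenize(value)
    names = [n for n, _ in items]
    findings = []

    guard_idx = next((i for i, n in enumerate(names) if n in RELAY_GUARDS), None)
    if guard_idx is None:
        findings.append("no reject_unauth_destination: any OK/permit result could relay")
        return findings

    # Anything that can answer OK before the relay guard lets matching clients relay anywhere.
    for name, arg in items[:guard_idx]:
        if name in INTENDED_RELAY_PERMITS:
            continue
        if name.startswith(WHITELIST_PREFIXES):
            findings.append(f"{name} {arg or ''}".rstrip()
                            + " is before reject_unauth_destination: an OK result there permits relaying")

    # A whitelist after the first RBL is never reached for a listed client.
    first_rbl = next((i for i, n in enumerate(names)
                      if n.startswith(("reject_rbl", "reject_rhsbl"))), None)
    if first_rbl is not None:
        for name, arg in items[first_rbl:]:
            if name.startswith("check_") and name.endswith("_access"):
                findings.append(f"{name} {arg} is after the first RBL check: it cannot override RBL rejects")
    return findings


# Constructed sample configs (not the poster's real main.cf).
SAFE_CONF = """\
myhostname = mail.example.test
smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated
    reject_unauth_destination
    reject_non_fqdn_helo_hostname
    check_sender_access hash:/etc/postfix/ok_by_email_hash
    reject_rbl_client dnsbl-1.uceprotect.net
"""

RISKY_CONF = """\
smtpd_recipient_restrictions = permit_mynetworks
    check_sender_access hash:/etc/postfix/ok_by_email_hash
    reject_unauth_destination
    reject_rbl_client dnsbl-1.uceprotect.net
    check_client_access hash:/etc/postfix/ok_by_domain_hash
"""


def lint_config(text):
    """Convenience wrapper: lint the restriction list found in a whole config text."""
    return lint_recipient_restrictions(parse_postconf(text).get("smtpd_recipient_restrictions", ""))


if __name__ == "__main__":
    for label, conf in (("safe", SAFE_CONF), ("risky", RISKY_CONF)):
        print(label, lint_config(conf) or "no ordering problems")
```

Run it against the output of `postconf -n` on your own server; an empty result means the whitelists sit in the window the reply describes. The linter only checks order, not what the access tables return, so a table that answers OK for too broad a key is still something to review by hand.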