From: "Manu" on 16 Feb 2010 16:43

Hello

I would like to accept mail from only one domain "smtp.domaineok.com"

This is my main.cf

smtpd_helo_restrictions = check_helo_access hash:/etc/postfix/helo_access,
    reject_invalid_hostname,
    reject_unknown_hostname,
    reject_non_fqdn_hostname,

smtpd_recipient_restrictions =
    permit_mynetworks,
    check_client_access hash:/etc/postfix/helo_access,
    permit_sasl_authenticated,
    reject_unauth_destination,
    reject_non_fqdn_recipient,
    reject_unknown_recipient_domain,
    reject_non_fqdn_helo_hostname,
    reject_invalid_helo_hostname
    reject_unlisted_recipient,
    reject_rbl_client zen.spamhaus.org,
    reject_rbl_client bl.spamcop.net

and my /etc/postfix/helo_access is

smtp.domaineok.com OK
* REJECT

But it doesn't work, every domain is accepted.

Any suggestions?

Emmanuel RIZZI

From: Ralf Hildebrandt on 16 Feb 2010 16:46

* Manu <traqueur(a)club-internet.fr>:
> Hello
>
> I would like to accept mail from only one domain "smtp.domaineok.com"
>
> This is my main.cf
>
> smtpd_helo_restrictions = check_helo_access hash:/etc/postfix/helo_access,
>     reject_invalid_hostname,
>     reject_unknown_hostname,
>     reject_non_fqdn_hostname,
>
> smtpd_recipient_restrictions =
>     permit_mynetworks,
>     check_client_access hash:/etc/postfix/helo_access,
>     permit_sasl_authenticated,
>     reject_unauth_destination,
>     reject_non_fqdn_recipient,
>     reject_unknown_recipient_domain,
>     reject_non_fqdn_helo_hostname,
>     reject_invalid_helo_hostname
>     reject_unlisted_recipient,
>     reject_rbl_client zen.spamhaus.org,
>     reject_rbl_client bl.spamcop.net
>
>
> and my :/etc/postfix/helo_access is
>
> smtp.domaineok.com OK
> * REJECT

The key "*" is not defined (man 5 access)
Are you sure using the HELO is a smart idea?

Better:

smtpd_recipient_restrictions =
    check_client_access hash:/etc/postfix/smtp.domaineok.com
    reject

/etc/postfix/smtp.domaineok.com contains:
smtp.domaineok.com OK

--
Ralf Hildebrandt
Geschäftsbereich IT | Abteilung Netzwerk
Charité - Universitätsmedizin Berlin
Campus Benjamin Franklin
Hindenburgdamm 30 | D-12203 Berlin
Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
ralf.hildebrandt(a)charite.de | http://www.charite.de

From: Victor Duchovni on 16 Feb 2010 16:59

On Tue, Feb 16, 2010 at 10:46:31PM +0100, Ralf Hildebrandt wrote:

> > smtpd_recipient_restrictions =
> >     permit_mynetworks,
> >     check_client_access hash:/etc/postfix/helo_access,
> >     permit_sasl_authenticated,
> >     reject_unauth_destination,
> >     reject_non_fqdn_recipient,
> >     reject_unknown_recipient_domain,
> >     reject_non_fqdn_helo_hostname,
> >     reject_invalid_helo_hostname
> >     reject_unlisted_recipient,
> >     reject_rbl_client zen.spamhaus.org,
> >     reject_rbl_client bl.spamcop.net
> >
> >
> > and my :/etc/postfix/helo_access is
> >
> > smtp.domaineok.com OK
> > * REJECT
>
> The key "*" is not defined (man 5 access)
> Are you sure using the HELO is a smart idea?

The OP is not using a HELO check, it is a "check_client_access" check.

> Better:
>
> smtpd_recipient_restrictions =
>     check_client_access hash:/etc/postfix/smtp.domaineok.com
>     reject
>
> /etc/postfix/smtp.domaineok.com contains:
> smtp.domaineok.com OK

This is unreliable in the face of temporary DNS lookup errors. Access
tables that "permit" via client DNS names are discouraged, as mail is
lost when DNS temp-fails.

--
Viktor.

P.S. Morgan Stanley is looking for a New York City based, Senior Unix
system/email administrator to architect and sustain our perimeter email
environment. If you are interested, please drop me a note.
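
Added example, not part of any post in this thread: a simplified Python model of the access(5) search order for check_client_access (IPv4 only), showing that "*" is never tried as a lookup key and that a table keyed by client hostname misses when the reverse lookup fails and the client name is "unknown". The client addresses, the address-keyed table and the function names are constructed for illustration.

```python
# Simplified model of the access(5) search order for check_client_access.
# Added illustration, not Postfix source; IPv4 only, no case folding.

def client_lookup_keys(hostname, address, parent_matches_subdomains=True):
    """Keys tried, in order, for one connecting client."""
    labels = hostname.split(".")
    keys = [hostname]
    # Parent domains: "domain.tld" when smtpd_access_maps is listed in
    # parent_domain_matches_subdomains (the default), else ".domain.tld".
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        keys.append(parent if parent_matches_subdomains else "." + parent)
    # Then the address and its leading octets: 1.2.3.4, 1.2.3, 1.2, 1
    octets = address.split(".")
    for n in range(len(octets), 0, -1):
        keys.append(".".join(octets[:n]))
    return keys

def check_client_access(table, hostname, address):
    """First matching key wins; no match means DUNNO (next restriction)."""
    for key in client_lookup_keys(hostname, address):
        if key in table:
            return table[key]
    return "DUNNO"

# Tables from the thread, plus one constructed address-keyed variant.
POSTED_TABLE = {"smtp.domaineok.com": "OK", "*": "REJECT"}
NAME_TABLE = {"smtp.domaineok.com": "OK"}
ADDR_TABLE = {"192.0.2.10": "OK"}  # assumed address of the wanted client

def demo():
    return {
        # A stranger never hits "*": it is not one of the lookup keys.
        "stranger_vs_star": check_client_access(
            POSTED_TABLE, "mail.example.net", "198.51.100.7"),
        # Wanted client, reverse DNS working.
        "wanted_dns_ok": check_client_access(
            NAME_TABLE, "smtp.domaineok.com", "192.0.2.10"),
        # Wanted client while DNS temp-fails: the name is "unknown", the
        # table misses, and the trailing "reject" then refuses the mail.
        "wanted_dns_fail": check_client_access(
            NAME_TABLE, "unknown", "192.0.2.10"),
        # Address key does not depend on the reverse lookup.
        "wanted_by_address": check_client_access(
            ADDR_TABLE, "unknown", "192.0.2.10"),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```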

From: Ralf Hildebrandt on 16 Feb 2010 17:11

* Victor Duchovni <Victor.Duchovni(a)morganstanley.com>:

> > The key "*" is not defined (man 5 access)
> > Are you sure using the HELO is a smart idea?
>
> The OP is not using a HELO check, it is a "check_client_access" check.

He was using it twice, once for helo, once for the client:

smtpd_helo_restrictions = check_helo_access hash:/etc/postfix/helo_access,

--
Ralf Hildebrandt
Geschäftsbereich IT | Abteilung Netzwerk
Charité - Universitätsmedizin Berlin
Campus Benjamin Franklin
Hindenburgdamm 30 | D-12203 Berlin
Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
ralf.hildebrandt(a)charite.de | http://www.charite.de

From: Victor Duchovni on 16 Feb 2010 17:14

On Tue, Feb 16, 2010 at 11:11:54PM +0100, Ralf Hildebrandt wrote:

> * Victor Duchovni <Victor.Duchovni(a)morganstanley.com>:
>
> > > The key "*" is not defined (man 5 access)
> > > Are you sure using the HELO is a smart idea?
> >
> > The OP is not using a HELO check, it is a "check_client_access" check.
>
> He was using it twice, once for helo, once for the client:
>
> smtpd_helo_restrictions = check_helo_access hash:/etc/postfix/helo_access,

"OK" results in "helo_checks" are rather dubious, as the HELO name is
completely unverified. A more sensible choice is "DUNNO" for a single
host when the containing domain has a "REJECT" rule.

--
Viktor.

P.S. Morgan Stanley is looking for a New York City based, Senior Unix
system/email administrator to architect and sustain our perimeter email
environment. If you are interested, please drop me a note.