[Mageia-sysadm] [294] - start to merge simple relay, and add some basic antispam filtering
Luca Berra
bluca at vodka.it
Fri Nov 19 08:35:54 CET 2010
On Thu, Nov 18, 2010 at 11:34:59PM +0100, root at mageia.org wrote:
>+<% if classes.include?('postfix::simple_relay') %>
> inet_interfaces = localhost
>+<% else %>
>+inet_interfaces = all
>+<% end %>
>+
>+<% if classes.include?('postfix::smtp_server') %>
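Review bot: the `else` branch sets `inet_interfaces = all`, but the `smtpd_recipient_restrictions` block that follows is only emitted for `postfix::smtp_server`, so a host that is in neither `postfix::simple_relay` nor `postfix::smtp_server` ends up listening on every interface with only the Postfix defaults for smtpd restrictions. Consider making `localhost` the default and opening `all` only inside the `postfix::smtp_server` branch, e.g. `<% if classes.include?('postfix::smtp_server') %>` / `inet_interfaces = all` / `<% else %>` / `inet_interfaces = localhost`.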
you can safely add:
smtpd_etrn_restrictions = reject
you should add:
smtpd_helo_required = yes
if you do checks based on helo here
>+smtpd_recipient_restrictions =
>+# not done yet
>+# permit_sasl_authenticated
you should add
reject_sender_login_mismatch
and configure something like:
smtpd_sender_login_maps =
proxy:ldap:/etc/postfix/smtpd_sender_login_maps.cf
server_host = ldaps://
version = 3
search_base = dc=mageia,dc=org
query_filter = (|(mail=%s)(mailLocalAddress=%s))
# use this with groupOfNames to allow people to send on behalf of an
# alias (eg postmaster, abuse, etc)
#special_result_attribute = owner
result_attribute = uid
>+ permit_mynetworks
>+ reject_unauth_destination
>+ reject_unauth_pipelining
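Review bot: `permit_mynetworks` is the first entry, so any client matching `mynetworks` skips every check listed after it, including `reject_unauth_destination`; with `inet_interfaces = all` in the branch above, the template should set `mynetworks` explicitly (loopback plus the known relay hosts) rather than rely on the Postfix 2.x default, which trusts every subnet the machine is attached to.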
this one should not be here ^^^^
put it into smtpd_data_restrictions, eg:
smtpd_data_restrictions = reject_unauth_pipelining, reject_multi_recipient_bounce
>+ reject_non_fqdn_recipient
this should go before every permit to be useful; it is not useful at all
after reject_unauth_destination.
>+ reject_non_fqdn_sender
I'd move it above the permits; if some script fails, fix it.
>+ reject_non_fqdn_hostname
Note1: this restriction has been renamed to
reject_non_fqdn_helo_hostname
Note2: I reckon it a bad idea; there are too many people unable to
properly configure their MTA to send an FQDN HELO.
>+ reject_invalid_hostname
Note: this restriction has been renamed to
reject_non_fqdn_helo_hostname
>+ reject_unknown_recipient_domain
this one has no use after reject_unauth_destination
>+ reject_unknown_sender_domain
>+ reject_unknown_client
Note1: this restriction has been renamed to
reject_unknown_client_hostname
Note2: this is _very_ strong; it will do both reverse and forward NS
lookups and reject mail if they don't match. I have seen valid
setups that fail under this condition; it is better to greylist these.
you are missing
reject_unlisted_recipient
which should be set up together with
local_recipient_maps
and
relay_recipient_maps
I also have a number of possible additions; should I send those in?
L.
--
Luca Berra -- bluca at vodka.it
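The ordering rules in the reply above (Postfix walks a restriction list left to right and stops at the first permit or reject, so a reject placed after reject_unauth_destination only ever sees mail that is already accepted for relay or local delivery) can be checked mechanically. The script below is an added example and is not code from the thread or from the Mageia puppet tree: it parses a main.cf-style excerpt (continuation lines and `#` lines handled the way Postfix reads them), then reports entries that sit in the wrong place, that Postfix has renamed, that belong in smtpd_data_restrictions, or that are missing. The two configuration samples are constructed for the example: the first mirrors the list under review, the second applies the suggested changes. All function and constant names are my own.

```python
"""Lint the order of a Postfix smtpd_recipient_restrictions list (added example)."""
import re

# Restriction names from the review that Postfix has since renamed
# (old name -> current name), as listed in the reply.
RENAMED = {
    "reject_non_fqdn_hostname": "reject_non_fqdn_helo_hostname",
    "reject_unknown_client": "reject_unknown_client_hostname",
}
# Rejects that are dead code once reject_unauth_destination has run:
# anything that survives it is already a recipient we accept mail for.
DEAD_AFTER_UNAUTH_DESTINATION = {
    "reject_non_fqdn_recipient",
    "reject_unknown_recipient_domain",
}
# Rejects that only bite if they come before the first permit_* entry.
WANT_BEFORE_PERMITS = {"reject_non_fqdn_recipient", "reject_non_fqdn_sender"}

# Constructed sample: the list as it appears in the reviewed template.
REVIEWED_MAIN_CF = """
inet_interfaces = all
smtpd_recipient_restrictions =
    # not done yet
    # permit_sasl_authenticated
    permit_mynetworks
    reject_unauth_destination
    reject_unauth_pipelining
    reject_non_fqdn_recipient
    reject_non_fqdn_sender
    reject_non_fqdn_hostname
    reject_invalid_hostname
    reject_unknown_recipient_domain
    reject_unknown_sender_domain
    reject_unknown_client
"""

# Constructed sample: the same list with the review's suggestions applied.
CORRECTED_MAIN_CF = """
inet_interfaces = all
smtpd_recipient_restrictions =
    reject_non_fqdn_recipient
    reject_non_fqdn_sender
    permit_mynetworks
    reject_unauth_destination
    reject_unlisted_recipient
    reject_unknown_sender_domain
smtpd_data_restrictions = reject_unauth_pipelining, reject_multi_recipient_bounce
"""


def parse_main_cf(text):
    """Parse main.cf-style text into {parameter: value}.

    A logical line starts in column one; lines that start with whitespace
    continue it; '#' lines and blank lines are skipped.
    """
    params = {}
    current = None
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if raw[0] in " \t":
            if current is None:
                raise ValueError("continuation line before any parameter: %r" % raw)
            params[current] = (params[current] + " " + stripped).strip()
            continue
        name, _, value = raw.partition("=")
        current = name.strip()
        params[current] = value.strip()
    return params


def split_list(value):
    """Split a Postfix list value on commas and/or whitespace."""
    return [item for item in re.split(r"[,\s]+", value) if item]


def lint_recipient_restrictions(params):
    """Return findings (strings) about the smtpd_recipient_restrictions order."""
    findings = []
    items = split_list(params.get("smtpd_recipient_restrictions", ""))
    if "reject_unauth_destination" not in items:
        findings.append("reject_unauth_destination: missing from the list")
        return findings
    unauth_dest = items.index("reject_unauth_destination")
    first_permit = next((i for i, r in enumerate(items) if r.startswith("permit")), len(items))
    for pos, name in enumerate(items):
        if name in RENAMED:
            findings.append(f"{name}: renamed to {RENAMED[name]}")
        if name == "reject_unauth_pipelining":
            findings.append(f"{name}: belongs in smtpd_data_restrictions")
        elif name in DEAD_AFTER_UNAUTH_DESTINATION and pos > unauth_dest:
            findings.append(f"{name}: never reached after reject_unauth_destination")
        elif name in WANT_BEFORE_PERMITS and pos > first_permit:
            findings.append(f"{name}: listed after the first permit, move it before the permits")
    if "reject_unlisted_recipient" not in items:
        findings.append("reject_unlisted_recipient: missing")
    return findings


if __name__ == "__main__":
    for label, text in (("reviewed", REVIEWED_MAIN_CF), ("corrected", CORRECTED_MAIN_CF)):
        print(f"== {label} ==")
        for finding in lint_recipient_restrictions(parse_main_cf(text)) or ["no findings"]:
            print("  " + finding)
```

Run it as-is to see seven findings for the reviewed list and none for the corrected one; to check a live host, feed it the output of `postconf -n` instead of the embedded samples. The lint stops early when reject_unauth_destination is absent, because with no relay control in the list the ordering of everything else is moot.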