[Mageia-sysadm] [294] - start to merge simple relay, and add some basic antispam filtering

Luca Berra bluca at vodka.it
Fri Nov 19 08:35:54 CET 2010


On Thu, Nov 18, 2010 at 11:34:59PM +0100, root at mageia.org wrote:
>+<% if classes.include?('postfix::simple_relay') %>
> inet_interfaces = localhost
>+<% else %>
>+inet_interfaces = all
>+<% end %>
>+
>+<% if classes.include?('postfix::smtp_server') %>
you can safely add:
smtpd_etrn_restrictions = reject
you should add:
smtpd_helo_required = yes
if you do checks based on HELO here
>+smtpd_recipient_restrictions =
>+#    not done yet
>+#    permit_sasl_authenticated
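Review bot: with permit_sasl_authenticated commented out ("not done yet"), the only permit left in this list is permit_mynetworks, so any client outside mynetworks that tries to relay to a non-local destination is rejected by reject_unauth_destination; make sure SASL is not enabled on this smtpd service, and that no submission service reuses this list, until the permit is restored.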
you should add:
reject_sender_login_mismatch
and configure something like:
smtpd_sender_login_maps =
proxy:ldap:/etc/postfix/smtpd_sender_login_maps.cf

# contents of /etc/postfix/smtpd_sender_login_maps.cf
server_host = ldaps://
version = 3
search_base = dc=mageia,dc=org
query_filter = (|(mail=%s)(mailLocalAddress=%s))
# use this with groupOfNames to allow people to send on behalf of an
# alias (eg postmaster, abuse, etc)
#special_result_attribute = owner
result_attribute = uid

>+    permit_mynetworks
>+    reject_unauth_destination
>+    reject_unauth_pipelining
this one should not be here ^^^^
put it into smtpd_data_restrictions, e.g.:
smtpd_data_restrictions = reject_unauth_pipelining, reject_multi_recipient_bounce
>+    reject_non_fqdn_recipient
this should go before every permit to be useful; it is not useful at all
after reject_unauth_destination.
>+    reject_non_fqdn_sender
I'd move it above the permits; if some script fails, fix it.
>+    reject_non_fqdn_hostname
Note 1: this restriction has been renamed to
reject_non_fqdn_helo_hostname
Note 2: I reckon it a bad idea; there are too many people unable to
properly configure their MTA to send an FQDN HELO
>+    reject_invalid_hostname
Note: this restriction has been renamed to
reject_non_fqdn_helo_hostname
>+    reject_unknown_recipient_domain
this one has no use after reject_unauth_destination
>+    reject_unknown_sender_domain
>+    reject_unknown_client
Note 1: this restriction has been renamed to
reject_unknown_client_hostname
Note 2: this is _very_ strong; it will do both reverse and forward NS
lookups and reject mail if they don't match. I have seen valid
setups that fail under this condition; it is better to graylist these

you are missing
reject_unlisted_recipient
which should be set up together with
local_recipient_maps
and
relay_recipient_maps
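
A small lint script for the ordering points raised above, added here as an example (it is not part of the reviewed puppet change or of Postfix); it treats the list from the diff as constructed input and encodes only the placement rules and the two renames given in this reply.

```python
import re

PERMITS = {"permit_mynetworks", "permit_sasl_authenticated", "permit"}  # end evaluation with "permit"
EARLY_REJECTS = {"reject_non_fqdn_recipient", "reject_non_fqdn_sender"}  # pointless after a permit
DATA_STAGE = {"reject_unauth_pipelining", "reject_multi_recipient_bounce"}  # belong in smtpd_data_restrictions
RENAMED = {  # old names quoted in the review -> current spelling
    "reject_non_fqdn_hostname": "reject_non_fqdn_helo_hostname",
    "reject_unknown_client": "reject_unknown_client_hostname",
}

def parse_restrictions(text):
    """Split a main.cf value (multi-line, possibly with '#' comment lines) into restriction names."""
    names = []
    for line in text.splitlines():
        line = re.sub(r"^\s*\w+\s*=", "", line).strip()  # drop a leading 'parameter =' prefix
        if not line or line.startswith("#"):  # skip lines such as '#    not done yet'
            continue
        names.extend(tok for tok in re.split(r"[,\s]+", line) if tok)
    return names

def lint_recipient_restrictions(text):
    """Return findings in list order; an empty list means no problem was found."""
    names = parse_restrictions(text)
    findings = []
    if "reject_unauth_destination" not in names:
        findings.append("missing reject_unauth_destination: this list makes an open relay")
    relay_check = names.index("reject_unauth_destination") if "reject_unauth_destination" in names else len(names)
    first_permit = next((i for i, n in enumerate(names) if n in PERMITS), len(names))
    for i, name in enumerate(names):
        if name in EARLY_REJECTS and i > first_permit:
            findings.append(f"{name}: placed after a permit, move it above the permits")
        if name == "reject_unknown_recipient_domain" and i > relay_check:
            findings.append(f"{name}: no effect after reject_unauth_destination")
        if name in DATA_STAGE:
            findings.append(f"{name}: move to smtpd_data_restrictions")
        if name in RENAMED:
            findings.append(f"{name}: renamed to {RENAMED[name]}")
    if "reject_unlisted_recipient" not in names:
        findings.append("missing reject_unlisted_recipient (with local_recipient_maps and relay_recipient_maps)")
    return findings

# Constructed copy of the value in the reviewed diff (not the live config).
REVIEWED = "\n".join([
    "smtpd_recipient_restrictions =", "#    not done yet", "#    permit_sasl_authenticated",
    "    permit_mynetworks", "    reject_unauth_destination", "    reject_unauth_pipelining",
    "    reject_non_fqdn_recipient", "    reject_non_fqdn_sender", "    reject_non_fqdn_hostname",
    "    reject_invalid_hostname", "    reject_unknown_recipient_domain",
    "    reject_unknown_sender_domain", "    reject_unknown_client"])

print("\n".join(lint_recipient_restrictions(REVIEWED)))
```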

I also have a number of possible additions; should I send those in?

L.

-- 
Luca Berra -- bluca at vodka.it
