Another sendmail relaying problem.
Travis Fraser
travis at snowpatch.net
Mon Jun 28 23:01:29 UTC 2004
On Mon, 2004-06-28 at 11:04, Cowles, Steve wrote:
> Travis Fraser wrote:
> > Steve,
> >
> > If I might ask, what do you configure in main.cf to achieve what you
> > described above?
> >
> > Travis Fraser
>
> 1) In main.cf I set the variable "mynetworks" to be:
>
> mynetworks=192.168.8.0/22, 127.0.0.1
>
> Note: The /22 is summarized to encompass my DMZ network, protected LAN and
> stub (wireless) networks.
>
> 2) Then in /etc/postfix/access, I add a REJECT for each of my registered
> domains:
>
> mydomain.com REJECT You are not from mydomain.com
> mydomain1.com REJECT You are not from mydomain1.com
> Etc...
>
> 3) Then I define a very specific order for smtpd_recipient_restrictions:
>
> smtpd_recipient_restrictions =
>     permit_mynetworks
>     permit_sasl_authenticated
>     reject_unauth_destination
>     [trim] More rejects....
>     check_sender_access hash:/etc/postfix/access
>     [trim] More rejects and call to spamassassin.
>     permit
>
> Note that permit_mynetworks is listed first, then authenticated users,
> followed by a bunch of other postfix tests, then the check_sender_access
> which references the /etc/mail/access file. The order in which these tests
> are listed is critical. In short, I'm trying to save CPU cycles by:
>
> 1) Rejecting prior to the data portion of the e-mail. No bounces
> 2) Reject prior to postfix submitting to its queue. No bounces
> 3) Rejecting inbound e-mail before calling Spamassassin. No bounces
>
> The header checks are even easier to implement, but BE CAREFUL. You might
> want to set up a test system prior to implementing any of these tests on a
> live server. In fact, I would recommend that you set up a test system before
> implementing the mail from test listed above. With that in mind...
>
> 1) In main.cf, I add:
> header_checks = regexp:/etc/postfix/header_checks
> body_checks = regexp:/etc/postfix/body_checks
>
> 2) In /etc/postfix/header_checks
>
> /^(From|Return-Path):.*[:<:](spamtrap at mydomain\.com)[:>:]/
>     REJECT Forged sender address in $1: message header: $2
>
> The above regexp would reject the following header from address (not the
> mail from) like:
>
> From: Steve Cowles <spamtrap at mydomain.com>
> Return-Path: Steve Cowles <spamtrap at mydomain.com>
> or
> From: Byte Me <spamtrap at mydomain.com>
>
> Note: If you're more comfortable using perl regexp syntax, then you can
> specify:
> header_checks = pcre:/etc/postfix/header_checks.pcre
>
> But I had to recompile postfix to support pcre syntax.
>
> Good luck! And BE CAREFUL. What I'm showing is NOT for the newbie e-mail
> admin to implement. One false move and you will start rejecting legitimate
> e-mail when that was not your original intent.
>
> Steve Cowles
>
Thank you for the smtpd_recipient_restrictions information. I have been
using Postfix on a test network first, as you suggest.
As far as implementing SpamAssassin with Postfix, I was looking at
Mailscanner or amavisd-new. Do you have a simpler suggestion for calling
SA from within the recipient_restrictions checks?
Thanks,
Travis Fraser
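
An added example, not part of the original messages and not Postfix code: a small Python model of the first-match evaluation of the quoted smtpd_recipient_restrictions list, showing why the order matters. The session fields, LOCAL_DOMAINS, the exact-domain table lookup and the relay reject text are simplifying assumptions; the "[trim]" entries are left out.

```python
import ipaddress

# Values taken from the quoted main.cf and /etc/postfix/access.
MYNETWORKS = [ipaddress.ip_network(n) for n in ("192.168.8.0/22", "127.0.0.1/32")]
SENDER_ACCESS = {
    "mydomain.com": "REJECT You are not from mydomain.com",
    "mydomain1.com": "REJECT You are not from mydomain1.com",
}
# Assumption: the domains this server is the final destination for.
LOCAL_DOMAINS = {"mydomain.com", "mydomain1.com"}

def domain_of(address):
    return address.rsplit("@", 1)[-1].lower()

def permit_mynetworks(s):
    ip = ipaddress.ip_address(s["client_ip"])
    return "permit" if any(ip in net for net in MYNETWORKS) else None

def permit_sasl_authenticated(s):
    return "permit" if s.get("sasl_user") else None

def reject_unauth_destination(s):
    # Simplified: only mail for local domains is accepted from strangers.
    if domain_of(s["rcpt_to"]) in LOCAL_DOMAINS:
        return None
    return "REJECT Relay access denied"

def check_sender_access(s):
    # Simplified: exact match on the envelope sender (MAIL FROM) domain.
    return SENDER_ACCESS.get(domain_of(s["mail_from"]))

RESTRICTIONS = [permit_mynetworks, permit_sasl_authenticated,
                reject_unauth_destination, check_sender_access]

def evaluate(session, restrictions=RESTRICTIONS):
    """Return (deciding rule, result); the first non-None result wins."""
    for check in restrictions:
        result = check(session)
        if result is not None:
            return check.__name__, result
    return "permit", "permit"  # the trailing 'permit' in the list

if __name__ == "__main__":
    # Constructed sessions: an inside client, then an outside client
    # claiming a sender address in one of the protected domains.
    inside = {"client_ip": "192.168.11.200", "mail_from": "user@mydomain.com",
              "rcpt_to": "someone@example.org"}
    forged = dict(inside, client_ip="203.0.113.7", rcpt_to="user@mydomain.com")
    print(evaluate(inside))
    print(evaluate(forged))
```

Moving check_sender_access ahead of permit_mynetworks in this model rejects the site's own users, which is the false-reject risk the quoted message warns about.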