Postfix relay problem

Stuart Sears stuart at sjsears.com
Sun Apr 29 18:58:55 UTC 2007



Luc MAIGNAN wrote:
> Thanks for your response :
You're welcome.
Luc, do me a favour and don't top-post to the list - it makes context
much harder to follow. For me, at least (before we start that particular
troll-fest again)
> 
> I've put in main.cf :
> 
> smtpd_helo_required = yes
which will only reject a few weird clients.

> smtpd_recipient_restrictions = reject_unknown_recipient_domain, 
> reject_unauth_destination

man 5 postconf will tell you that smtpd_recipient_restrictions
stops at the first matching restriction and that neither
reject_unknown_recipient_domain nor reject_unauth_destination match any
mail with sender-specified routing. If you have no blanket reject, they
will probably be permitted to relay.

AIUI your restrictions are not matching the email that you wish to
stop... this is probably due to 'sender-specified routing' as mentioned
above. This may be why it is getting through.

It is possible they are using the 'percent hack' to achieve this:
try setting
allow_percent_hack = no
in main.cf to disallow this.
(it's an old relaying trick. Postfix permits it by default)

so, have you tried finishing with a blanket reject rule?

smtpd_recipient_restrictions = permit_auth_destination, reject

Will allow users/hosts to send to your domains, but should reject
everything else (including the 'unknown destination' stuff)

The problem with this is allowing certain hosts to relay.
How is this mailserver intended to work? Is it simply a final
destination for email for your virtual domains? Or do you also have to
permit relaying from some users/hosts?


> Result of postconf -n is :
<snipped for my random commentary>
> manpage_directory = /usr/local/man
seriously? is this running on Fedora?

> mynetworks = 192.168.26.0/24, 192.168.62.0/24, 127.0.0.0/8
Incidentally IMHO there is no real reason to set mynetworks to anything
if you aren't using it in restrictions... (/me waits to be shot down on
that one.) My internet-facing server just has mynetworks_style=host and
mynetworks is not set at all. Works fine...
or you can just set it to the localhost address.

> mynetworks_style = host
/me likes using this

> relay_domains = mydomain1.com mydomain2.com mydomain3.com
so this is the parameter used by  reject_unauth_destination.


## original example for context:
>>>> 24BDEE7918: to=<donna at go4extreme.com>,
>>>> relay=smtp1.msp.securence.com[216.17.3.48]:25, delay=3.3,
>>>> delays=0.02/0.01/1.2/2.1, dsn=2.0.0, status=sent (250 OK, queued as
>>>> <20070429143657.24BDEE7918@
>>>>
>>>> How can I deny these mails, and deny use of another relay ?


--
Stuart Sears RHCA RHCSS PDF ODT DUI
"The PM's claims on this subject are not exactly lies, so much as
fact-free."
http://www.no2id.net/news/pressRelease/release.php?name=Blair_Fact-Free
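The three checks suggested in the reply above, written as a small audit over `postconf -n` style settings. This is an added example, not part of the original message or of Postfix; the function names are hypothetical, the sample input is constructed from the values quoted in the thread, and `mynetworks` is assumed to hold only CIDR literals.

```python
import ipaddress
import re

# Constructed sample: only the settings quoted in the thread, in main.cf layout.
SAMPLE = """\
smtpd_helo_required = yes
smtpd_recipient_restrictions = reject_unknown_recipient_domain,
    reject_unauth_destination
mynetworks = 192.168.26.0/24, 192.168.62.0/24, 127.0.0.0/8
mynetworks_style = host
relay_domains = mydomain1.com mydomain2.com mydomain3.com
"""

def parse_settings(text):
    """Parse 'name = value' lines; a line starting with whitespace continues the previous value."""
    settings, name = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and name:
            settings[name] += " " + line.strip()
        elif "=" in line:
            name, value = (part.strip() for part in line.split("=", 1))
            settings[name] = value
    return settings

def split_list(value):
    """Postfix list values are separated by commas and/or whitespace."""
    return [item for item in re.split(r"[,\s]+", value) if item]

def audit(settings):
    """Return findings for the three points raised in the reply."""
    findings = []
    rules = split_list(settings.get("smtpd_recipient_restrictions", ""))
    if not rules or rules[-1] != "reject":
        findings.append("smtpd_recipient_restrictions does not end with a blanket reject")
    if settings.get("allow_percent_hack", "").lower() != "no":
        findings.append("allow_percent_hack is not set to no")
    # Assumption: entries are CIDR literals (no lookup tables or file paths).
    wide = [n for n in split_list(settings.get("mynetworks", ""))
            if not ipaddress.ip_network(n, strict=False).is_loopback]
    if wide:
        findings.append("mynetworks lists non-loopback networks: " + ", ".join(wide))
    return findings

if __name__ == "__main__":
    for finding in audit(parse_settings(SAMPLE)):
        print("WARN:", finding)
```

In practice the text passed to `parse_settings` would be the saved output of `postconf -n` from the server being reviewed.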



