Another sendmail relaying problem.

Cowles, Steve steve at stevecowles.com
Mon Jun 28 15:04:52 UTC 2004


Travis Fraser wrote:
> Steve,
> 
> If I might ask, what do you configure in main.cf to achieve what you
> described above?
> 
> Travis Fraser

1) In main.cf I set the variable "mynetworks" to be:

mynetworks=192.168.8.0/22, 127.0.0.1

Note: The /22 is summarized to encompass my DMZ network, protected LAN and
stub (wireless) networks.

2) Then in /etc/postfix/access, I add a REJECT for each of my registered
domains:

mydomain.com	REJECT   You are not from mydomain.com
mydomain1.com	REJECT   You are not from mydomain1.com
Etc...

3) Then I define a very specific order for smtpd_recipient_restrictions:

smtpd_recipient_restrictions =
  permit_mynetworks
  permit_sasl_authenticated
  reject_unauth_destination
[trim] More rejects....
  check_sender_access hash:/etc/postfix/access
[trim] More rejects and call to spamassassin.
  permit

Note that permit_mynetworks is listed first, then authenticated users,
followed by a bunch of other postfix tests, then the check_sender_access
which references the /etc/mail/access file. The order in which these tests
are listed is critical. In short, I'm trying to save CPU cycles by:

1) Rejecting prior to the data portion of the e-mail. No bounces
2) Reject prior to postfix submitting to its queue. No bounces
3) Rejecting inbound e-mail before calling Spamassassin. No bounces

The header checks are even easier to implement, but BE CAREFUL. You might
want to set up a test system prior to implementing any of these tests on a
live server. In fact, I would recommend that you set up a test system before
implementing the mail from test listed above. With that in mind...

1) In main.cf, I add:
header_checks = regexp:/etc/postfix/header_checks
body_checks = regexp:/etc/postfix/body_checks

2) In /etc/postfix/header_checks

/^(From|Return-Path):.*[:<:](spamtrap@mydomain\.com)[:>:]/
       REJECT Forged sender address in $1: message header: $2

The above regexp would reject the following header from address (not the
mail from) like:

From: Steve Cowles <spamtrap@mydomain.com>
Return-Path: Steve Cowles <spamtrap@mydomain.com>
   or
From: Byte Me <spamtrap@mydomain.com>

Note: If you're more comfortable using perl regexp syntax, then you can
specify:
header_checks = pcre:/etc/postfix/header_checks.pcre

But I had to recompile postfix to support pcre syntax.

Good luck! And BE CAREFUL. What I'm showing is NOT for the newbie e-mail
admin to implement. One false move and you will start rejecting legitimate
e-mail when that was not your original intent.

Steve Cowles
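
Added illustration, not part of the original post and not Postfix code: a simplified Python model of the first-match evaluation of the smtpd_recipient_restrictions list above, showing why the order matters. It assumes mydomain.com and mydomain1.com are the server's local destinations and that the access map is looked up by sender domain only; the sample sessions are constructed.

```python
import ipaddress

# Values from the post; LOCAL_DOMAINS as final destinations is an assumption.
MYNETWORKS = [ipaddress.ip_network(n) for n in ("192.168.8.0/22", "127.0.0.1")]
LOCAL_DOMAINS = {"mydomain.com", "mydomain1.com"}
SENDER_ACCESS = {d: f"REJECT You are not from {d}" for d in LOCAL_DOMAINS}

def domain(addr):
    return addr.rsplit("@", 1)[-1].lower()

# Each restriction returns a verdict string, or None (no decision, try the next).
def permit_mynetworks(s):
    ip = ipaddress.ip_address(s["client"])
    return "PERMIT" if any(ip in net for net in MYNETWORKS) else None

def permit_sasl_authenticated(s):
    return "PERMIT" if s.get("sasl_user") else None

def reject_unauth_destination(s):
    return None if domain(s["rcpt"]) in LOCAL_DOMAINS else "REJECT Relay access denied"

def check_sender_access(s):
    # Simplification: domain-only lookup of the envelope sender.
    return SENDER_ACCESS.get(domain(s["sender"]))

def permit(s):
    return "PERMIT"

POSTED_ORDER = [permit_mynetworks, permit_sasl_authenticated,
                reject_unauth_destination, check_sender_access, permit]

def evaluate(session, restrictions=POSTED_ORDER):
    """Return (deciding restriction, verdict); the first decision wins."""
    for restriction in restrictions:
        verdict = restriction(session)
        if verdict:
            return restriction.__name__, verdict
    return "end of list", "PERMIT"

# Constructed sample sessions (client IP, envelope sender, recipient).
LAN = {"client": "192.168.9.20", "sender": "steve@mydomain.com", "rcpt": "bob@example.org"}
FORGED = {"client": "203.0.113.7", "sender": "steve@mydomain.com", "rcpt": "steve@mydomain.com"}
ROAMING = dict(FORGED, sasl_user="steve", rcpt="bob@example.org")
RELAY = {"client": "203.0.113.7", "sender": "a@example.org", "rcpt": "b@example.net"}
INBOUND = {"client": "203.0.113.7", "sender": "a@example.org", "rcpt": "steve@mydomain.com"}

if __name__ == "__main__":
    for name, s in [("LAN", LAN), ("FORGED", FORGED), ("ROAMING", ROAMING),
                    ("RELAY", RELAY), ("INBOUND", INBOUND)]:
        print(name, *evaluate(s))
    # Moving check_sender_access to the front rejects the site's own LAN users.
    print("LAN, misordered:", *evaluate(LAN, [check_sender_access] + POSTED_ORDER))
```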




