Another sendmail relaying problem.
Cowles, Steve
steve at stevecowles.com
Mon Jun 28 15:04:52 UTC 2004
Travis Fraser wrote:
> Steve,
>
> If I might ask, what do you configure in main.cf to achieve what you
> described above?
>
> Travis Fraser
1) In main.cf I set the variable "mynetworks" to be:
mynetworks=192.168.8.0/22, 127.0.0.1
Note: The /22 is summarized to encompass my DMZ network, protected LAN and
stub (wireless) networks.
2) Then in /etc/postfix/access, I add a REJECT for each of my registered
domains:
mydomain.com REJECT You are not from mydomain.com
mydomain1.com REJECT You are not from mydomain1.com
Etc...
3) Then I define a very specific order for smtpd_recipient_restrictions:
smtpd_recipient_restrictions =
    permit_mynetworks
    permit_sasl_authenticated
    reject_unauth_destination
    [trim] More rejects....
    check_sender_access hash:/etc/postfix/access
    [trim] More rejects and call to spamassassin.
    permit
Note that permit_mynetworks is listed first, then authenticated users,
followed by a bunch of other postfix tests, then the check_sender_access
which references the /etc/mail/access file. The order in which these tests
are listed is critical. In short, I'm trying to save CPU cycles by:
1) Rejecting prior to the data portion of the e-mail. No bounces
2) Rejecting prior to postfix submitting to its queue. No bounces
3) Rejecting inbound e-mail before calling Spamassassin. No bounces
The header checks are even easier to implement, but BE CAREFUL. You might
want to set up a test system prior to implementing any of these tests on a
live server. In fact, I would recommend that you set up a test system before
implementing the mail from test listed above. With that in mind...
1) In main.cf, I add:
header_checks = regexp:/etc/postfix/header_checks
body_checks = regexp:/etc/postfix/body_checks
2) In /etc/postfix/header_checks
/^(From|Return-Path):.*[:<:](spamtrap@mydomain\.com)[:>:]/
    REJECT Forged sender address in $1: message header: $2
The above regexp would reject the following header from address (not the
mail from) like:
From: Steve Cowles <spamtrap@mydomain.com>
Return-Path: Steve Cowles <spamtrap@mydomain.com>
or
From: Byte Me <spamtrap@mydomain.com>
Note: If you're more comfortable using Perl regexp syntax, then you can
specify:
header_checks = pcre:/etc/postfix/header_checks.pcre
But I had to recompile postfix to support pcre syntax.
Good luck! And BE CAREFUL. What I'm showing is NOT for the newbie e-mail
admin to implement. One false move and you will start rejecting legitimate
e-mail when that was not your original intent.
Steve Cowles
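
The effect of the restriction ordering described in this message, as an added example that is not part of the original post: a simplified Python model (not Postfix's own logic) in which the first rule to return a verdict ends the evaluation. The client addresses, the `evaluate` helper, the swapped order and the assumption that the REJECT-listed domains are the only local destinations are all illustrative.

```python
import ipaddress

# Constructed model of the post's settings; not Postfix's real decision code.
MYNETWORKS = [ipaddress.ip_network(n) for n in ("192.168.8.0/22", "127.0.0.1/32")]
# Domains listed with REJECT in the sender access map. Assumption: they are
# also the only domains this server accepts mail for.
OWN_DOMAINS = {"mydomain.com", "mydomain1.com"}

ORDER_FROM_POST = ["permit_mynetworks", "permit_sasl_authenticated",
                   "reject_unauth_destination", "check_sender_access", "permit"]
# Hypothetical misordering: the sender check runs before the permits.
ORDER_SWAPPED = ["check_sender_access", "permit_mynetworks",
                 "permit_sasl_authenticated", "reject_unauth_destination", "permit"]

def domain(addr):
    return addr.rsplit("@", 1)[-1].lower()

def evaluate(order, client_ip, sasl_ok, mail_from, rcpt_to):
    """Return (verdict, deciding_rule); the first rule with a verdict wins."""
    ip = ipaddress.ip_address(client_ip)
    for rule in order:
        if rule == "permit_mynetworks" and any(ip in net for net in MYNETWORKS):
            return "PERMIT", rule
        if rule == "permit_sasl_authenticated" and sasl_ok:
            return "PERMIT", rule
        if rule == "reject_unauth_destination" and domain(rcpt_to) not in OWN_DOMAINS:
            return "REJECT", rule
        # Exact domain match only; a no-match falls through to the next rule.
        if rule == "check_sender_access" and domain(mail_from) in OWN_DOMAINS:
            return "REJECT", rule
        if rule == "permit":
            return "PERMIT", rule
    return "PERMIT", "end_of_list"

if __name__ == "__main__":
    cases = [  # (client_ip, sasl_ok, MAIL FROM, RCPT TO), all constructed
        ("192.168.10.5", False, "alice@mydomain.com", "bob@example.org"),
        ("203.0.113.7", True, "alice@mydomain.com", "bob@example.org"),
        ("203.0.113.7", False, "alice@mydomain.com", "carol@mydomain.com"),
        ("203.0.113.7", False, "dave@example.org", "carol@mydomain.com"),
        ("203.0.113.7", False, "dave@example.org", "erin@example.net"),
    ]
    for case in cases:
        print(case, "->", evaluate(ORDER_FROM_POST, *case),
              "| swapped:", evaluate(ORDER_SWAPPED, *case))
```

With the swapped order, the first two cases (an internal client and an authenticated user sending as their own domain) are rejected by the sender check, which is the false-reject risk the ordering avoids.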