Another sendmail relaying problem.

Travis Fraser travis at snowpatch.net
Mon Jun 28 23:01:29 UTC 2004


On Mon, 2004-06-28 at 11:04, Cowles, Steve wrote:
> Travis Fraser wrote:
> > Steve,
> > 
> > If I might ask, what do you configure in main.cf to achieve what you
> > described above?
> > 
> > Travis Fraser
> 
> 1) In main.cf I set the variable "mynetworks" to be:
> 
> mynetworks=192.168.8.0/22, 127.0.0.1
> 
> Note: The /22 is summarized to encompass my DMZ network, protected LAN and
> stub (wireless) networks.
> 
> 2) Then in /etc/postfix/access, I add a REJECT for each of my registered
> domains:
> 
> mydomain.com	REJECT   You are not from mydomain.com
> mydomain1.com	REJECT   You are not from mydomain1.com
> Etc...
> 
> 3) Then I define a very specific order for smtpd_recipient_restrictions:
> 
> smtpd_recipient_restrictions =
>   permit_mynetworks
>   permit_sasl_authenticated
>   reject_unauth_destination
> [trim] More rejects....
>   check_sender_access hash:/etc/postfix/access
> [trim] More rejects and call to spamassassin.
>   permit
> 
> Note that permit_mynetworks is listed first, then authenticated users,
> followed by a bunch of other postfix tests, then the check_sender_access
> which references the /etc/mail/access file. The order in which these tests
> are listed is critical. In short, I'm trying to save CPU cycles by:
> 
> 1) Rejecting prior to the data portion of the e-mail. No bounces
> 2) Reject prior to postfix submitting to its queue. No bounces
> 3) Rejecting inbound e-mail before calling Spamassassin. No bounces
> 
> The header checks are even easier to implement, but BE CAREFUL. You might
> want to set up a test system prior to implementing any of these tests on a
> live server. In fact, I would recommend that you set up a test system before
> implementing the mail from test listed above. With that in mind...
> 
> 1) In main.cf, I add:
> header_checks = regexp:/etc/postfix/header_checks
> body_checks = regexp:/etc/postfix/body_checks
> 
> 2) In /etc/postfix/header_checks
> 
> /^(From|Return-Path):.*[:<:](spamtrap at mydomain\.com)[:>:]/
>        REJECT Forged sender address in $1: message header: $2
> 
> The above regexp would reject the following header from address (not the
> mail from) like:
> 
> From: Steve Cowles <spamtrap at mydomain.com>
> Return-Path: Steve Cowles <spamtrap at mydomain.com>
>    or
> From: Byte Me <spamtrap at mydomain.com>
> 
> Note: If you're more comfortable using perl regexp syntax, then you can
> specify:
> header_checks = pcre:/etc/postfix/header_checks.pcre
> 
> But I had to recompile postfix to support pcre syntax.
> 
> Good luck! And BE CAREFUL. What I'm showing is NOT for the newbie e-mail
> admin to implement. One false move and you will start rejecting legitimate
> e-mail when that was not your original intent.
> 
> Steve Cowles
> 
Thank you for the smtpd_recipient_restrictions information. I have been
using Postfix on a test network first, as you suggest.

As far as implementing SpamAssassin with Postfix, I was looking at
Mailscanner or amavisd-new. Do you have a simpler suggestion for calling
SA from within the recipient_restrictions checks?

Thanks,
Travis Fraser
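
The restriction ordering described in the quoted message, modelled in Python as an added example that is not part of the original thread: it walks a session through the list and stops at the first restriction that returns a verdict, which shows why permit_mynetworks has to come before the sender check. The function bodies, session fields and sample addresses are constructed here, and the destination and sender lookups are simplified to exact domain matches rather than Postfix's full lookup rules.

```python
import ipaddress

# Constructed stand-ins for the quoted main.cf and /etc/postfix/access values.
MYNETWORKS = [ipaddress.ip_network(n) for n in ("192.168.8.0/22", "127.0.0.1")]
LOCAL_DOMAINS = {"mydomain.com", "mydomain1.com"}      # domains we accept mail for
SENDER_ACCESS = {d: "REJECT" for d in LOCAL_DOMAINS}   # access map entries

def domain(addr):
    return addr.rpartition("@")[2].lower()

# Each restriction returns PERMIT, REJECT, or DUNNO (no opinion, keep going).
def permit_mynetworks(s):
    ip = ipaddress.ip_address(s["client"])
    return "PERMIT" if any(ip in net for net in MYNETWORKS) else "DUNNO"

def permit_sasl_authenticated(s):
    return "PERMIT" if s.get("sasl_user") else "DUNNO"

def reject_unauth_destination(s):
    # Simplified: only mail addressed to our own domains is an authorized destination.
    return "DUNNO" if domain(s["rcpt"]) in LOCAL_DOMAINS else "REJECT"

def check_sender_access(s):
    # Simplified: exact sender-domain lookup only.
    return SENDER_ACCESS.get(domain(s["sender"]), "DUNNO")

def permit(s):
    return "PERMIT"

QUOTED_ORDER = [permit_mynetworks, permit_sasl_authenticated,
                reject_unauth_destination, check_sender_access, permit]

def evaluate(session, restrictions=QUOTED_ORDER):
    """Return (verdict, deciding restriction); the first non-DUNNO result wins."""
    for restriction in restrictions:
        verdict = restriction(session)
        if verdict != "DUNNO":
            return verdict, restriction.__name__
    return "PERMIT", "end_of_list"

# Constructed sessions (203.0.113.7 is a documentation address).
lan_user = {"client": "192.168.9.20", "sender": "steve@mydomain.com", "rcpt": "a@example.org"}
forged = {"client": "203.0.113.7", "sender": "steve@mydomain.com", "rcpt": "steve@mydomain.com"}
inbound = {"client": "203.0.113.7", "sender": "a@example.org", "rcpt": "steve@mydomain.com"}

if __name__ == "__main__":
    for name, s in (("lan_user", lan_user), ("forged", forged), ("inbound", inbound)):
        print(name, evaluate(s))
    # Moving the sender check ahead of permit_mynetworks rejects the site's own users.
    print("misordered lan_user", evaluate(lan_user, [check_sender_access] + QUOTED_ORDER))
```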




