| /postfix/2.10/postfix_restrictions.cf |
|---|
| @@ -0,0 +1,137 @@ |
|---|
| ########################################################################### |
| ## Copyright (C) Wizardry and Steamworks 2012 - License: GNU GPLv3 ## |
| ## Please see: http://www.gnu.org/licenses/gpl.html for legal details, ## |
| ## rights of fair usage, the disclaimer and warranty conditions. ## |
| ########################################################################### |
| # Restrictions template for Postfix >= 2.10 # |
| ########################################################################### |
| # The general strategy is to accept anything from authenticated clients # |
| # except cases where MAIL FROM is set to a client other than the given # |
| # authenticated client (in the latter case, to prevent E-Mail spoofing) # |
| # # |
| # The terminology "restrictions that apply AT" (instead of "apply TO") is # |
| # used due to some restrictions proceeding others during an SMTP session. # |
| # # |
| # Requirements: # |
| # - The SMTP server MUST be configured with SASL authentication # |
| # (regardless whether through Dovecot, Cyrus SASL, etc...) # |
| # # |
| ###### Session Example Illustrating the Application of Restrictions. ###### |
| # telnet 192.168.0.2 25 # |
| # Trying 192.168.0.2... # |
| # Connected to 192.168.0.2 (192.168.0.2). # |
| # Escape character is '^]'. # |
| # 220 mail.example.com ESMTP Postfix # <-smtp_client_restrictions # |
| # HELO mail.example.com # <-smtp_helo_restrictions # |
| # 250 mail.example.com # |
| # MAIL FROM:<ned@example.com> # <-smtp_sender_restrictions # |
| # 250 2.1.0 Ok # |
| # RCPT TO:<ned@example.com> # <-smtp_recipient_restrictions # |
| # 250 2.1.5 Ok # |
| # DATA # <-smtp_data_restrictions # |
| # 354 End data with <CR><LF>.<CR><LF> # |
| # To:<ned@example.com> # <-header_checks # |
| # From:<ned@example.com> # |
| # Subject:SMTP Test # |
| # This is a test message # <-body_checks # |
| # . # |
| # 250 2.0.0 Ok: queued as 301AE20034 # |
| # QUIT # |
| # 221 2.0.0 Bye # |
| # Connection closed by foreign host. # |
| ########### https://wiki.centos.org/HowTos/postfix_restrictions ########### |
| |
| ########################################################################### |
| # Restrictions that apply when a client connects. # |
| ########################################################################### |
| smtpd_client_restrictions = permit_mynetworks, |
| # Any user that is authenticated may send E-Mail regardless the |
| # connection or any restrictions that follow. |
| permit_sasl_authenticated, |
| # Only accept connections with proper hostname to IP (reverse) DNS. |
| reject_unknown_client_hostname, |
| # Major RBLs matching clients. |
| reject_rbl_client sbl.spamhaus.org, |
| reject_rbl_client zen.spamhaus.org, |
| reject_rbl_client xbl.spamhaus.org, |
| reject_rbl_client pbl.spamhaus.org, |
| reject_rbl_client cbl.abuseat.org, |
| reject_rbl_client bl.spamcop.net, |
| permit |
| |
| ########################################################################### |
| # Restrictions that apply at: HELO / EHLO # |
| ########################################################################### |
| # smtpd_helo_required makes sending HELo / EHLO mandatory for clients |
| smtpd_helo_required = yes |
| smtpd_helo_restrictions = permit_mynetworks, |
| # Any HELO / EHLO will be accepted from any authenticated client |
| # regardless of any rules that follow. |
| permit_sasl_authenticated, |
| # These checks have to be performed after permitting SASL |
| # authenticated clients since the strategy of this template is to |
| # always accept from authenticated clients. |
| reject_non_fqdn_helo_hostname, |
| reject_invalid_helo_hostname, |
| # This is disabled because a client may send an HELO / EHLO with the |
| # hostname of the computer where the E-Mail originates and although |
| # that hostname may be valid on the local LAN of the client, the |
| # hostname may be an invalid hostname on the WAN. |
| # reject_unknown_helo_hostname, |
| # Major RBLs matching HELO / EHLO. |
| reject_rhsbl_helo dbl.spamhaus.org, |
| permit |
| |
| ########################################################################### |
| # Restrictions that apply at: MAIL FROM # |
| ########################################################################### |
| smtpd_sender_restrictions = permit_mynetworks, |
| # Any authenticated client may send E-Mail (with the next exception) |
| permit_sasl_authenticated, |
| # This restriction prevents the following scenario: |
| # I am joe@mail.tld, I authenticate as joe to the mail-server at |
| # mail.tld and set the MAIL FROM to sally@mail.tld and the server |
| # accepts it. |
| reject_authenticated_sender_login_mismatch, |
| reject_non_fqdn_sender, |
| reject_unknown_sender_domain, |
| # Major RBLs matching sender. |
| reject_rhsbl_sender dbl.spamhaus.org, |
| permit |
| |
| ########################################################################### |
| # Restrictions that apply before: RCPT TO # |
| ########################################################################### |
| # Legacy restrictions used for older Postfix versions and an possibly be # |
| # omitted altogether since smtpd_recipient_restrictions will apply. # |
| ########################################################################### |
| smtpd_relay_restrictions = permit_mynetworks, |
| # Any authenticated user may use the server as a relay. |
| permit_sasl_authenticated, |
| reject_unauth_destination, |
| permit |
| |
| ########################################################################### |
| # Restrictions that apply at: RCPT TO # |
| ########################################################################### |
| smtpd_recipient_restrictions = permit_mynetworks, |
| # An authenticated client may send E-Mail to any destination. |
| permit_sasl_authenticated, |
| reject_unauth_destination, |
| reject_unknown_recipient_domain, |
| reject_non_fqdn_recipient, |
| # In case it is already known (Postfix - verify) that the |
| # destination (recipient) of an E-Mail is unreachable, then do not |
| # accept the E-Mail in the first place. |
| reject_unverified_recipient, |
| permit |
| |
| ########################################################################### |
| # Restrictions that apply at: DATA (content body) # |
| ########################################################################### |
| smtpd_data_restrictions = permit_mynetworks, |
| # An authenticated client may send any content body. |
| permit_sasl_authenticated, |
| sleep 3, |
| reject_unauth_pipelining, |
| permit |
