22 | office | 1 | ########################################################################### |
2 | ## Copyright (C) Wizardry and Steamworks 2012 - License: GNU GPLv3 ## |
||
3 | ## Please see: http://www.gnu.org/licenses/gpl.html for legal details, ## |
||
4 | ## rights of fair usage, the disclaimer and warranty conditions. ## |
||
5 | ########################################################################### |
||
6 | # Restrictions template for Postfix >= 2.10 # |
||
7 | ########################################################################### |
||
8 | # The general strategy is to accept anything from authenticated clients # |
||
# except where MAIL FROM is an address that the authenticated login does  #
# not own according to smtpd_sender_login_maps (prevents E-Mail spoofing) #
||
11 | # # |
||
# The terminology "restrictions that apply AT" (instead of "apply TO") is #
# used because some restrictions are evaluated before others in an SMTP   #
# session. NOTE: with the Postfix default smtpd_delay_reject = yes, the   #
# client, HELO and sender lists are not evaluated when those commands     #
# arrive but only once RCPT TO is received (the client sees the reject    #
# at RCPT TO and every list is evaluated with full session context).      #
||
# Requirements:                                                           #
# - The SMTP server MUST be configured with SASL authentication           #
#   (regardless whether through Dovecot, Cyrus SASL, etc...)              #
# - smtpd_sender_login_maps MUST map each SASL login name to the sender   #
#   addresses it owns: reject_authenticated_sender_login_mismatch is a    #
#   no-op without it and the anti-spoofing goal is silently missed.       #
||
18 | # # |
||
###### Session Example Illustrating the Application of Restrictions. ######
# telnet 192.168.0.2 25                                                   #
# Trying 192.168.0.2...                                                   #
# Connected to 192.168.0.2 (192.168.0.2).                                 #
# Escape character is '^]'.                                               #
# 220 mail.example.com ESMTP Postfix  # <-smtpd_client_restrictions (*)   #
# HELO mail.example.com               # <-smtpd_helo_restrictions (*)     #
# 250 mail.example.com                                                    #
# MAIL FROM:<ned@example.com>         # <-smtpd_sender_restrictions (*)   #
# 250 2.1.0 Ok                                                            #
# RCPT TO:<ned@example.com>           # <-smtpd_relay_restrictions, then  #
#                                     #   smtpd_recipient_restrictions    #
# 250 2.1.5 Ok                                                            #
# DATA                                # <-smtpd_data_restrictions         #
# 354 End data with <CR><LF>.<CR><LF>                                     #
# To:<ned@example.com>                # <-header_checks                   #
# From:<ned@example.com>                                                  #
# Subject:SMTP Test                                                       #
# This is a test message              # <-body_checks                     #
# .                                                                       #
# 250 2.0.0 Ok: queued as 301AE20034                                      #
# QUIT                                                                    #
# 221 2.0.0 Bye                                                           #
# Connection closed by foreign host.                                      #
# (*) Only when smtpd_delay_reject = no. With the Postfix default (yes)   #
#     these three lists are evaluated only once RCPT TO is received.      #
########### https://wiki.centos.org/HowTos/postfix_restrictions ###########
||
43 | |||
44 | ########################################################################### |
||
45 | # Restrictions that apply when a client connects. # |
||
46 | ########################################################################### |
||
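# NOTE: under the Postfix default smtpd_delay_reject = yes this list is only
# evaluated once RCPT TO arrives, so a rejection is returned to RCPT TO
# rather than at the 220 greeting.
smtpd_client_restrictions = permit_mynetworks,
    # Any user that is authenticated may send E-Mail regardless of the
    # connection or any restrictions that follow in this list.
    # (permit_mynetworks above likewise trusts everything in $mynetworks,
    # which this template does not set: keep it to the host's own
    # addresses.)
    permit_sasl_authenticated,
    # Only accept clients whose IP has a PTR record that resolves back to
    # the same IP (forward-confirmed reverse DNS). This is the strict
    # variant: any lookup failure or mismatch is refused (with 450 by
    # default, see unknown_client_reject_code), so mail from badly
    # configured but legitimate senders is lost as well.
    reject_unknown_client_hostname,
    # DNSBLs matching the client IP. zen.spamhaus.org is the union of
    # SBL, XBL (which already carries the former CBL data) and PBL, so
    # querying sbl/xbl/pbl/cbl separately only multiplied DNS traffic
    # without adding coverage. The =127.0.0.[2..11] qualifier (Postfix
    # >= 2.8) matches only the documented "listed" answers: Spamhaus
    # signals refused or over-quota queries (e.g. via open resolvers) with
    # 127.255.255.x, and an unqualified reject_rbl_client would treat that
    # answer as a listing and reject every client.
    reject_rbl_client zen.spamhaus.org=127.0.0.[2..11],
    reject_rbl_client bl.spamcop.net,
    permit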
||
61 | |||
62 | ########################################################################### |
||
63 | # Restrictions that apply at: HELO / EHLO # |
||
64 | ########################################################################### |
||
# smtpd_helo_required makes sending HELO / EHLO mandatory for clients.
# Without it a client can bypass every reject_*_helo_hostname check below
# simply by never sending HELO / EHLO (see postconf(5)).
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks,
    # Any HELO / EHLO will be accepted from any authenticated client
    # regardless of any rules that follow.
    permit_sasl_authenticated,
    # These checks have to be performed after permitting SASL
    # authenticated clients since the strategy of this template is to
    # always accept from authenticated clients.
    # Reject HELO names that are not fully qualified or are malformed;
    # both are syntax checks and need no DNS lookup.
    reject_non_fqdn_helo_hostname,
    reject_invalid_helo_hostname,
    # reject_unknown_helo_hostname (DNS lookup of the HELO name) is
    # disabled because a client may send an HELO / EHLO with the
    # hostname of the computer where the E-Mail originates and although
    # that hostname may be valid on the local LAN of the client, the
    # hostname may be an invalid hostname on the WAN.
    # reject_unknown_helo_hostname,
    # Major RBLs matching the HELO / EHLO domain name (RHSBL lookup).
    reject_rhsbl_helo dbl.spamhaus.org,
    permit
||
84 | |||
85 | ########################################################################### |
||
86 | # Restrictions that apply at: MAIL FROM # |
||
87 | ########################################################################### |
||
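smtpd_sender_restrictions = permit_mynetworks,
    # Anti-spoofing: an authenticated client may only use a MAIL FROM it
    # owns according to smtpd_sender_login_maps (login name -> addresses).
    # This MUST precede permit_sasl_authenticated: the first permit_* or
    # reject_* that matches ends evaluation of the list, so placed after
    # it the check is never reached for authenticated clients and the
    # spoofing scenario below is NOT prevented. The restriction is also a
    # no-op unless smtpd_sender_login_maps is configured.
    # Scenario prevented: I am joe@mail.tld, I authenticate as joe to the
    # mail-server at mail.tld, set MAIL FROM to sally@mail.tld and the
    # server accepts it.
    # Note: authenticated clients connecting from inside $mynetworks are
    # still exempt, because permit_mynetworks above matches first.
    reject_authenticated_sender_login_mismatch,
    # Any other authenticated client may send E-Mail.
    permit_sasl_authenticated,
    # Sender domain must be fully qualified and must resolve.
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    # Major RBLs matching sender.
    reject_rhsbl_sender dbl.spamhaus.org,
    permit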
||
101 | |||
###########################################################################
# Restrictions that apply at: RCPT TO (anti-relay, Postfix >= 2.10)       #
###########################################################################
# Evaluated at RCPT TO, before smtpd_recipient_restrictions. This is      #
# the dedicated anti-relay list introduced in Postfix 2.10, NOT a legacy  #
# setting: do not remove it. The reject_unauth_destination repeated in    #
# smtpd_recipient_restrictions below is a second line of defense.         #
###########################################################################
smtpd_relay_restrictions = permit_mynetworks,
    # Any authenticated user may use the server as a relay.
    permit_sasl_authenticated,
    # Refuse mail for destinations this server is neither the final nor
    # an authorised relay destination for (the open-relay check).
    reject_unauth_destination,
    permit
||
113 | |||
114 | ########################################################################### |
||
115 | # Restrictions that apply at: RCPT TO # |
||
116 | ########################################################################### |
||
smtpd_recipient_restrictions = permit_mynetworks,
    # An authenticated client may send E-Mail to any destination.
    permit_sasl_authenticated,
    # Anti-relay check, duplicated from smtpd_relay_restrictions so that
    # this list is safe on its own as well.
    reject_unauth_destination,
    # Recipient domain must resolve and be fully qualified.
    reject_unknown_recipient_domain,
    reject_non_fqdn_recipient,
    # Ask verify(8) whether the recipient address is deliverable and
    # refuse the mail if it is not. This is an active check, not just a
    # cache lookup: for an address not yet in the verify cache Postfix
    # sends a delivery probe to the destination and answers 450 until the
    # result is known (unverified_recipient_defer_code). Because
    # reject_unauth_destination runs first, probes only go to domains this
    # server accepts mail for.
    reject_unverified_recipient,
    permit
||
128 | |||
129 | ########################################################################### |
||
130 | # Restrictions that apply at: DATA (content body) # |
||
131 | ########################################################################### |
||
smtpd_data_restrictions = permit_mynetworks,
    # An authenticated client may send any content body.
    permit_sasl_authenticated,
    # Deliberate pause before the pipelining check so that a client which
    # blindly sends the message body without waiting for the 354 reply
    # has already done so when the check runs. Cost: every DATA command
    # from an unauthenticated, non-$mynetworks client ties up an smtpd(8)
    # process for 3 seconds; size the smtpd process limit and per-client
    # connection limits with that in mind.
    sleep 3,
    # Reject clients that send SMTP commands or content ahead of the
    # server reply where the protocol does not allow it.
    reject_unauth_pipelining,
    permit