configuration-templates – Blame information for rev 22
?pathlinks?
| Rev | Author | Line No. | Line |
|---|---|---|---|
| 22 | office | 1 | ########################################################################### |
| 2 | ## Copyright (C) Wizardry and Steamworks 2012 - License: GNU GPLv3 ## |
||
| 3 | ## Please see: http://www.gnu.org/licenses/gpl.html for legal details, ## |
||
| 4 | ## rights of fair usage, the disclaimer and warranty conditions. ## |
||
| 5 | ########################################################################### |
||
| 6 | # Restrictions template for Postfix >= 2.10 # |
||
| 7 | ########################################################################### |
||
| 8 | # The general strategy is to accept anything from authenticated clients # |
||
| 9 | # except cases where MAIL FROM is set to a client other than the given # |
||
| 10 | # authenticated client (in the latter case, to prevent E-Mail spoofing) # |
||
| 11 | # # |
||
| 12 | # The terminology "restrictions that apply AT" (instead of "apply TO") is # |
||
| 13 | # used due to some restrictions proceeding others during an SMTP session. # |
||
| 14 | # # |
||
| 15 | # Requirements: # |
||
| 16 | # - The SMTP server MUST be configured with SASL authentication # |
||
| 17 | # (regardless whether through Dovecot, Cyrus SASL, etc...) # |
||
| 18 | # # |
||
| 19 | ###### Session Example Illustrating the Application of Restrictions. ###### |
||
| 20 | # telnet 192.168.0.2 25 # |
||
| 21 | # Trying 192.168.0.2... # |
||
| 22 | # Connected to 192.168.0.2 (192.168.0.2). # |
||
| 23 | # Escape character is '^]'. # |
||
| 24 | # 220 mail.example.com ESMTP Postfix # <-smtp_client_restrictions # |
||
| 25 | # HELO mail.example.com # <-smtp_helo_restrictions # |
||
| 26 | # 250 mail.example.com # |
||
| 27 | # MAIL FROM:<ned@example.com> # <-smtp_sender_restrictions # |
||
| 28 | # 250 2.1.0 Ok # |
||
| 29 | # RCPT TO:<ned@example.com> # <-smtp_recipient_restrictions # |
||
| 30 | # 250 2.1.5 Ok # |
||
| 31 | # DATA # <-smtp_data_restrictions # |
||
| 32 | # 354 End data with <CR><LF>.<CR><LF> # |
||
| 33 | # To:<ned@example.com> # <-header_checks # |
||
| 34 | # From:<ned@example.com> # |
||
| 35 | # Subject:SMTP Test # |
||
| 36 | # This is a test message # <-body_checks # |
||
| 37 | # . # |
||
| 38 | # 250 2.0.0 Ok: queued as 301AE20034 # |
||
| 39 | # QUIT # |
||
| 40 | # 221 2.0.0 Bye # |
||
| 41 | # Connection closed by foreign host. # |
||
| 42 | ########### https://wiki.centos.org/HowTos/postfix_restrictions ########### |
||
| 43 | |||
| 44 | ########################################################################### |
||
| 45 | # Restrictions that apply when a client connects. # |
||
| 46 | ########################################################################### |
||
| 47 | smtpd_client_restrictions = permit_mynetworks, |
||
| 48 | # Any user that is authenticated may send E-Mail regardless the |
||
| 49 | # connection or any restrictions that follow. |
||
| 50 | permit_sasl_authenticated, |
||
| 51 | # Only accept connections with proper hostname to IP (reverse) DNS. |
||
| 52 | reject_unknown_client_hostname, |
||
| 53 | # Major RBLs matching clients. |
||
| 54 | reject_rbl_client sbl.spamhaus.org, |
||
| 55 | reject_rbl_client zen.spamhaus.org, |
||
| 56 | reject_rbl_client xbl.spamhaus.org, |
||
| 57 | reject_rbl_client pbl.spamhaus.org, |
||
| 58 | reject_rbl_client cbl.abuseat.org, |
||
| 59 | reject_rbl_client bl.spamcop.net, |
||
| 60 | permit |
||
| 61 | |||
| 62 | ########################################################################### |
||
| 63 | # Restrictions that apply at: HELO / EHLO # |
||
| 64 | ########################################################################### |
||
| 65 | # smtpd_helo_required makes sending HELo / EHLO mandatory for clients |
||
| 66 | smtpd_helo_required = yes |
||
| 67 | smtpd_helo_restrictions = permit_mynetworks, |
||
| 68 | # Any HELO / EHLO will be accepted from any authenticated client |
||
| 69 | # regardless of any rules that follow. |
||
| 70 | permit_sasl_authenticated, |
||
| 71 | # These checks have to be performed after permitting SASL |
||
| 72 | # authenticated clients since the strategy of this template is to |
||
| 73 | # always accept from authenticated clients. |
||
| 74 | reject_non_fqdn_helo_hostname, |
||
| 75 | reject_invalid_helo_hostname, |
||
| 76 | # This is disabled because a client may send an HELO / EHLO with the |
||
| 77 | # hostname of the computer where the E-Mail originates and although |
||
| 78 | # that hostname may be valid on the local LAN of the client, the |
||
| 79 | # hostname may be an invalid hostname on the WAN. |
||
| 80 | # reject_unknown_helo_hostname, |
||
| 81 | # Major RBLs matching HELO / EHLO. |
||
| 82 | reject_rhsbl_helo dbl.spamhaus.org, |
||
| 83 | permit |
||
| 84 | |||
| 85 | ########################################################################### |
||
| 86 | # Restrictions that apply at: MAIL FROM # |
||
| 87 | ########################################################################### |
||
| 88 | smtpd_sender_restrictions = permit_mynetworks, |
||
| 89 | # Any authenticated client may send E-Mail (with the next exception) |
||
| 90 | permit_sasl_authenticated, |
||
| 91 | # This restriction prevents the following scenario: |
||
| 92 | # I am joe@mail.tld, I authenticate as joe to the mail-server at |
||
| 93 | # mail.tld and set the MAIL FROM to sally@mail.tld and the server |
||
| 94 | # accepts it. |
||
| 95 | reject_authenticated_sender_login_mismatch, |
||
| 96 | reject_non_fqdn_sender, |
||
| 97 | reject_unknown_sender_domain, |
||
| 98 | # Major RBLs matching sender. |
||
| 99 | reject_rhsbl_sender dbl.spamhaus.org, |
||
| 100 | permit |
||
| 101 | |||
| 102 | ########################################################################### |
||
| 103 | # Restrictions that apply before: RCPT TO # |
||
| 104 | ########################################################################### |
||
| 105 | # Legacy restrictions used for older Postfix versions and an possibly be # |
||
| 106 | # omitted altogether since smtpd_recipient_restrictions will apply. # |
||
| 107 | ########################################################################### |
||
| 108 | smtpd_relay_restrictions = permit_mynetworks, |
||
| 109 | # Any authenticated user may use the server as a relay. |
||
| 110 | permit_sasl_authenticated, |
||
| 111 | reject_unauth_destination, |
||
| 112 | permit |
||
| 113 | |||
| 114 | ########################################################################### |
||
| 115 | # Restrictions that apply at: RCPT TO # |
||
| 116 | ########################################################################### |
||
| 117 | smtpd_recipient_restrictions = permit_mynetworks, |
||
| 118 | # An authenticated client may send E-Mail to any destination. |
||
| 119 | permit_sasl_authenticated, |
||
| 120 | reject_unauth_destination, |
||
| 121 | reject_unknown_recipient_domain, |
||
| 122 | reject_non_fqdn_recipient, |
||
| 123 | # In case it is already known (Postfix - verify) that the |
||
| 124 | # destination (recipient) of an E-Mail is unreachable, then do not |
||
| 125 | # accept the E-Mail in the first place. |
||
| 126 | reject_unverified_recipient, |
||
| 127 | permit |
||
| 128 | |||
| 129 | ########################################################################### |
||
| 130 | # Restrictions that apply at: DATA (content body) # |
||
| 131 | ########################################################################### |
||
| 132 | smtpd_data_restrictions = permit_mynetworks, |
||
| 133 | # An authenticated client may send any content body. |
||
| 134 | permit_sasl_authenticated, |
||
| 135 | sleep 3, |
||
| 136 | reject_unauth_pipelining, |
||
| 137 | permit |