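--- a/postfix/2.10/postfix_restrictions.cf
+++ b/postfix/2.10/postfix_restrictions.cf
@@ -0,0 +1,137 @@
+###########################################################################
+## Copyright (C) Wizardry and Steamworks 2012 - License: GNU GPLv3 ##
+## Please see: http://www.gnu.org/licenses/gpl.html for legal details, ##
+## rights of fair usage, the disclaimer and warranty conditions. ##
+###########################################################################
+# Restrictions template for Postfix >= 2.10 #
+###########################################################################
+# The general strategy is to accept anything from authenticated clients #
+# except cases where MAIL FROM is set to a client other than the given #
+# authenticated client (in the latter case, to prevent E-Mail spoofing) #
+# #
+# The terminology "restrictions that apply AT" (instead of "apply TO") is #
+# used due to some restrictions proceeding others during an SMTP session. #
+# #
+# Requirements: #
+# - The SMTP server MUST be configured with SASL authentication #
+# (regardless whether through Dovecot, Cyrus SASL, etc...) #
+# #
+###### Session Example Illustrating the Application of Restrictions. ######
+# telnet 192.168.0.2 25 #
+# Trying 192.168.0.2... #
+# Connected to 192.168.0.2 (192.168.0.2). #
+# Escape character is '^]'. #
+# 220 mail.example.com ESMTP Postfix # <-smtp_client_restrictions #
+# HELO mail.example.com # <-smtp_helo_restrictions #
+# 250 mail.example.com #
+# MAIL FROM:<ned@example.com> # <-smtp_sender_restrictions #
+# 250 2.1.0 Ok #
+# RCPT TO:<ned@example.com> # <-smtp_recipient_restrictions #
+# 250 2.1.5 Ok #
+# DATA # <-smtp_data_restrictions #
+# 354 End data with <CR><LF>.<CR><LF> #
+# To:<ned@example.com> # <-header_checks #
+# From:<ned@example.com> #
+# Subject:SMTP Test #
+# This is a test message # <-body_checks #
+# . #
+# 250 2.0.0 Ok: queued as 301AE20034 #
+# QUIT #
+# 221 2.0.0 Bye #
+# Connection closed by foreign host. #
+########### https://wiki.centos.org/HowTos/postfix_restrictions ###########
+
+###########################################################################
+# Restrictions that apply when a client connects. #
+###########################################################################
+smtpd_client_restrictions = permit_mynetworks,
+# Any user that is authenticated may send E-Mail regardless the
+# connection or any restrictions that follow.
+permit_sasl_authenticated,
+# Only accept connections with proper hostname to IP (reverse) DNS.
+reject_unknown_client_hostname,
+# Major RBLs matching clients.
+reject_rbl_client sbl.spamhaus.org,
+reject_rbl_client zen.spamhaus.org,
+reject_rbl_client xbl.spamhaus.org,
+reject_rbl_client pbl.spamhaus.org,
+reject_rbl_client cbl.abuseat.org,
+reject_rbl_client bl.spamcop.net,
+permit
+
+###########################################################################
+# Restrictions that apply at: HELO / EHLO #
+###########################################################################
+# smtpd_helo_required makes sending HELo / EHLO mandatory for clients
+smtpd_helo_required = yes
+smtpd_helo_restrictions = permit_mynetworks,
+# Any HELO / EHLO will be accepted from any authenticated client
+# regardless of any rules that follow.
+permit_sasl_authenticated,
+# These checks have to be performed after permitting SASL
+# authenticated clients since the strategy of this template is to
+# always accept from authenticated clients.
+reject_non_fqdn_helo_hostname,
+reject_invalid_helo_hostname,
+# This is disabled because a client may send an HELO / EHLO with the
+# hostname of the computer where the E-Mail originates and although
+# that hostname may be valid on the local LAN of the client, the
+# hostname may be an invalid hostname on the WAN.
+# reject_unknown_helo_hostname,
+# Major RBLs matching HELO / EHLO.
+reject_rhsbl_helo dbl.spamhaus.org,
+permit
+
+###########################################################################
+# Restrictions that apply at: MAIL FROM #
+###########################################################################
+smtpd_sender_restrictions = permit_mynetworks,
+# Any authenticated client may send E-Mail (with the next exception)
+permit_sasl_authenticated,
+# This restriction prevents the following scenario:
+# I am joe@mail.tld, I authenticate as joe to the mail-server at
+# mail.tld and set the MAIL FROM to sally@mail.tld and the server
+# accepts it.
+reject_authenticated_sender_login_mismatch,
+reject_non_fqdn_sender,
+reject_unknown_sender_domain,
+# Major RBLs matching sender.
+reject_rhsbl_sender dbl.spamhaus.org,
+permit
+
+###########################################################################
+# Restrictions that apply before: RCPT TO #
+###########################################################################
+# Legacy restrictions used for older Postfix versions and an possibly be #
+# omitted altogether since smtpd_recipient_restrictions will apply. #
+###########################################################################
+smtpd_relay_restrictions = permit_mynetworks,
+# Any authenticated user may use the server as a relay.
+permit_sasl_authenticated,
+reject_unauth_destination,
+permit
+
+###########################################################################
+# Restrictions that apply at: RCPT TO #
+###########################################################################
+smtpd_recipient_restrictions = permit_mynetworks,
+# An authenticated client may send E-Mail to any destination.
+permit_sasl_authenticated,
+reject_unauth_destination,
+reject_unknown_recipient_domain,
+reject_non_fqdn_recipient,
+# In case it is already known (Postfix - verify) that the
+# destination (recipient) of an E-Mail is unreachable, then do not
+# accept the E-Mail in the first place.
+reject_unverified_recipient,
+permit
+
+###########################################################################
+# Restrictions that apply at: DATA (content body) #
+###########################################################################
+smtpd_data_restrictions = permit_mynetworks,
+# An authenticated client may send any content body.
+permit_sasl_authenticated,
+sleep 3,
+reject_unauth_pipelining,
+permit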
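Review bot: `reject_authenticated_sender_login_mismatch` in smtpd_sender_restrictions only enforces the anti-spoofing rule the header promises when `smtpd_sender_login_maps` is configured; with no lookup table Postfix warns that the restriction is ignored, so the file's stated goal silently depends on a setting it neither sets nor lists, and the Requirements block should carry a line such as `# - smtpd_sender_login_maps MUST map each MAIL FROM address to its SASL login #`. The comment above smtpd_relay_restrictions has the history backwards: that parameter was introduced in Postfix 2.10 and is the authoritative relay-policy control from then on, so it must not be dropped, while it is `reject_unauth_destination` in smtpd_recipient_restrictions that became optional; the comment (which also has the typo "an possibly") should read `# Introduced in Postfix 2.10: the authoritative relay policy. Keep #` / `# reject_unauth_destination in smtpd_recipient_restrictions as defence in depth. #`. In smtpd_client_restrictions, zen.spamhaus.org already aggregates the sbl, xbl and pbl zones and cbl.abuseat.org is folded into the XBL, so the separate lookups cost extra DNS round-trips per connection without tightening the policy; `reject_rbl_client zen.spamhaus.org,` and `reject_rbl_client bl.spamcop.net,` cover the same set.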