###########################################################################
##  Copyright (C) Wizardry and Steamworks 2012 - License: GNU GPLv3      ##
##  Please see: http://www.gnu.org/licenses/gpl.html for legal details,  ##
##  rights of fair usage, the disclaimer and warranty conditions.        ##
###########################################################################
# Restrictions template for Postfix >= 2.10                               #
###########################################################################
# The general strategy is to accept anything from authenticated clients   #
# except where MAIL FROM is set to an address that does not belong to the #
# authenticated client (rejected there to prevent E-Mail spoofing).       #
#                                                                         #
# The terminology "restrictions that apply AT" (instead of "apply TO") is #
# used due to some restrictions preceding others during an SMTP session.  #
#                                                                         #
# Requirements:                                                           #
#   - The SMTP server MUST be configured with SASL authentication         #
#     (regardless whether through Dovecot, Cyrus SASL, etc...)            #
#                                                                         #
###### Session Example Illustrating the Application of Restrictions. ######
# telnet 192.168.0.2 25                                                   #
# Trying 192.168.0.2...                                                   #
# Connected to 192.168.0.2 (192.168.0.2).                                 #
# Escape character is '^]'.                                               #
# 220 mail.example.com ESMTP Postfix    # <-smtpd_client_restrictions     #
# HELO mail.example.com                 # <-smtpd_helo_restrictions       #
# 250 mail.example.com                                                    #
# MAIL FROM:<ned@example.com>           # <-smtpd_sender_restrictions     #
# 250 2.1.0 Ok                                                            #
# RCPT TO:<ned@example.com>             # <-smtpd_recipient_restrictions  #
# 250 2.1.5 Ok                                                            #
# DATA                                  # <-smtpd_data_restrictions       #
# 354 End data with <CR><LF>.<CR><LF>                                     #
# To:<ned@example.com>                  # <-header_checks                 #
# From:<ned@example.com>                                                  #
# Subject:SMTP Test                                                       #
# This is a test message                # <-body_checks                   #
# .                                                                       #
# 250 2.0.0 Ok: queued as 301AE20034                                      #
# QUIT                                                                    #
# 221 2.0.0 Bye                                                           #
# Connection closed by foreign host.                                      #
########### https://wiki.centos.org/HowTos/postfix_restrictions ###########

###########################################################################
# Restrictions that apply when a client connects.                         #
###########################################################################
# Entries are tried in order and the first one that matches decides, so
# the permit_* entries placed early shield trusted clients from every
# check that follows them. Lines starting with whitespace continue the
# value; an indented line whose first character is '#' is ignored, which
# is what allows the comments inside the list. Do not append a comment
# to a restriction line itself - Postfix has no inline comments.
# NOTE(review): with smtpd_delay_reject at its default (yes) the verdicts
# of the client, HELO and sender lists are reported at RCPT TO, so log
# lines for these rejections appear at that stage.
smtpd_client_restrictions = permit_mynetworks,
    # Any user that is authenticated may send E-Mail regardless the
    # connection or any restrictions that follow.
    permit_sasl_authenticated,
    # Only accept connections with proper hostname to IP (reverse) DNS.
    # NOTE(review): reject_unknown_client_hostname also requires the PTR
    # name to resolve back to the connecting IP, so legitimate senders
    # with incomplete DNS are refused as well; the milder documented
    # alternative is reject_unknown_reverse_client_hostname (PTR only).
    # Confirm which strictness is intended for this deployment.
    reject_unknown_client_hostname,
    # Major RBLs matching clients.
    # NOTE(review): zen.spamhaus.org is the combined SBL+XBL+PBL zone, so
    # the separate sbl/xbl/pbl lookups repeat its answer and cost extra
    # DNS queries per connection without changing the verdict; confirm
    # before trimming. Also check whether cbl.abuseat.org is still served.
    reject_rbl_client sbl.spamhaus.org,
    reject_rbl_client zen.spamhaus.org,
    reject_rbl_client xbl.spamhaus.org,
    reject_rbl_client pbl.spamhaus.org,
    reject_rbl_client cbl.abuseat.org,
    reject_rbl_client bl.spamcop.net,
    # Clients not matched above proceed to the HELO / EHLO stage.
    permit

###########################################################################
# Restrictions that apply at: HELO / EHLO                                 #
###########################################################################
# smtpd_helo_required makes sending HELO / EHLO mandatory for clients.
# NOTE(review): keep this at yes - the list below is evaluated in the
# context of a HELO / EHLO command, so a client that were allowed to skip
# the greeting would presumably bypass these checks entirely.
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks,
    # Any HELO / EHLO will be accepted from any authenticated client
    # regardless of any rules that follow.
    permit_sasl_authenticated,
    # These checks have to be performed after permitting SASL
    # authenticated clients since the strategy of this template is to
    # always accept from authenticated clients.
    # Unauthenticated clients must greet with a syntactically valid,
    # fully-qualified hostname.
    reject_non_fqdn_helo_hostname,
    reject_invalid_helo_hostname,
    # This is disabled because a client may send an HELO / EHLO with the
    # hostname of the computer where the E-Mail originates and although
    # that hostname may be valid on the local LAN of the client, the
    # hostname may be an invalid hostname on the WAN.
#    reject_unknown_helo_hostname,
    # Major RBLs matching HELO / EHLO.
    # NOTE(review): the HELO name is chosen by the client and is not
    # verified here (the check above is disabled), so a domain-blocklist
    # hit on it only catches clients that announce a listed name.
    reject_rhsbl_helo dbl.spamhaus.org,
    permit

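###########################################################################
# Restrictions that apply at: MAIL FROM                                   #
###########################################################################
# Restrictions are evaluated in order and the first match decides, so the
# authenticated-sender check must come BEFORE permit_sasl_authenticated.
# Placed after it (as this template originally had it), an authenticated
# client is permitted first and the spoofing check is never reached - and
# since it applies only to authenticated clients, it could never fire at
# all, defeating the stated goal of this template. It stays after
# permit_mynetworks so that trusted networks keep their unconditional pass.
smtpd_sender_restrictions = permit_mynetworks,
    # This restriction prevents the following scenario:
    # I am joe@mail.tld, I authenticate as joe to the mail-server at
    # mail.tld and set the MAIL FROM to sally@mail.tld and the server
    # accepts it.
    # NOTE(review): the comparison needs smtpd_sender_login_maps to map
    # each MAIL FROM address to its owning SASL login; that parameter is
    # not listed under Requirements above. Confirm it is set - without a
    # map there is no address owner to compare against, so the check is
    # expected not to reject anything.
    reject_authenticated_sender_login_mismatch,
    # Any authenticated client may send E-Mail (with the exception above).
    permit_sasl_authenticated,
    # Unauthenticated clients must present a fully-qualified sender
    # address whose domain resolves.
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    # Major RBLs matching sender.
    reject_rhsbl_sender dbl.spamhaus.org,
    permit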

###########################################################################
# Relay control at RCPT TO, checked before smtpd_recipient_restrictions.  #
###########################################################################
# NOTE(review): the original text described this as a legacy setting that
# can possibly be omitted. smtpd_relay_restrictions was introduced in
# Postfix 2.10 (the version this template targets) precisely to keep
# relay control separate from the spam controls in
# smtpd_recipient_restrictions; it is current, not legacy. Omitting it
# falls back to the Postfix default, which also refuses unauthorized
# destinations - confirm against postconf(5) before relying on that.
###########################################################################
smtpd_relay_restrictions = permit_mynetworks,
    # Any authenticated user may use the server as a relay.
    permit_sasl_authenticated,
    # Everyone else may only deliver to domains this server accepts
    # mail for; anything else is an open-relay attempt and is refused.
    reject_unauth_destination,
    permit

###########################################################################
# Restrictions that apply at: RCPT TO                                     #
###########################################################################
smtpd_recipient_restrictions = permit_mynetworks,
    # An authenticated client may send E-Mail to any destination.
    permit_sasl_authenticated,
    # Repeats the relay check already made in smtpd_relay_restrictions,
    # so relaying stays closed even if that parameter is later edited.
    reject_unauth_destination,
    # Recipient domain must be fully qualified and resolve in DNS.
    reject_unknown_recipient_domain,
    reject_non_fqdn_recipient,
    # In case it is already known (Postfix - verify) that the
    # destination (recipient) of an E-Mail is unreachable, then do not
    # accept the E-Mail in the first place.
    # NOTE(review): an address not yet in the verify cache is probed on
    # first sight, which costs a delivery attempt to the next hop per
    # unknown recipient and can be triggered by unauthenticated clients;
    # it mainly pays off for domains this server forwards elsewhere -
    # verify that is the case here.
    reject_unverified_recipient,
    permit

###########################################################################
# Restrictions that apply at: DATA (content body)                         #
###########################################################################
# These run at the DATA command itself, before any message content is
# received; inspection of the content belongs to header_checks and
# body_checks (see the session example in the file header).
smtpd_data_restrictions = permit_mynetworks,
    # An authenticated client may send any content body.
    permit_sasl_authenticated,
    # Pause three seconds, then reject clients that have already sent
    # further commands without waiting for the reply (pipelining without
    # permission, typical of spam bots). This is the sleep +
    # reject_unauth_pipelining pattern documented in postconf(5); the
    # pause adds 3s of latency at DATA for every unauthenticated message,
    # so tune the value with care.
    sleep 3,
    reject_unauth_pipelining,
    permit
