configuration-templates – Rev 22
?pathlinks?
###########################################################################
## Copyright (C) Wizardry and Steamworks 2012 - License: GNU GPLv3 ##
## Please see: http://www.gnu.org/licenses/gpl.html for legal details, ##
## rights of fair usage, the disclaimer and warranty conditions. ##
###########################################################################
# Restrictions template for Postfix >= 2.10 #
###########################################################################
# The general strategy is to accept anything from authenticated clients #
# except cases where MAIL FROM is set to a client other than the given #
# authenticated client (in the latter case, to prevent E-Mail spoofing) #
# #
# The terminology "restrictions that apply AT" (instead of "apply TO") is #
# used due to some restrictions proceeding others during an SMTP session. #
# #
# Requirements: #
# - The SMTP server MUST be configured with SASL authentication #
# (regardless whether through Dovecot, Cyrus SASL, etc...) #
# #
###### Session Example Illustrating the Application of Restrictions. ######
# telnet 192.168.0.2 25 #
# Trying 192.168.0.2... #
# Connected to 192.168.0.2 (192.168.0.2). #
# Escape character is '^]'. #
# 220 mail.example.com ESMTP Postfix # <-smtp_client_restrictions #
# HELO mail.example.com # <-smtp_helo_restrictions #
# 250 mail.example.com #
# MAIL FROM:<ned@example.com> # <-smtp_sender_restrictions #
# 250 2.1.0 Ok #
# RCPT TO:<ned@example.com> # <-smtp_recipient_restrictions #
# 250 2.1.5 Ok #
# DATA # <-smtp_data_restrictions #
# 354 End data with <CR><LF>.<CR><LF> #
# To:<ned@example.com> # <-header_checks #
# From:<ned@example.com> #
# Subject:SMTP Test #
# This is a test message # <-body_checks #
# . #
# 250 2.0.0 Ok: queued as 301AE20034 #
# QUIT #
# 221 2.0.0 Bye #
# Connection closed by foreign host. #
########### https://wiki.centos.org/HowTos/postfix_restrictions ###########
###########################################################################
# Restrictions that apply when a client connects. #
###########################################################################
smtpd_client_restrictions = permit_mynetworks,
# Any user that is authenticated may send E-Mail regardless the
# connection or any restrictions that follow.
permit_sasl_authenticated,
# Only accept connections with proper hostname to IP (reverse) DNS.
reject_unknown_client_hostname,
# Major RBLs matching clients.
reject_rbl_client sbl.spamhaus.org,
reject_rbl_client zen.spamhaus.org,
reject_rbl_client xbl.spamhaus.org,
reject_rbl_client pbl.spamhaus.org,
reject_rbl_client cbl.abuseat.org,
reject_rbl_client bl.spamcop.net,
permit
###########################################################################
# Restrictions that apply at: HELO / EHLO #
###########################################################################
# smtpd_helo_required makes sending HELo / EHLO mandatory for clients
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks,
# Any HELO / EHLO will be accepted from any authenticated client
# regardless of any rules that follow.
permit_sasl_authenticated,
# These checks have to be performed after permitting SASL
# authenticated clients since the strategy of this template is to
# always accept from authenticated clients.
reject_non_fqdn_helo_hostname,
reject_invalid_helo_hostname,
# This is disabled because a client may send an HELO / EHLO with the
# hostname of the computer where the E-Mail originates and although
# that hostname may be valid on the local LAN of the client, the
# hostname may be an invalid hostname on the WAN.
# reject_unknown_helo_hostname,
# Major RBLs matching HELO / EHLO.
reject_rhsbl_helo dbl.spamhaus.org,
permit
###########################################################################
# Restrictions that apply at: MAIL FROM #
###########################################################################
smtpd_sender_restrictions = permit_mynetworks,
# Any authenticated client may send E-Mail (with the next exception)
permit_sasl_authenticated,
# This restriction prevents the following scenario:
# I am joe@mail.tld, I authenticate as joe to the mail-server at
# mail.tld and set the MAIL FROM to sally@mail.tld and the server
# accepts it.
reject_authenticated_sender_login_mismatch,
reject_non_fqdn_sender,
reject_unknown_sender_domain,
# Major RBLs matching sender.
reject_rhsbl_sender dbl.spamhaus.org,
permit
###########################################################################
# Restrictions that apply before: RCPT TO #
###########################################################################
# Legacy restrictions used for older Postfix versions and an possibly be #
# omitted altogether since smtpd_recipient_restrictions will apply. #
###########################################################################
smtpd_relay_restrictions = permit_mynetworks,
# Any authenticated user may use the server as a relay.
permit_sasl_authenticated,
reject_unauth_destination,
permit
###########################################################################
# Restrictions that apply at: RCPT TO #
###########################################################################
smtpd_recipient_restrictions = permit_mynetworks,
# An authenticated client may send E-Mail to any destination.
permit_sasl_authenticated,
reject_unauth_destination,
reject_unknown_recipient_domain,
reject_non_fqdn_recipient,
# In case it is already known (Postfix - verify) that the
# destination (recipient) of an E-Mail is unreachable, then do not
# accept the E-Mail in the first place.
reject_unverified_recipient,
permit
###########################################################################
# Restrictions that apply at: DATA (content body) #
###########################################################################
smtpd_data_restrictions = permit_mynetworks,
# An authenticated client may send any content body.
permit_sasl_authenticated,
sleep 3,
reject_unauth_pipelining,
permit
Generated by GNU Enscript 1.6.5.90.