Re: Postfix relay problem

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Luc MAIGNAN wrote:
> Thanks for your response :
You're welcome.
Luc, do me a favour and don't top-post to the list - it makes context
much harder to follow. For me, at least (before we start that particular
troll-fest again)
> 
> I've put in main.cf :
> 
> smtpd_helo_required = yes
which will only reject a few weird clients.

> smtpd_recipient_restrictions = reject_unknown_recipient_domain, 
> reject_unauth_destination

man 5 postconf will tell you that smtpd_recipient_restrictions
stops at the first matching restriction and that neither
reject_unknown_recipient_domain or reject_unauth_destination match any
mail with sender-specified routing. If you have no blanket reject, they
will probably be permitted to relay.

AIUI your restrictions are not matching the email that you wish to
stop... this is probably due to 'sender-specified routing' as mentioned
above. This may be why it is getting through.

It is possible thay are using the 'percent hack' to achieve this:
try setting
allow_percent_hack = no
in main.cf to disallow this.
(it's an old relaying trick. Postfix permits it by default)

so, have you tried finishing with a blanket reject rule?

smtpd_recipient_restrictions = permit_auth_destination, reject

Will allow users/hosts to send to your domains, but should reject
everything else (including the 'unknown destination' stuff)

The problem with this is allowing certain hosts to relay.
How is this mailserver intended to work? is it simply a final
destination for email for your virtual domains? Or do you also have to
permit relaying from some users/hosts?


> Result of postconf -n is :
<snipped for my random commentary>
> manpage_directory = /usr/local/man
seriously? is this running on Fedora?

> mynetworks = 192.168.26.0/24, 192.168.62.0/24, 127.0.0.0/8
Incidentally IMHO there is no real reason to set mynetworks to anything
if you aren't using it in restrictions... (/me waits to be shot down on
that one.) My internet-facing server just has mynetworks_style=host and
mynetworks is not set at all. Works fine...
or you can just set it to the localhost address,

> mynetworks_style = host
/me likes using this

> relay_domains = mydomain1.com mydomain2.com mydomain3.com
so this is the parameter used by  reject_unauth_destination.


## original example for context:
>>>> 24BDEE7918: to=<donna@xxxxxxxxxxxxxx>,
>>>> relay=smtp1.msp.securence.com[216.17.3.48]:25, delay=3.3,
>>>> delays=0.02/0.01/1.2/2.1, dsn=2.0.0, status=sent (250 OK, queued as
>>>> <20070429143657.24BDEE7918@
>>>>
>>>> How can I deny these mails, and deny use of another relay ?


- --
Stuart Sears RHCA RHCSS PDF ODT DUI
"The PM's claims on this subject are not exactly lies, so much as
fact-free."
http://www.no2id.net/news/pressRelease/release.php?name=Blair_Fact-Free
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iD8DBQFGNOrvamPtx1brPQ4RAj1iAJ9HddeNcaS2j2Lt8qJSq0MvpV7chwCfQBnd
R1Bmwb5D9jU23LeK7GjKvls=
=TR5t
-----END PGP SIGNATURE-----


[Index of Archives]     [Current Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [Yosemite Photos]     [KDE Users]     [Fedora Tools]     [Fedora Docs]

  Powered by Linux