Performance

Peter Russell pete at enitech.com.au
Fri Feb 2 02:40:39 CET 2007



Glenn Steen wrote:
> On 02/02/07, Peter Russell <pete at enitech.com.au> wrote:
>>
>>
>> Glenn Steen wrote:
>> > On 01/02/07, Peter Russell <pete at enitech.com.au> wrote:
>> >>
>> >>
>> >> Glenn Steen wrote:
>> >> > On 31/01/07, Peter Russell <pete at enitech.com.au> wrote:
>> > (snip even more)
>> >> >> >> relay_domains = katy.com katy.net katycomputer.com schmerold.com
>> >> >> > Why is there no "companion" relay_recipient_maps? You should reject
>> >> >> > unknown recipients.
>> >> >> >
>> >> >> >> smtpd_data_restrictions = reject_unauth_pipelining, permit
>> >> >> >> smtpd_helo_required = yes
>> >> >> > Here you should perhaps have a
>> >> >> > smtpd_helo_restrictions = permit_mynetworks, check_helo_access
>> >> >> > hash:/etc/postfix/deny_domain_spoof
>> >> >> > Where the deny_domain_spoof is simply an access file detailing the
>> >> >> > domains and IP addresses you relay for like "katy.com REJECT". Will be
>> >> >> > perfectly safe to use.
>> >> >>
>> >> >> Glenn - should he have REJECT for domains he relays for?
>> >> > Yes. The thinking here is to REJECT anyone pretending to be either
>> >> > your domain (your MX) or any of the "internal/trusted" IP addresses,
>> >> > unless they really are... The permit_mynetworks take care of not
>> >> > rejecting things that shouldn't be rejected:).
>> >> > As said, perfectly safe;-).
>> >> > This one rejects a few every day.
>>
>> Thanks Glenn, I implemented the changes you suggested and now I get
>> legitimate hosts being blocked.
> Um and you're thanking me for this?-):-)... If the hosts being blocked
> should be in your mynetworks, but aren't, that would indeed reject
> messages from those machines. But other than that.... Nah, show me
> some logs:-).
> 
>> postfix/smtpd[10874]: warning: 203.35.216.230: hostname
>> gateway.davidjones.com.au verification failed: Name or service not known
> This isn't a reject, merely a verification warning. You shouldn't be
> losing any mails by this.
> As you can gather, I'm not quite convinced you are missing out on
> anything relevant/having a real problem here. In this particular
> case, you can check it yourself... the reverse lookup leads to
> gateway.davidjones.com.au, and the forward lookup for that leads...
> nowhere. And that is all that log entry is about. If it bothers you
> and they are a business contact, go ahead and tell them to fix that
> leftover PTR (which is likely what it might be:).
> Look for the NOQUEUE lines in the log. Do these correspond with any
> reported (by people:-) errors?
> 
As you say, after I posted it I did some further research and found it 
was just a warning - thanks for the explanation.

>> I will leave off making any more MTA changes until one of the clever
>> cloggs can post up some tips...
> Um, English parser breakdown... Isn't a clogg a sort of wooden shoe?
> And a clever clogg is then an intelligent footwear? Sort of an AI for
> pedestrian appliances?:-)

Well I didn't wanna say geeks - but there you go, you have forced me. :)
> 
>> Thanks
>> Pete
> 

I made some changes to my main.cf and then telnetted in to my server from 
another network. I can get through helo, MAIL FROM with false info - no 
warnings, errors or disconnects. Any idea where I am going wrong? (I 
have excluded all my pre-existing transport map, relay domains type 
config.) Appreciate any tips or suggestions.
Pete

smtpd_client_restrictions = hash:/etc/postfix/access
  permit_mynetworks
  sleep 4
  reject_unauth_pipelining
  permit

smtpd_helo_required = yes

smptd_helo_restrictions =
  sleep 1
  permit_mynetworks
  check_helo_access hash:/etc/postfix/deny_domain_spoof
  reject_unauth_pipelining
  permit

smtpd_recipient_restrictions =
  hash:/etc/postfix/access
  reject_invalid_hostname
  reject_non_fqdn_hostname
  permit_auth_destination
  reject_unauth_destination
  reject_non_fqdn_sender
  permit

relay_recipient_maps =  hash:/etc/postfix/Recipients-AD,
                         hash:/etc/postfix/Recipients-AL,
                         regexp:/etc/postfix/Recipients-Manual,
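
Added example, not part of the original message and not Postfix code: a small Python linter run over a constructed, abridged copy of the main.cf fragment above. It flags parameter names missing from a known list (Postfix treats an unrecognised name as a user-defined parameter and does not apply it) and notes that with the default smtpd_delay_reject = yes, client, HELO and sender restrictions are only evaluated at RCPT TO; the names `KNOWN`, `parse_main_cf`, `lint` and `SAMPLE` are hypothetical, and `KNOWN` is an assumed subset of the real parameter list.

```python
import difflib

# Assumed subset of Postfix parameter names, enough for this thread;
# on a live system the full list comes from `postconf -d`.
KNOWN = {
    "smtpd_client_restrictions", "smtpd_helo_required",
    "smtpd_helo_restrictions", "smtpd_sender_restrictions",
    "smtpd_recipient_restrictions", "smtpd_delay_reject",
    "relay_domains", "relay_recipient_maps",
}

def parse_main_cf(text):
    """Return {name: value}; a line starting with whitespace continues the previous one."""
    params, name = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and name:
            params[name] = (params[name] + " " + raw.strip()).strip()
        elif "=" in raw:
            name, value = (s.strip() for s in raw.split("=", 1))
            params[name] = value
    return params

def lint(text):
    params, findings = parse_main_cf(text), []
    for name in params:
        if name not in KNOWN:
            guess = difflib.get_close_matches(name, KNOWN, n=1)
            hint = f" (did you mean {guess[0]}?)" if guess else ""
            findings.append(f"unknown parameter {name}{hint}")
    # Default is yes: client/HELO/sender checks run only at RCPT TO.
    if params.get("smtpd_delay_reject", "yes") != "no":
        findings.append("smtpd_delay_reject=yes: client/helo/sender "
                        "restrictions are evaluated at RCPT TO")
    return findings

# Constructed sample, abridged from the main.cf fragment in the message above.
SAMPLE = """\
smtpd_helo_required = yes
smptd_helo_restrictions =
  permit_mynetworks
  check_helo_access hash:/etc/postfix/deny_domain_spoof
  permit
smtpd_recipient_restrictions =
  reject_unauth_destination
"""
if __name__ == "__main__":
    print("\n".join(lint(SAMPLE)))
```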

