
How Do I Whitelist a reject_unknown_sender_domain


John Thomas

Jun 29, 2006, 10:12:02 PM
I have senders (a mailing list) that are rejected because of a
reject_unknown_sender_domain. How can I whitelist these senders?

Feel free to comment on anything else that is rather dumb/questionable
in my setup as I know little, but am trying. Thanks for your help.

Requisite postconf -n

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases, hash:/etc/mailman/aliases
body_checks = regexp:/etc/postfix/body_checks
body_checks_size_limit = 25600
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
delay_warning_time = 10m
disable_vrfy_command = yes
header_checks = regexp:/etc/postfix/header_checks
html_directory = no
inet_interfaces = all
mail_owner = postfix
mailbox_size_limit = 81920000
mailbox_transport = cyrus
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
message_size_limit = 81920000
mydestination = $mydomain, $myhostname, localhost.$mydomain, localhost,
mysql:/etc/postfix/mysql-mydestination.cf
mydomain = redacted
myhostname = redacted
mynetworks_style = host
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
owner_request_special = no
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.1.5/README_FILES
sample_directory = /usr/share/doc/postfix-2.1.5/samples
sender_canonical_maps = mysql:/etc/postfix/mysql-canonical.cf
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_tls_CAfile = /etc/postfix/cacert.pem
smtp_tls_cert_file = /etc/postfix/newcert.pem
smtp_tls_key_file = /etc/postfix/newreq.pem
smtp_tls_loglevel = 1
smtp_use_tls = yes
smtpd_data_restrictions = reject_unauth_pipelining,
smtpd_helo_required = yes
smtpd_recipient_restrictions = reject_non_fqdn_sender,
reject_non_fqdn_recipient, reject_unknown_recipient_domain,
reject_unknown_sender_domain, permit_mynetworks,
permit_sasl_authenticated, reject_unauth_destination,
check_recipient_access hash:/etc/postfix/bad_reject_recipients,
check_helo_access hash:/etc/postfix/helo_access, check_helo_access
regexp:/etc/postfix/helo_access_regexp, reject_non_fqdn_hostname,
reject_invalid_hostname, check_sender_access
hash:/etc/postfix/dnsbl-whitelist, reject_rbl_client
sbl-xbl.spamhaus.org, reject_rbl_client cbl.abuseat.org,
reject_rbl_client relays.ordb.org, reject_rbl_client list.dsbl.org,
check_policy_service inet:127.0.0.1:2501, check_recipient_access
hash:/etc/postfix/amavisd_access, permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
smtpd_sasl_security_options = noanonymous
smtpd_sender_restrictions = check_sender_access
hash:/etc/postfix/bad_reject_senders, permit
smtpd_tls_CAfile = /etc/postfix/cacert.pem
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/postfix/newcert.pem
smtpd_tls_key_file = /etc/postfix/newreq.pem
smtpd_tls_loglevel = 1
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 550
virtual_alias_maps = mysql:/etc/postfix/mysql-virtual.cf,
hash:/etc/mailman/virtual-mailman

Noel Jones

Jun 29, 2006, 11:49:52 PM
At 09:12 PM 6/29/2006, John Thomas wrote:
>I have senders (a mailing list) that are rejected because of a
>reject_unknown_sender_domain. How can I whitelist these
>senders?

Since you have all your restrictions in
smtpd_recipient_restrictions, you need to be careful with
this so you don't turn yourself into an open relay. The
solution is to move both the whitelist and
reject_non_fqdn_sender to smtpd_SENDER_restrictions.

# sender_whitelist
bogus.example.com OK

# main.cf
smtpd_sender_restrictions =
    check_sender_access hash:/etc/postfix/sender_whitelist
    reject_non_fqdn_sender

and remove "reject_non_fqdn_sender" from your
smtpd_recipient_restrictions.

http://www.postfix.org/SMTPD_ACCESS_README.html#danger

--
Noel Jones

Devdas Bhagat

Jul 1, 2006, 1:42:38 AM
On 29/06/06 22:49 -0500, Noel Jones wrote:
> At 09:12 PM 6/29/2006, John Thomas wrote:
> >I have senders (a mailing list) that are rejected because of a
> >reject_unknown_sender_domain. How can I whitelist these
> >senders?
>
> Since you have all your restrictions in
> smtpd_recipient_restrictions, you need to be careful with
> this so you don't turn yourself into an open relay. The
> solution is to move both the whitelist and
> reject_non_fqdn_sender to smtpd_SENDER_restrictions.
>
smtpd_recipient_restrictions =
    reject_unauth_destination
    check_sender_access hash:/etc/postfix/sender_whitelist
    reject_non_fqdn_sender

should work too.

Devdas Bhagat

Noel Jones

Jul 1, 2006, 2:21:14 AM
At 12:42 AM 7/1/2006, Devdas Bhagat wrote:
>smtpd_recipient_restriction =
> reject_unauth_destination
> check_sender_access
> hash:/etc/postfix/sender_whitelist
> reject_non_fqdn_sender
>
>should work too.

Once you add in the missing permit_mynetworks, the above
won't prevent internal users from using a bogus sender domain.

If:
a) you want to prevent internal users from using an unknown
sender domain - a reasonable policy
**and**
b) you need to whitelist some bogus domain you must accept
mail from
the safest thing is to put the whitelist and
reject_unknown_sender_domain under
smtpd_sender_restrictions. (I mistakenly used
reject_non_fqdn_sender in earlier examples, but the same
principle applies). While it is possible to do this safely
under smtpd_recipient_restrictions by using
permit_auth_destination rather than OK, I think it best to
not tempt fate.

--
Noel Jones
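A small Python model of how Postfix walks these restriction lists, written for this thread as an added example (it is not Postfix code and not either poster's configuration). It covers the SMTPD_ACCESS_README "danger" case from Noel's first reply and the permit_auth_destination alternative mentioned above; the networks, domains and access map are constructed sample data, and no DNS lookups are performed.

```python
# Toy model of Postfix smtpd restriction evaluation (added example, not Postfix
# code). Networks, domains and the access map are constructed sample data.
MYNETWORKS = {"192.0.2.10"}                  # trusted client (permit_mynetworks)
AUTH_DESTINATIONS = {"example.org"}         # domains this server accepts mail for
RESOLVABLE = {"example.org", "example.net"} # stand-in for the DNS lookup

def evaluate(restrictions, access, client_ip, sender, rcpt):
    """Walk one list: OK/REJECT end it, DUNNO means the list ran out."""
    sender_domain = sender.rsplit("@", 1)[-1]
    rcpt_domain = rcpt.rsplit("@", 1)[-1]
    for r in restrictions:
        if r == "permit_mynetworks" and client_ip in MYNETWORKS:
            return "OK"
        if r == "permit_auth_destination" and rcpt_domain in AUTH_DESTINATIONS:
            return "OK"
        if r == "reject_unauth_destination" and rcpt_domain not in AUTH_DESTINATIONS:
            return "REJECT"
        if r == "reject_unknown_sender_domain" and sender_domain not in RESOLVABLE:
            return "REJECT"
        if r == "check_sender_access":
            action = access.get(sender_domain, "DUNNO")
            if action in ("OK", "REJECT"):
                return action
            if action != "DUNNO":  # a map may name a restriction, e.g. permit_auth_destination
                verdict = evaluate([action], access, client_ip, sender, rcpt)
                if verdict != "DUNNO":
                    return verdict
    return "DUNNO"

def smtpd_decision(sender_restr, rcpt_restr, access, client_ip, sender, rcpt):
    """smtpd_sender_restrictions run first, then smtpd_recipient_restrictions;
    OK ends only its own list, a REJECT in either list wins."""
    for lst in (sender_restr, rcpt_restr):
        if evaluate(lst, access, client_ip, sender, rcpt) == "REJECT":
            return "REJECT"
    return "OK"

WHITELIST = {"bogus.example.com": "OK"}      # the thread's sender_whitelist map
# Noel's layout: whitelist and reject_unknown_sender_domain under sender restrictions.
NOEL = (["check_sender_access", "reject_unknown_sender_domain"],
        ["permit_mynetworks", "reject_unauth_destination"])
# The SMTPD_ACCESS_README "danger": an OK in the recipient list placed before
# reject_unauth_destination ends the list before the relay check runs.
UNSAFE = ([], ["check_sender_access", "reject_unauth_destination"])
# Devdas's list once permit_mynetworks is added: relay-safe, but internal
# clients are permitted before the sender-domain check is reached.
DEVDAS = ([], ["permit_mynetworks", "reject_unauth_destination",
               "check_sender_access", "reject_unknown_sender_domain"])
```

Swapping the map value "OK" for "permit_auth_destination" makes even the UNSAFE layout relay-safe, which is the variant Noel describes and prefers not to rely on.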

Devdas Bhagat

Jul 1, 2006, 3:01:51 AM
On 01/07/06 01:21 -0500, Noel Jones wrote:
> At 12:42 AM 7/1/2006, Devdas Bhagat wrote:
> >smtpd_recipient_restriction =
> > reject_unauth_destination
> > check_sender_access
> >hash:/etc/postfix/sender_whitelist
> > reject_non_fqdn_sender
> >
> >should work too.
>
> Once you add in the missing permit_mynetworks, the above
> won't prevent internal users from using a bogus sender domain.
>
True. That can be handled with sasl authentication and
smtpd_sender_login_maps. However, this is a policy decision and the
choice to add a little bit more complexity to the configuration over
controlling user configurations is left to the poster.

Devdas Bhagat
