
I think that thing smtpd_recipient_restrictions does not work


Condor
Jan 21, 2011, 6:08:44 PM

Hello,
I have Postfix 2.7.2 and I have a problem with restrictions. I set up
smtpd_recipient_restrictions; here is my main.cf config file:

smtpd_recipient_restrictions =
permit_mynetworks,
permit_sasl_authenticated,
check_helo_access hash:/etc/postfix/helo_checks,
check_sender_access hash:/etc/postfix/helo_checks,
check_recipient_access pcre:/etc/postfix/recipient_checks.pcre,
reject_unauth_destination,
reject_invalid_hostname,
reject_unauth_pipelining,
reject_non_fqdn_sender,
reject_unknown_sender_domain,
reject_non_fqdn_recipient,
reject_unknown_recipient_domain,
reject_unlisted_sender,
reject_rhsbl_client blackhole.securitysage.com,
reject_rhsbl_sender blackhole.securitysage.com,
reject_rbl_client relays.ordb.org,
reject_rbl_client blackholes.easynet.nl,
reject_rbl_client cbl.abuseat.org,
reject_rbl_client proxies.blackholes.wirehub.net,
reject_rbl_client bl.spamcop.net,
reject_rbl_client sbl.spamhaus.org,
reject_rbl_client opm.blitzed.org,
reject_rbl_client dnsbl.njabl.org,
reject_rbl_client list.dsbl.org,
reject_rbl_client multihop.dsbl.org,
reject_rbl_client pbl.spamhaus.org,
permit

That file pcre:/etc/postfix/recipient_checks.pcre contains:
/^\@/ 550 Invalid address format.
/[!%\@].*\@/ 550 This server disallows weird address syntax.
/^postmaster\@/ OK
/^hostmaster\@/ OK
/^abuse\@/ OK
/^nobody\@/ REJECT

After I create the file I do:
postmap hash:/etc/postfix/recipient_checks.pcre

and postfix reload / restart (a few times)

and I still can send email from Yahoo to nobody on my server. I also see
that spam IPs that are blocked on bl.spamcop.net, for example, can still
send me email. That rule reject_rbl_client bl.spamcop.net does not block
them. Can anyone help and tell me where my mistake is?


--
Regards,
Condor

Noel Jones
Jan 21, 2011, 7:56:59 PM

Don't escape the @ in pcre tables, i.e.:
/^nobody@/ REJECT nobody isn't here.

A couple of nitpicks:
It's generally better to use "REJECT [optional text]" rather
than "550 [optional text]" because if you forget the optional
text, an all-numeric response means OK. It's also better to
use the optional text so that YOU know why a message was
rejected and can help folks whose mail is incorrectly handled.

Your RBL list is a mess. Several of the lists you are
querying are dead -- securitysage, wirehub, easynet, dsbl.org,
maybe others. You should use zen.spamhaus.org rather than the
other spamhaus lists.
You need to carefully review your RBLs once in a while and
make sure they are still active and doing what you expect.


>
> After i create file i do:
> postmap hash:/etc/postfix/recipient_checks.pcre

There is no need to postmap a pcre file.

>
> and postfix reload / restart (few times)

If it didn't work once, it probably won't work the next time.

>
> and i still can send email from yahoo to nobody on my server. Also i see
> that spam ip-s that is blocked on bl.spamcop.net for example still can
> send me email. That rule reject_rbl_client bl.spamcop.net does not block
> them. Any one can help and tell me where is my mistake ?
>
>

Does postconf smtpd_recipient_restrictions show the same
as what you've posted above?

If you need more help, please see
http://www.postfix.org/DEBUG_README.html#mail
http://www.postfix.org/documentation.html


-- Noel Jones

Mike Morris
Jan 21, 2011, 8:13:36 PM

Additionally, doesn't this configuration make the server in question an
open relay? The recipient_checks.pcre file returns an OK when the RHS
of an email address is anything for an LHS of postmaster, hostmaster, and
abuse, and it immediately precedes reject_unauth_destination in
smtpd_recipient_restrictions.

What is the purpose of configuring recipient validation in such a
manner? The OP would be better served by correctly configuring the
proper address classes.

-Mike

Noel Jones
Jan 21, 2011, 8:25:06 PM

Yes, you're right. reject_unauth_destination should be
directly after permit_mynetworks, permit_sasl_authenticated.

>
> What is the purpose of configuring recipient validation in such a
> manner? The OP would be better served by correctly configuring the
> proper address classes.

It's not uncommon to whitelist role accounts before anti-UCE
checks, and there's nothing wrong with using the same file to reject
recipients that should never receive mail. But the whitelist
should always be *after* reject_unauth_destination.


-- Noel Jones
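A small model of the restriction walk Mike and Noel describe, added here as an illustration (it is not Postfix code and not from anyone in the thread): it evaluates the posted recipient_checks.pcre table in the original order and in Noel's recommended order, and shows why an OK result ahead of reject_unauth_destination relays postmaster@ for any domain. The client addresses and the destination domain are constructed sample values.

```python
import re
from dataclasses import dataclass

# Constructed values for the model; 46.40.123.212 and my-domain.com come from the thread's config.
MYNETWORKS = {"127.0.0.1", "46.40.123.212"}
MYDESTINATION = {"my-domain.com"}          # domains this server is the final destination for

# recipient_checks.pcre as Noel suggested writing it: no backslash before @, REJECT with text.
RECIPIENT_CHECKS = [
    (re.compile(r"^@"),           "REJECT Invalid address format"),
    (re.compile(r"[!%@].*@"),     "REJECT This server disallows weird address syntax"),
    (re.compile(r"^postmaster@"), "OK"),
    (re.compile(r"^hostmaster@"), "OK"),
    (re.compile(r"^abuse@"),      "OK"),
    (re.compile(r"^nobody@"),     "REJECT nobody isn't here"),
]

# The order from the original post versus the order Noel recommends.
ORIGINAL_ORDER = ["permit_mynetworks", "permit_sasl_authenticated",
                  "check_recipient_access", "reject_unauth_destination", "permit"]
FIXED_ORDER = ["permit_mynetworks", "permit_sasl_authenticated",
               "reject_unauth_destination", "check_recipient_access", "permit"]


@dataclass
class Session:
    client_ip: str
    sasl_authenticated: bool


def pcre_lookup(table, key):
    """First matching pattern wins, as in a Postfix pcre: table."""
    for pattern, result in table:
        if pattern.search(key):
            return result
    return None


def evaluate(restrictions, session, recipient):
    """Walk the list left to right; the first restriction that decides ends the walk.

    Returns (decision, what_decided). Restrictions not modelled here (RBLs, HELO
    checks) are simply absent, i.e. treated as DUNNO.
    """
    domain = recipient.rpartition("@")[2].lower()
    for r in restrictions:
        if r == "permit_mynetworks" and session.client_ip in MYNETWORKS:
            return "permit", r
        if r == "permit_sasl_authenticated" and session.sasl_authenticated:
            return "permit", r
        if r == "reject_unauth_destination" and domain not in MYDESTINATION:
            return "reject", r
        if r == "check_recipient_access":
            result = pcre_lookup(RECIPIENT_CHECKS, recipient.lower())
            if result is not None:
                # OK and permit mean the same thing: stop walking this list and accept.
                action = "permit" if result.split()[0] == "OK" else "reject"
                return action, f"{r} -> {result}"
        if r == "permit":
            return "permit", r
    return "permit", "end of list (implicit permit)"


def relay_test(order):
    """Does an unauthenticated stranger get to relay to postmaster@ at a foreign domain?"""
    stranger = Session(client_ip="203.0.113.7", sasl_authenticated=False)
    decision, why = evaluate(order, stranger, "postmaster@other.example")
    return decision == "permit", why


if __name__ == "__main__":
    for name, order in (("original", ORIGINAL_ORDER), ("fixed", FIXED_ORDER)):
        relayed, why = relay_test(order)
        print(f"{name:8s} order: {'OPEN RELAY' if relayed else 'relay refused'} ({why})")
```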

Mike Morris
Jan 21, 2011, 8:35:10 PM

Yeah, I realized why this might be useful after I sent my last response.
Years ago I gave up and started subjecting role accounts to anti-UCE
rules, so I suppose such a purpose doesn't immediately register with me
any more.

-Mike

Jerrale G
Jan 21, 2011, 9:12:38 PM

> and nothing wrong with using the same file to reject recipients that
> should never receive mail. But the whitelist should always be *after*
> reject_unauth_destination.
>
>
> -- Noel Jones

As Noel said, make sure everything defining custom policies, like
check_*_access or anything else related that goes under
smtpd_recipient_restrictions, comes AFTER reject_unauth_destination.
Also, as an anti-open-relay failsafe, you should put "OK 250 custom
message here" instead of "permit 250 custom message". OK says to keep
processing other restrictions but override any header, hostname, or other
checks in this class; permit would override everything, causing an open relay!

Speaking of access lists, a question Mike Morris may also have for 2.8:
we tried putting postscreen_access_list = permit_mynetworks,
permit_sasl_authenticated but it doesn't allow "permit_sasl_authenticated".


Jerrale G.
SC Senior Admin

Noel Jones
Jan 21, 2011, 10:03:13 PM

On 1/21/2011 8:12 PM, Jerrale G wrote:
...

> reject_unauth_destination. Also, as an anti-openrelay
> failsafe, you should put "OK 250 custom message here" instead
> of "permit 250 custom message".

No, OK and permit are the same.

Technically, OK is an access map result, permit is a
smtpd_*_restrictions keyword. But they both do exactly the
same thing, which is skip to the next smtpd_*_restrictions
section.

And "permit text" doesn't work everywhere that "OK text"
works. And the optional number after OK or REJECT is an
RFC3463 enhanced response code in the format d.d.d, not an SMTP
reply like 250 or 550. Postfix automatically supplies an
appropriate enhanced response code, so don't make one up until
you read the docs.
http://tools.ietf.org/html/rfc3463

> OK says to keep processing
> other restrictions but override any header,hostname, or etc
> checks in this class; permit would override everything,
> causing open relay!

Nonsense, read the postfix docs.


>
> Speaking of access lists, a question Mike Morris may also have
> for 2.8, we tried putting postscreen_access_list =
> permit_mynetworks, permit_sasl_authenticated but it doesn't
> allow "permit_sasl_authenticated".

postscreen only works on the client IP, and operates before
client hostname lookup and before SASL authentication. Only
IPs or IP based tables can be used in the
postscreen_access_list entry.

As a general rule, your remote users should connect on the
submission or smtps port, and you shouldn't enable postscreen
there.


-- Noel Jones

Condor
Jan 22, 2011, 2:20:49 AM

> On 1/21/2011 5:08 PM, Condor wrote:
>>
>> Hello,
>> i have postfix 2.7.2 and i have problem with restrictions. I setup
>> smtpd_recipient_restrictions here is my main.cf config file:
>>
>>
>
> Your RBL list is a mess. Several of the lists you are
> querying are dead -- securitysage, wirehub, easynet, dsbl.org,
> maybe others. You should use zen.spamhaus.org rather than the
> other spamhaus lists.
> You need to carefully review your RBLs once in a while and
> make sure they are still active and doing what you expect.
>
>
>>
>> After i create file i do:
>> postmap hash:/etc/postfix/recipient_checks.pcre
>
> There is no need to postmap a pcre file.
>
>>
>> and postfix reload / restart (few times)
>
> If it didn't work once, it probably won't work the next time.
>
>>
>> and i still can send email from yahoo to nobody on my server. Also i see
>> that spam ip-s that is blocked on bl.spamcop.net for example still can
>> send me email. That rule reject_rbl_client bl.spamcop.net does not block
>> them. Any one can help and tell me where is my mistake ?
>>
>>
>
> Does postconf smtpd_recipient_restrictions show the same
> as what you've posted above?
>

Yes, I did not post it because I posted it in a previous email, but here
it is again:

# postconf smtpd_recipient_restrictions
smtpd_recipient_restrictions = permit_mynetworks,
permit_sasl_authenticated, reject_unauth_destination, check_helo_access
hash:/etc/postfix/helo_checks, check_sender_access
hash:/etc/postfix/helo_checks, check_recipient_access
pcre:/etc/postfix/recipient_checks.pcre, reject_invalid_hostname,
reject_unauth_pipelining, reject_non_fqdn_sender,
reject_unknown_sender_domain, reject_non_fqdn_recipient,
reject_unknown_recipient_domain, reject_unlisted_sender,
reject_rhsbl_client dbl.spamhaus.org, reject_rhsbl_sender
dbl.spamhaus.org, reject_rbl_client relays.ordb.org, reject_rbl_client
b.barracudacentral.org, reject_rbl_client cbl.abuseat.org,
reject_rbl_client dyna.spamrats.com, reject_rbl_client bl.spamcop.net,
reject_rbl_client zen.spamhaus.org, reject_rbl_client opm.blitzed.org,
reject_rbl_client dnsbl.njabl.org, reject_rbl_client dnsbl.sorbs.net,
reject_rbl_client db.wpbl.info, permit


I changed my RBL lists and will see whether they work, but this
check_recipient_access pcre:/etc/postfix/recipient_checks.pcre still does
not work. I changed my file as you told me:
/^@/ REJECT 550 Invalid address format.
/[!%@].*@/ REJECT 550 This server disallows weird address syntax.
/^postmaster@/ OK
/^hostmaster@/ OK
/^abuse@/ OK
/^nobody@/ REJECT 550 User is unknow.

I reloaded the Postfix configuration once and after that I still can receive
email to the nobody mailbox.
I can't find why it isn't working. Any advice on what I can do? I changed
check_recipient_access to hash:/etc/postix/block, which contains
nob...@my-domain.com REJECT Go away, then postmap and reload, but again it
does not work. The server just passes the mail to nobody.

--
Regards,
Condor

Mike Morris
Jan 22, 2011, 4:06:54 AM

What are the contents of the file /etc/postfix/helo_checks? Your server
also does not reject on the restrictions reject_non_fqdn_sender,
reject_unknown_sender_domain, or reject_non_fqdn_recipient. Something
is generating an 'OK' or 'permit' result prior to those checks. Maybe
it's time you provided your current postconf -n output, as well as the
full contents of access maps you're using.

Also, replacing your 'OK' results in your access maps with
permit_auth_destination may be safer in case you accidentally move them
after reject_unauth_destination again in the future.

-Mike

Condor
Jan 22, 2011, 5:00:47 AM

Here is my configuration from postconf -n

alias_maps = hash:/etc/postfix/aliases
append_dot_mydomain = no
biff = no
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
disable_vrfy_command = yes
html_directory = no
inet_interfaces = all
mail_owner = postfix
mailbox_size_limit = 0
message_size_limit = 30720000
myhostname = mail.my-domain.com
mynetworks = 46.40.123.212/32 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
proxy_read_maps = $local_recipient_maps $mydestionation
$virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps
$virtual_mailbox_domains $relay_recipient_maps $relay_domains
$canonical_maps $sender_canonical_maps $recipient_canonical_maps
$relocated_maps transport_maps $mynetworks $virtual_mailbox_limit_maps
queue_directory = /var/spool/postfix
readme_directory = no
receive_override_options = no_address_mappings
recipient_delimiter = +
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated,
reject_invalid_helo_hostname, reject_unknown_helo_hostname,
reject_non_fqdn_helo_hostname, permit
smtpd_recipient_restrictions = permit_mynetworks,
permit_sasl_authenticated, reject_unauth_destination, check_helo_access
hash:/etc/postfix/helo_checks, check_sender_access
hash:/etc/postfix/helo_checks, check_recipient_access
pcre:/etc/postfix/recipient_checks.pcre, reject_invalid_hostname,
reject_unauth_pipelining, reject_non_fqdn_sender,
reject_unknown_sender_domain, reject_non_fqdn_recipient,
reject_unknown_recipient_domain, reject_unlisted_sender,
reject_rhsbl_client dbl.spamhaus.org, reject_rhsbl_sender
dbl.spamhaus.org, reject_rbl_client relays.ordb.org, reject_rbl_client
b.barracudacentral.org, reject_rbl_client cbl.abuseat.org,
reject_rbl_client dyna.spamrats.com, reject_rbl_client bl.spamcop.net,
reject_rbl_client zen.spamhaus.org, reject_rbl_client opm.blitzed.org,
reject_rbl_client dnsbl.njabl.org, reject_rbl_client dnsbl.sorbs.net,
reject_rbl_client db.wpbl.info, permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_local_domain =
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_tls_CAfile = /etc/postfix/ssl/mail.my-domain.com.pem
smtpd_tls_cert_file = /etc/postfix/ssl/mail.my-domain.com.crt
smtpd_tls_key_file = /etc/postfix/ssl/mail.my-domain.com.key
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
strict_rfc821_envelopes = yes
virtual_alias_maps = proxy:mysql:/etc/postfix/mysql_virtual_alias_maps.cf,
proxy:mysql:/etc/postfix/mysql_virtual_alias_domain_maps.cf,
proxy:mysql:/etc/postfix/mysql_virtual_alias_domain_catchall_maps.cf
virtual_gid_maps = static:1005
virtual_mailbox_base = /var/spool/postmail
virtual_mailbox_domains =
proxy:mysql:/etc/postfix/mysql_virtual_domains_maps.cf
virtual_mailbox_maps =
proxy:mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf,
proxy:mysql:/etc/postfix/mysql_virtual_alias_domain_mailbox_maps.cf
virtual_transport = dovecot
virtual_uid_maps = static:1004


And here is the content of the helo_checks file:

domain1.com REJECT You are not in domain1.com
domain2.net REJECT You are not in domain2.net
my-domain.com REJECT You are not in my-domain.com
domain3.com REJECT You are not in domain3.com

# Somebody HELO'ing with our IP address?
192.168.1.2 REJECT You are not 192.168.1.2

# Somebody HELO'ing as "localhost?" Impossible, we're "localhost"
localhost REJECT You are not me


--
Regards,
Condor

Noel Jones
Jan 22, 2011, 8:05:36 AM

On 1/22/2011 1:20 AM, Condor wrote:
>
>> On 1/21/2011 5:08 PM, Condor wrote:
>>>
>>> Hello,
>>> i have postfix 2.7.2 and i have problem with restrictions. I setup
>>> smtpd_recipient_restrictions here is my main.cf config file:
>>>
>>>
>>
>> Your RBL list is a mess. Several of the lists you are
>> querying are dead -- securitysage, wirehub, easynet, dsbl.org,
>> maybe others. You should use zen.spamhaus.org rather than the
>> other spamhaus lists.
>> You need to carefully review your RBLs once in a while and
>> make sure they are still active and doing what you expect.
>>
>>
>>>
>>> After i create file i do:
>>> postmap hash:/etc/postfix/recipient_checks.pcre
>>
>> There is no need to postmap a pcre file.
>>
>>>
>>> and postfix reload / restart (few times)
>>
>> If it didn't work once, it probably won't work the next time.
>>
>>>
>>> and i still can send email from yahoo to nobody on my server. Also i see
>>> that spam ip-s that is blocked on bl.spamcop.net for example still can
>>> send me email. That rule reject_rbl_client bl.spamcop.net does not block
>>> them. Any one can help and tell me where is my mistake ?
>>>
>>>
>>
>> Does postconf smtpd_recipient_restrictions show the same
>> as what you've posted above?
>>
>
> Yes, i did not post it because i posted in previous email but here is it
> again:
>

How are you testing it? Show postfix logging of unwanted mail
being accepted.


-- Noel Jones

Condor
Jan 22, 2011, 10:04:24 AM

Here is the log of a message sent from my Yahoo account; I replaced yahoo.com
with yahoo-mail.com so as not to receive spam from bots.

Jan 22 16:59:59 www postfix/smtpd[21535]: connect from
web36803.mail.mud.yahoo.com[209.191.85.54]
Jan 22 16:59:59 www dkimproxy.in[31073]: connect from 127.0.0.1
Jan 22 16:59:59 www dkimproxy.out[8864]: connect from 127.0.0.1
Jan 22 16:59:59 www postfix/smtpd[21539]: connect from localhost[127.0.0.1]
Jan 22 16:59:59 www postfix/smtpd[21535]: NOQUEUE:
client=web36803.mail.mud.yahoo.com[209.191.85.54]
Jan 22 16:59:59 www postfix/smtpd[21539]: BBF49104E5C:
client=localhost[127.0.0.1]
Jan 22 17:00:00 www dkimproxy.in[31073]: DKIM verify - pass;
message-id=<120241....@web36803.mail.mud.yahoo.com>,
signer=<con...@yahoo-mail.com>, from=<con...@yahoo-mail.com>
Jan 22 17:00:00 www dkimproxy.out[8864]: DKIM signing - skipped;
message-id=<120241....@web36803.mail.mud.yahoo.com>,
from=<con...@yahoo-mail.com>
Jan 22 17:00:00 www postfix/cleanup[21540]: BBF49104E5C:
message-id=<120241....@web36803.mail.mud.yahoo.com>
Jan 22 17:00:00 www postfix/qmgr[11730]: BBF49104E5C:
from=<con...@yahoo-mail.com>, size=2111, nrcpt=1 (queue active)
Jan 22 17:00:00 www postfix/smtpd[21535]: proxy-accept: END-OF-MESSAGE:
250 2.0.0 Ok: queued as BBF49104E5C; from=<con...@yahoo-mail.com>
to=<nob...@my-domain.com> proto=SMTP helo=<web36803.mail.mud.yahoo.com>
Jan 22 17:00:00 www spamd[1613]: spamd: connection from localhost
[127.0.0.1] at port 39319
Jan 22 17:00:00 www spamd[1613]: spamd: handle_user unable to find user:
'nob...@stz-bg.com'
Jan 22 17:00:00 www spamd[1613]: spamd: processing message
<120241....@web36803.mail.mud.yahoo.com> for
nob...@my-domain.com:1002
Jan 22 17:00:01 www spamd[1613]: Use of uninitialized value in lc at
/usr/lib/perl5/site_perl/5.12.2/Mail/SpamAssassin/Plugin/MIMEEval.pm line
501, <GEN467> line 40.
Jan 22 17:00:01 www postfix/smtpd[21535]: disconnect from
web36803.mail.mud.yahoo.com[209.191.85.54]
Jan 22 17:00:09 www spamd[1613]: spamd: clean message (-0.1/5.0) for
nob...@my-domain.com:1002 in 9.1 seconds, 2143 bytes.
Jan 22 17:00:09 www spamd[1613]: spamd: result: . 0 -
DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,FREEMAIL_FROM,T_RP_MATCHES_RCVD,T_TO_NO_BRKTS_FREEMAIL
scantime=9.1,size=2143,user=nob...@my-domain.com,uid=1002,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=39319,mid=<120241....@web36803.mail.mud.yahoo.com>,autolearn=ham
Jan 22 17:00:10 www dovecot: lda(nob...@my-domain.com): sieve:
msgid=<120241....@web36803.mail.mud.yahoo.com>: stored mail into
mailbox 'INBOX'
Jan 22 17:00:10 www postfix/pipe[21541]: BBF49104E5C:
to=<nob...@my-domain.com>, relay=dovecot, delay=10, delays=1.1/0.01/0/9.2,
dsn=2.0.0, status=sent (delivered via dovecot service)
Jan 22 17:00:10 www postfix/qmgr[11730]: BBF49104E5C: removed
Jan 22 17:00:10 www spamd[1609]: prefork: child states: II


--
Regards,
Condor

Noel Jones
Jan 22, 2011, 1:37:16 PM

Show unmodified "postconf -n" and non-comment entries from
master.cf (grep -v '^#' master.cf).

-- Noel Jones

Ralf Hildebrandt
Jan 22, 2011, 1:53:34 PM

* Condor <con...@stz-bg.com>:

> reject_rhsbl_client blackhole.securitysage.com,
> reject_rhsbl_sender blackhole.securitysage.com,

These may be dead

> reject_rbl_client relays.ordb.org,
dead

> reject_rbl_client blackholes.easynet.nl,
dead

> reject_rbl_client cbl.abuseat.org,
> reject_rbl_client sbl.spamhaus.org,
> reject_rbl_client pbl.spamhaus.org,
rather use zen.spamhaus.org

> reject_rbl_client proxies.blackholes.wirehub.net,
might be dead

> reject_rbl_client bl.spamcop.net,
> reject_rbl_client opm.blitzed.org,
> reject_rbl_client dnsbl.njabl.org,
> reject_rbl_client list.dsbl.org,
> reject_rbl_client multihop.dsbl.org,


> permit
>
> That file pcre:/etc/postfix/recipient_checks.pcre contain:
> /^\@/ 550 Invalid address format.
> /[!%\@].*\@/ 550 This server disallows weird address syntax.
> /^postmaster\@/ OK
> /^hostmaster\@/ OK
> /^abuse\@/ OK
> /^nobody\@/ REJECT
>

> After i create file i do:
> postmap hash:/etc/postfix/recipient_checks.pcre
>

> and postfix reload / restart (few times)
>

> and i still can send email from yahoo to nobody on my server. Also i see
> that spam ip-s that is blocked on bl.spamcop.net for example still can
> send me email. That rule reject_rbl_client bl.spamcop.net does not block
> them. Any one can help and tell me where is my mistake ?
>
>

> --
> Regards,
> Condor
>

--
Ralf Hildebrandt
Geschäftsbereich IT | Abteilung Netzwerk
Charité - Universitätsmedizin Berlin
Campus Benjamin Franklin
Hindenburgdamm 30 | D-12203 Berlin
Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
ralf.hil...@charite.de | http://www.charite.de

Ralf Hildebrandt
Jan 22, 2011, 1:55:05 PM

* Condor <con...@stz-bg.com>:

>
> Hello,
> i have postfix 2.7.2 and i have problem with restrictions. I setup
> smtpd_recipient_restrictions here is my main.cf config file:
>
> smtpd_recipient_restrictions =
> permit_mynetworks,
> permit_sasl_authenticated,

> check_helo_access hash:/etc/postfix/helo_checks,
> check_sender_access hash:/etc/postfix/helo_checks,
> check_recipient_access pcre:/etc/postfix/recipient_checks.pcre,
> reject_unauth_destination,

...

> That file pcre:/etc/postfix/recipient_checks.pcre contain:
> /^\@/ 550 Invalid address format.
> /[!%\@].*\@/ 550 This server disallows weird address syntax.
> /^postmaster\@/ OK
> /^hostmaster\@/ OK
> /^abuse\@/ OK
> /^nobody\@/ REJECT

This is an open relay that allows relaying to
postmaster, hostmaster, abuse at any domain.

Admittedly that's not a lot of recipients, but still!

Condor
Jan 22, 2011, 2:01:38 PM

> On 1/22/2011 9:04 AM, Condor wrote:
>>
>>> On 1/22/2011 1:20 AM, Condor wrote:
>>>>
>>>>> On 1/21/2011 5:08 PM, Condor wrote:
>>>>>>
>>>>>> Hello,
>>>>>> i have postfix 2.7.2 and i have problem with restrictions. I setup
>>>>>> smtpd_recipient_restrictions here is my main.cf config file:
>>
>>

postconf -n

alias_database = hash:/etc/postfix/aliases
alias_maps = hash:/etc/postfix/aliases
append_dot_mydomain = no
biff = no
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
disable_vrfy_command = yes
html_directory = no
inet_interfaces = all
mail_owner = postfix
mailbox_size_limit = 0
message_size_limit = 30720000
myhostname = mail.stzbg.com
mynetworks = 46.40.123.212/32 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
proxy_read_maps = $local_recipient_maps $mydestionation
$virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps
$virtual_mailbox_domains $relay_recipient_maps $relay_domains
$canonical_maps $sender_canonical_maps $recipient_canonical_maps
$relocated_maps transport_maps $mynetworks $virtual_mailbox_limit_maps
queue_directory = /var/spool/postfix
readme_directory = no
receive_override_options = no_address_mappings
recipient_delimiter = +
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated,
reject_invalid_helo_hostname, reject_unknown_helo_hostname,
reject_non_fqdn_helo_hostname, permit
smtpd_recipient_restrictions = permit_mynetworks,
permit_sasl_authenticated, reject_unauth_destination, check_helo_access
hash:/etc/postfix/helo_checks, check_sender_access
hash:/etc/postfix/helo_checks, check_recipient_access
pcre:/etc/postfix/recipient_checks.pcre, reject_invalid_hostname,
reject_unauth_pipelining, reject_non_fqdn_sender,
reject_unknown_sender_domain, reject_non_fqdn_recipient,
reject_unknown_recipient_domain, reject_unlisted_sender,
reject_rhsbl_client dbl.spamhaus.org, reject_rhsbl_sender
dbl.spamhaus.org, reject_rbl_client relays.ordb.org, reject_rbl_client
b.barracudacentral.org, reject_rbl_client cbl.abuseat.org,
reject_rbl_client dyna.spamrats.com, reject_rbl_client bl.spamcop.net,
reject_rbl_client zen.spamhaus.org, reject_rbl_client opm.blitzed.org,
reject_rbl_client dnsbl.njabl.org, reject_rbl_client dnsbl.sorbs.net,
reject_rbl_client db.wpbl.info, permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_local_domain =
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_tls_CAfile = /etc/postfix/ssl/mail.stzbg.com.pem
smtpd_tls_cert_file = /etc/postfix/ssl/mail.stzbg.com.crt
smtpd_tls_key_file = /etc/postfix/ssl/mail.stzbg.com.key
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
strict_rfc821_envelopes = yes
virtual_alias_maps = proxy:mysql:/etc/postfix/mysql_virtual_alias_maps.cf,
proxy:mysql:/etc/postfix/mysql_virtual_alias_domain_maps.cf,
proxy:mysql:/etc/postfix/mysql_virtual_alias_domain_catchall_maps.cf
virtual_gid_maps = static:1005
virtual_mailbox_base = /var/spool/postmail
virtual_mailbox_domains =
proxy:mysql:/etc/postfix/mysql_virtual_domains_maps.cf
virtual_mailbox_maps =
proxy:mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf,
proxy:mysql:/etc/postfix/mysql_virtual_alias_domain_mailbox_maps.cf
virtual_transport = dovecot
virtual_uid_maps = static:1004


master.cf

smtp inet n - n - - smtpd
  -o smtpd_etrn_restrictions=reject
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_proxy_filter=127.0.0.1:10021
  -o smtpd_client_connection_count_limit=10
  -o content_filter=dksign:[127.0.0.1]:10027
  -o
  smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination
dovecot unix - n n - - pipe
  flags=DRhu user=vmail:vmail argv=/usr/bin/spamc -u ${recipient} -e
  /usr/local/libexec/dovecot/deliver -d ${recipient}

pickup fifo n - - 60 1 pickup
cleanup unix n - - - 0 cleanup
qmgr fifo n - n 300 1 qmgr
tlsmgr unix - - - 1000? 1 tlsmgr
rewrite unix - - - - - trivial-rewrite
bounce unix - - - - 0 bounce
defer unix - - - - 0 bounce
trace unix - - - - 0 bounce
verify unix - - - - 1 verify
flush unix n - - 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - - - - smtp
relay unix - - - - - smtp
  -o smtp_fallback_relay=
showq unix n - - - - showq
error unix - - - - - error
retry unix - - - - - error
discard unix - - - - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - - - - lmtp
anvil unix - - - - 1 anvil
scache unix - - - - 1 scache

smtp-amavis unix - - n - 2 smtp
  -o smtp_data_done_timeout=1200
  -o smtp_send_xforward_command=yes
  -o disable_dns_lookups=yes
  -o max_use=20

127.0.0.1:10025 inet n - - - - smtpd
  -o content_filter=
  -o local_recipient_maps=
  -o relay_recipient_maps=
  -o smtpd_restriction_classes=
  -o smtpd_delay_reject=no
  -o smtpd_client_restrictions=permit_mynetworks,reject
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o smtpd_data_restrictions=reject_unauth_pipelining
  -o smtpd_end_of_data_restrictions=
  -o mynetworks=127.0.0.0/8
  -o smtpd_error_sleep_time=0
  -o smtpd_soft_error_limit=1001
  -o smtpd_hard_error_limit=1000
  -o smtpd_client_connection_count_limit=0
  -o smtpd_client_connection_rate_limit=0
  -o
  receive_override_options=no_header_body_checks,no_unknown_recipient_checks
  -o local_header_rewrite_clients=

127.0.0.1:10030 inet n - n - - smtpd
  -o smtpd_authorized_xforward_hosts=127.0.0.0/8
  -o smtpd_client_restrictions=
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o smtpd_data_restrictions=
  -o mynetworks=127.0.0.0/8
  -o receive_override_options=no_unknown_recipient_checks

dksign unix - - n - 4 smtp
  -o smtp_send_xforward_command=yes
  -o smtp_discard_ehlo_keywords=8bitmime,starttls

127.0.0.1:10028 inet n - n - 10 smtpd
  -o content_filter=
  -o
  receive_override_options=no_unknown_recipient_checks,no_header_body_checks
  -o smtpd_helo_restrictions=
  -o smtpd_client_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject


--
Regards,
Condor

Noel Jones
Jan 22, 2011, 2:15:16 PM

The above settings override your settings in main.cf.

Condor
Jan 22, 2011, 3:04:25 PM

>>
>> master.cf
>>
>> smtp inet n - n - - smtpd
>> -o smtpd_etrn_restrictions=reject
>> -o smtpd_sasl_auth_enable=yes
>> -o smtpd_proxy_filter=127.0.0.1:10021
>> -o smtpd_client_connection_count_limit=10
>> -o content_filter=dksign:[127.0.0.1]:10027
>> -o
>> smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination
>> dovecot unix - n n - - pipe
>> flags=DRhu user=vmail:vmail argv=/usr/bin/spamc -u ${recipient} -e
>> /usr/local/libexec/dovecot/deliver -d ${recipient}
>>
>
>
> The above settings override your settings in main.cf.
>

Any advice? Is it safe for me to remove that smtpd_recipient_restrictions
line from the master.cf file? Will my mail server be safe if I remove
that line, or do I need to clone the line from the main.cf file? Well, I
tell you, I migrated from qmail a few days ago and I don't have much
experience with Postfix.


--
Regards,
Condor

Noel Jones
Jan 22, 2011, 4:15:46 PM

Normally the "-o smtpd_*_restrictions..." settings would be
removed from master.cf, and it looks as if you can safely
remove the smtpd_*_restrictions settings and leave the others.

Usually only specific overrides that are only for a single
port or service are put in master.cf, and as a general rule
it's best to keep those overrides to a minimum (because it can
make postfix behavior more confusing).


-- Noel Jones
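A checker for the master.cf precedence Noel points out, added here as an example (it is not from the thread and not part of Postfix): it joins master.cf continuation lines the way master(5) reads them, collects the -o overrides of each smtpd service, and reports which restriction lists are in force from master.cf rather than main.cf. The master.cf excerpt and the main.cf value are constructed from the ones posted in the thread, with indentation restored and the list shortened.

```python
# Constructed master.cf excerpt modelled on the one posted in this thread, with the leading
# whitespace restored: in master.cf a line that starts with whitespace continues the previous line.
MASTER_CF = """\
smtp      inet  n       -       n       -       -       smtpd
  -o smtpd_etrn_restrictions=reject
  -o smtpd_sasl_auth_enable=yes
  -o content_filter=dksign:[127.0.0.1]:10027
  -o
  smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination
dovecot   unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail:vmail argv=/usr/bin/spamc -u ${recipient}
127.0.0.1:10025 inet n  -       -       -       -       smtpd
  -o content_filter=
  -o smtpd_client_restrictions=permit_mynetworks,reject
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
"""

# main.cf value as shown by postconf in the thread, shortened to the entries that matter here.
MAIN_CF = {
    "smtpd_recipient_restrictions":
        "permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, "
        "check_recipient_access pcre:/etc/postfix/recipient_checks.pcre, "
        "reject_rbl_client zen.spamhaus.org, permit",
}

RESTRICTION_PARAMS = ("smtpd_client_restrictions", "smtpd_helo_restrictions",
                      "smtpd_sender_restrictions", "smtpd_recipient_restrictions")


def logical_lines(text):
    """Join continuation lines onto the entry they belong to; drop blanks and comments."""
    out = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and out:
            out[-1] += " " + line.strip()
        else:
            out.append(line.strip())
    return out


def parse_master_cf(text):
    """Return {service: {"command": ..., "overrides": {param: value}}} for each entry."""
    services = {}
    for line in logical_lines(text):
        fields = line.split()
        if len(fields) < 8:          # name type private unpriv chroot wakeup maxproc command
            continue
        name, command, args = fields[0], fields[7], fields[8:]
        overrides = {}
        i = 0
        while i < len(args):
            # "-o name=value"; the value may have been wrapped onto its own physical line.
            if args[i] == "-o" and i + 1 < len(args) and "=" in args[i + 1]:
                param, value = args[i + 1].split("=", 1)
                overrides[param] = value
                i += 2
            else:
                i += 1
        services[name] = {"command": command, "overrides": overrides}
    return services


def effective_restrictions(services, main_cf):
    """For each smtpd service, which restriction list is in force and where it comes from."""
    report = {}
    for name, svc in services.items():
        if svc["command"] != "smtpd":
            continue
        report[name] = {}
        for param in RESTRICTION_PARAMS:
            if param in svc["overrides"]:
                report[name][param] = ("master.cf", svc["overrides"][param])
            elif param in main_cf:
                report[name][param] = ("main.cf", main_cf[param])
    return report


if __name__ == "__main__":
    for service, params in effective_restrictions(parse_master_cf(MASTER_CF), MAIN_CF).items():
        for param, (source, value) in params.items():
            shadowed = source == "master.cf" and param in MAIN_CF
            flag = "  <-- main.cf value is ignored here" if shadowed else ""
            print(f"{service}: {param} from {source}: {value}{flag}")
```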

Condor
Jan 22, 2011, 4:33:59 PM

Thank you. I removed that line and now everything works.

--
Regards,
Condor
