SMTPD_*_RESTRICTIONS
rbtux
Hi there

There seems to be a bigger problem with the understanding of smtpd_x_restrictions. I thought I'd explain them here a bit further:

smtpd_client_restrictions:
With these restrictions it's possible to permit/reject connections based on information available after the client connects. You can filter:
- hostnames
- IP addresses

smtpd_helo_restrictions:
With these restrictions it's possible to permit/reject connections based on information available after the client sent HELO/EHLO. You can filter:
- hostnames
- IP addresses
- HELO

smtpd_sender_restrictions:
With these restrictions it's possible to permit/reject connections based on information available after the client sent Mail from:. You can filter:
- hostnames
- IP addresses
- HELO
- Sender E-Mail address

smtpd_recipient_restrictions:
With these restrictions it's possible to permit/reject connections based on information available after the client sent rcpt from:. You can filter:
- hostnames
- IP addresses
- HELO
- Sender E-Mail address
- recipient address

smtpd_data_restrictions:
With these restrictions it's possible to permit/reject connections based on information available after the client sent data:. You can filter:
- hostnames
- IP addresses
- HELO
- Sender E-Mail address
- recipient address
- pipelining


If we now want to protect our Postfix against the bad guys, we could use this configuration:

Quote:
smtpd_helo_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_invalid_hostname

smtpd_sender_restrictions =
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    permit_mynetworks,
    permit_sasl_authenticated

smtpd_recipient_restrictions =
    reject_non_fqdn_recipient,
    reject_unknown_recipient_domain,
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    check_policy_service...

smtpd_data_restrictions =
    reject_multi_recipient_bounce,
    reject_unauth_pipelining

The above configuration is identical (in result) to the following shorter one:

Quote:
smtpd_recipient_restrictions =
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    reject_non_fqdn_recipient,
    reject_unknown_recipient_domain,
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_invalid_hostname,
    reject_unauth_destination,
    check_policy_service...

smtpd_data_restrictions =
    reject_multi_recipient_bounce,
    reject_unauth_pipelining

The advantage is: You have to specify permits in only one section. That's important when you begin using your own black/whitelists (check_*_access). That makes it a lot easier to debug a problem within your configuration.

The (very small) disadvantage is: There is some more traffic (1 - 2 kb) for each mail you block. When you have a mail service which is delivering more than 100000 mails a day, you may want to use the first configuration.


I hope that increases the understanding of postfix smtpd_*_restrictions a bit...
(This post was last modified: 11-10-2007 10:12 PM by rbtux.)
11-10-2007 10:05 PM
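
An added example, not part of the original post and not Postfix code: a small Python model of how the restriction lists are evaluated, used to compare the two configurations above over every combination of session conditions, plus a constructed variant showing what changes when the permits are moved to the front. Assumptions: the session flag names are hypothetical, the elided check_policy_service entry is left out, and smtpd_data_restrictions is omitted because it is the same in both configurations.

```python
from itertools import product

# Simplified model (assumption: default smtpd_delay_reject = yes, so the
# helo/sender/recipient lists are all evaluated at RCPT TO). Session flag
# names are hypothetical; the elided check_policy_service is left out.
RULES = {
    "permit_mynetworks": ("in_mynetworks", "OK"),
    "permit_sasl_authenticated": ("sasl_authenticated", "OK"),
    "reject_invalid_hostname": ("helo_invalid", "REJECT"),
    "reject_non_fqdn_sender": ("sender_non_fqdn", "REJECT"),
    "reject_unknown_sender_domain": ("sender_domain_unknown", "REJECT"),
    "reject_non_fqdn_recipient": ("rcpt_non_fqdn", "REJECT"),
    "reject_unknown_recipient_domain": ("rcpt_domain_unknown", "REJECT"),
    "reject_unauth_destination": ("rcpt_not_ours", "REJECT"),
}
PERMITS = ["permit_mynetworks", "permit_sasl_authenticated"]
SENDER = ["reject_non_fqdn_sender", "reject_unknown_sender_domain"]
RCPT = ["reject_non_fqdn_recipient", "reject_unknown_recipient_domain"]
LONG = {  # first configuration in the post
    "helo": PERMITS + ["reject_invalid_hostname"],
    "sender": SENDER + PERMITS,
    "recipient": RCPT + PERMITS + ["reject_unauth_destination"],
}
SHORT = {  # second configuration: everything in smtpd_recipient_restrictions
    "recipient": SENDER + RCPT + PERMITS
    + ["reject_invalid_hostname", "reject_unauth_destination"],
}
# Constructed variant, not from the post: permits moved to the front.
PERMITS_FIRST = {"recipient": PERMITS + SENDER + RCPT
                 + ["reject_invalid_hostname", "reject_unauth_destination"]}

def verdict(config, session):
    """First match wins inside a list; OK ends only that list, REJECT is final."""
    for stage in ("helo", "sender", "recipient"):
        for name in config.get(stage, []):
            flag, action = RULES[name]
            if session[flag]:
                if action == "REJECT":
                    return "REJECT"
                break  # OK: skip the rest of this list, later lists still run
    return "ACCEPT"

def disagreements(a, b):
    """All flag combinations on which two configurations reach different verdicts."""
    flags = sorted({flag for flag, _ in RULES.values()})
    sessions = (dict(zip(flags, v)) for v in product([False, True], repeat=len(flags)))
    return [s for s in sessions if verdict(a, s) != verdict(b, s)]

print(len(disagreements(LONG, SHORT)), len(disagreements(LONG, PERMITS_FIRST)))
```

The two configurations from the post agree on all 256 modelled sessions; the permits-first variant differs wherever a trusted or authenticated client sends a malformed or unresolvable sender or recipient address, which the post's ordering still rejects.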