Default restrictions IV
smtpd_recipient_restrictions
- none for FJFI domain and SASL-authenticated clients
- reject_unauth_destination (554)
  - “open-relay” rule (allow only forwarded and local mail)
- reject_unknown_recipient_domain (450)
  - recipient domain must exist
- reject_unverified_recipient (550)
  - only if the recipient is in the FJFI domain
  - requires correct configuration of local mail servers
- check_recipient_mx_access (554)
  - rejects mail for domains with an incorrect MX; otherwise it stays in the queue
- check_policy_service
  - ppolicy daemon – see next slides
smtpd_data_restrictions – pipelining, multibounce
Notes:
smtpd_recipient_restrictions =
    check_recipient_access hash:/etc/postfix/spam_recipient_access
    permit_mynetworks
    permit_sasl_authenticated
    reject_unauth_destination
    reject_unknown_recipient_domain
    check_recipient_access hash:/etc/postfix/recipient_access
#   cidr: is required for the network/mask patterns in mx_access (hash: tables do not match them)
    check_recipient_mx_access cidr:/etc/postfix/mx_access
    check_policy_service inet:127.0.0.1:10030
#   reject_unverified_recipient # in recipient_access
#   permit_tls_clientcerts # postfix 2.2
#   permit_auth_destination
#   check_client_access hash:/etc/mail/pop-before-smtp
#   check_relay_domains
#   permit_mx_backup
smtpd_data_restrictions =
    permit_mynetworks
    permit_sasl_authenticated
    reject_unauth_pipelining
    warn_if_reject reject_multi_recipient_bounce
/etc/postfix/mx_access
# IP address Verisign returns for otherwise invalid
# .com and .net domains
64.94.110.11 REJECT Verisign hijacked domain
0.0.0.0/8 REJECT Domain MX in broadcast network
10.0.0.0/8 REJECT Domain MX in RFC 1918 private network
127.0.0.0/8 REJECT Domain MX in loopback network
169.254.0.0/16 REJECT Domain MX in link local network
172.16.0.0/12 REJECT Domain MX in RFC 1918 private network
192.0.2.0/24 REJECT Domain MX in TEST-NET network
192.168.0.0/16 REJECT Domain MX in RFC 1918 private network
224.0.0.0/4 REJECT Domain MX in class D multicast network
240.0.0.0/5 REJECT Domain MX in class E reserved network
248.0.0.0/5 REJECT Domain MX in reserved network
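Added example (not part of the original slides): a simplified Python model of the first-match lookup that check_recipient_mx_access performs against a table like the one above, which also reports patterns that are not valid network/mask notation. The function names, the malformed line and the MX addresses are constructed for illustration, and DNS resolution is left out so it runs offline.

```python
import ipaddress

# Subset of the mx_access table above, plus one constructed malformed line.
MX_ACCESS = """\
# IP address Verisign returns for otherwise invalid .com and .net domains
64.94.110.11    REJECT Verisign hijacked domain
10.0.0.0/8      REJECT Domain MX in RFC 1918 private network
127.0.0.0/8     REJECT Domain MX in loopback network
192.168.0/16    REJECT constructed malformed pattern (missing octet)
192.168.0.0/16  REJECT Domain MX in RFC 1918 private network
224.0.0.0/4     REJECT Domain MX in class D multicast network
"""

def parse_table(text):
    """Return (rules, errors): rules keep file order, errors list bad patterns."""
    rules, errors = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        pattern, action = (line.split(None, 1) + [""])[:2]
        try:
            # strict=True also rejects patterns with host bits set below the mask
            net = ipaddress.ip_network(pattern, strict=True)
        except ValueError as exc:
            errors.append((lineno, pattern, str(exc)))
            continue
        rules.append((net, action.strip()))
    return rules, errors

def check_mx(addresses, rules):
    """Return the action of the first rule matching any MX address, else None."""
    for addr in addresses:
        ip = ipaddress.ip_address(addr)
        for net, action in rules:
            if ip in net:
                return action
    return None  # no match: the next restriction in the list decides

if __name__ == "__main__":
    rules, errors = parse_table(MX_ACCESS)
    for lineno, pattern, why in errors:
        print(f"line {lineno}: bad pattern {pattern!r}: {why}")
    # Constructed MX address sets standing in for DNS answers
    for mx in (["192.168.1.25"], ["127.0.0.1"], ["198.51.100.7"]):
        print(mx, "->", check_mx(mx, rules))
```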
/etc/postfix/recipient_access
# Do address verification for local recipients
# (don't queue mail whose recipient is invalid on the final mail server)
fjfi.cvut.cz reject_unverified_recipient
/etc/postfix/spam_recipient_access
# use postfix restriction classes to accept spam@ and nospam@ address only from local IPs