author | ccsmart <ccsmart@smartpal.de> | 2007-01-16 21:30:07 +0000 |
---|---|---|
committer | ccsmart <ccsmart@smartpal.de> | 2007-01-16 21:30:07 +0000 |
commit | 3ece40d97404fee166524620420ae2f051b384d2 (patch) | |
tree | 2cc9c407f646889807144ecf09ed00ef34a59780 /packages/postfix/files | |
parent | ccbc3685b5baf90cd59e5eefeccbee784b9967ee (diff) |
postfix: Updating and improving configuration. This should cut off about 75% of the typical spam load before it enters the system.
Diffstat (limited to 'packages/postfix/files')
-rw-r--r-- | packages/postfix/files/internal_recipient | 2 | ||||
-rw-r--r-- | packages/postfix/files/main.cf_2.0 | 63 | ||||
-rw-r--r-- | packages/postfix/files/volatiles | 30 |
3 files changed, 80 insertions, 15 deletions
diff --git a/packages/postfix/files/internal_recipient b/packages/postfix/files/internal_recipient new file mode 100644 index 0000000000..0d11944beb --- /dev/null +++ b/packages/postfix/files/internal_recipient @@ -0,0 +1,2 @@ +root@ permit_mynetworks,reject + diff --git a/packages/postfix/files/main.cf_2.0 b/packages/postfix/files/main.cf_2.0 index 002f681217..1a6ddabbf3 100644 --- a/packages/postfix/files/main.cf_2.0 +++ b/packages/postfix/files/main.cf_2.0 @@ -2,6 +2,7 @@ cat <<EOF # Configure your domain and accounts mydomain=sample.com +mynetworks = 127.0.0.1/32 192.168.1.0/24 virtual_mailbox_domains = sample.com, other.net virtual_mailbox_maps = hash:/etc/postfix/virtual 
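Review bot: The new `internal_recipient` table is read as `hash:/etc/postfix/internal_recipient` from `smtpd_recipient_restrictions` in main.cf_2.0, but nothing visible here builds the indexed `.db` file with `postmap`; the diffstat is limited to `packages/postfix/files`, so the recipe may already handle it. If the index is missing at runtime, smtpd cannot open the table and will typically fail incoming sessions with a temporary error instead of applying the rule, so it is worth confirming that the package or init script runs `postmap /etc/postfix/internal_recipient`. The file would also benefit from a leading comment such as `# Mail to root@<any domain> is accepted only from mynetworks clients`, because the `root@` key matches the local part regardless of domain.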
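Review bot: The added `mynetworks = 127.0.0.1/32 192.168.1.0/24` hard-codes a LAN range as trusted, and every restriction list added later in this commit begins with `permit_mynetworks`, so any host in 192.168.1.0/24 skips the DNSBL, HELO and sender checks and may relay through this server. On a device whose upstream or guest network happens to use that range, this default trusts hosts the administrator never chose. Shipping the sample as `mynetworks = 127.0.0.1/32` with a comment like `# Add your LAN here; listed hosts bypass all smtpd_*_restrictions and may relay` would be the safer default. The enclosing here-document starts and ends outside this hunk.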
@@ -35,4 +36,66 @@ debug_peer_level = 2 sendmail_path = /usr/sbin/sendmail newaliases_path = /usr/bin/newaliases mailq_path = /usr/bin/mailq + +smtpd_data_restrictions = + permit_mynetworks, + reject_unauth_pipelining, + permit + +smtpd_client_restrictions = + permit_mynetworks, + # reject_unknown_client, # This can cause a lot of false rejects. + reject_invalid_hostname, + reject_rbl_client list.dsbl.org, + reject_rbl_client sbl.spamhaus.org, + reject_rbl_client cbl.abuseat.org, + reject_rbl_client dul.dnsbl.sorbs.net, + permit + +smtpd_helo_required = yes +smtpd_helo_restrictions = + permit_mynetworks, + reject_unauth_pipelining, + # reject_non_fqdn_hostname, # This can cause a lot of false rejects. + # reject_unknown_hostname, # This can cause a lot of false rejects. + reject_invalid_hostname, + permit + +smtpd_sender_restrictions = + permit_mynetworks, + reject_non_fqdn_sender, + # check_sender_access hash:/etc/postfix/access_domains, + reject_unknown_sender_domain, + permit + +smtpd_recipient_restrictions = + permit_mynetworks, + permit_sasl_authenticated, + reject_unauth_destination, + + # check_recipient_access pcre:/etc/postfix/recipient_checks.pcre, + # check_helo_access pcre:/etc/postfix/helo_checks.pcre, + + # check_client_access hash:/etc/postfix/maps/access_client, + # check_client_access hash:/etc/postfix/maps/exceptions_client, + # check_helo_access hash:/etc/postfix/maps/access_helo, + # check_helo_access hash:/etc/postfix/maps/verify_helo, + # check_sender_access hash:/etc/postfix/maps/access_sender, + # check_sender_access hash:/etc/postfix/maps/verify_sender, + # check_recipient_access hash:/etc/postfix/maps/access_recipient, + + # reject_multi_recipient_bounce, + reject_non_fqdn_recipient, + reject_unknown_recipient_domain, + # reject_unlisted_recipient, + #check_policy_service unix:private/policy, + + # check_sender_access hash:/etc/postfix/maps/no_verify_sender, + # check_sender_access hash:/etc/postfix/access_domains, + # 
reject_unverified_sender, + # reject_unverified_recipient + check_recipient_access hash:/etc/postfix/internal_recipient + +disable_vrfy_command = yes + EOF diff --git a/packages/postfix/files/volatiles b/packages/postfix/files/volatiles index cb111cd4c0..bc330c99bd 100644 --- a/packages/postfix/files/volatiles +++ b/packages/postfix/files/volatiles @@ -1,15 +1,15 @@ -d postfix nogroup 2755 /var/spool/mail -d root postfix 0755 /var/spool/postfix -d postfix root 0700 /var/spool/postfix/active -d postfix root 0700 /var/spool/postfix/bounce -d postfix root 0700 /var/spool/postfix/corrupt -d postfix root 0700 /var/spool/postfix/defer -d postfix root 0700 /var/spool/postfix/deferred -d postfix root 0700 /var/spool/postfix/flush -d postfix root 0700 /var/spool/postfix/hold -d postfix root 0700 /var/spool/postfix/incoming -d postfix postdrop 0730 /var/spool/postfix/maildrop -d root root 0755 /var/spool/postfix/pid -d postfix root 0700 /var/spool/postfix/private -d postfix postdrop 0710 /var/spool/postfix/public -d root root 0755 /var/spool/vmail +d postfix nogroup 2755 /var/spool/mail none +d root postfix 0755 /var/spool/postfix none +d postfix root 0700 /var/spool/postfix/active none +d postfix root 0700 /var/spool/postfix/bounce none +d postfix root 0700 /var/spool/postfix/corrupt none +d postfix root 0700 /var/spool/postfix/defer none +d postfix root 0700 /var/spool/postfix/deferred none +d postfix root 0700 /var/spool/postfix/flush none +d postfix root 0700 /var/spool/postfix/hold none +d postfix root 0700 /var/spool/postfix/incoming none +d postfix postdrop 0730 /var/spool/postfix/maildrop none +d root root 0755 /var/spool/postfix/pid none +d postfix root 0700 /var/spool/postfix/private none +d postfix postdrop 0710 /var/spool/postfix/public none +d root root 0755 /var/spool/vmail none |
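Review bot: The four `reject_rbl_client` entries in `smtpd_client_restrictions` make acceptance of all non-local mail depend on external DNS zones (`list.dsbl.org`, `sbl.spamhaus.org`, `cbl.abuseat.org`, `dul.dnsbl.sorbs.net`) that are enabled by default with no note for the administrator. A blocklist that becomes slow, changes its usage terms or is retired can delay or reject legitimate mail without any local change. I would add a comment above them such as `# External DNSBLs: confirm each zone is still operated and its usage terms fit this site`, and consider shipping the more aggressive lists commented out, as was done for `reject_unknown_client`. Separately, `reject_invalid_hostname` in `smtpd_client_restrictions` repeats the check in `smtpd_helo_restrictions`, and `reject_unauth_pipelining` appears in both the HELO and DATA lists; keeping each in one place would make the policy easier to audit.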