postfix recipient_access list
t.berthel at gmx.net
t.berthel at gmx.net
Mi Aug 16 12:49:13 CEST 2017
Hallo,
nochmals Danke für eure Tipps, jedoch funktioniert es irgendwie nicht so wie ich es will. Folgendes habe ich geändert:
# Content checks lists and Transport Lists
alias_maps = hash:/etc/postfix/aliases
alias_database = hash:/etc/postfix/aliases
virtual_alias_maps = hash:/etc/postfix/virtual
transport_maps = hash:/etc/postfix/transport
# NOTE(review): relay_recipient_maps lists valid recipients only for domains that
# Postfix treats as relay domains (relay_domains). A domain that is also named in
# mydestination is classified as local, and local_recipient_maps is used instead.
relay_recipient_maps = hash:/etc/postfix/relay_recipients < - Hier die neue Regel hinterlegt
body_checks = pcre:/etc/postfix/body_checks.pcre
header_checks = pcre:/etc/postfix/header_checks.pcre
mime_header_checks = pcre:/etc/postfix/mime_header_checks.pcre
....
....
smtpd_recipient_restrictions =
reject_invalid_hostname,
reject_non_fqdn_hostname,
reject_non_fqdn_recipient,
reject_unknown_recipient_domain,
# reject_unlisted_recipient rejects an address only when it is missing from the
# recipient table of its own address class; it does not select
# relay_recipient_maps by itself.
reject_unlisted_recipient, < - Hier die neue Regel hinterlegt
permit_mynetworks,
permit
In der Liste relay_recipients habe ich ein paar Empfänger hinzugefügt und eine Adresse weggelassen, jedoch wurde diese auch nach einem "postmap relay_recipients" & "postfix reload" dennoch durchgelassen.
Verstehe ich jetzt so nicht ganz.
Hier mal meine postconf (interne Inhalte wurden abgeändert):
# Installation paths, process ownership and listening interfaces.
queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/lib/postfix
manpage_directory = /usr/share/man
sample_directory = /etc/postfix
html_directory = no
readme_directory = no
sendmail_path = /usr/sbin/sendmail
newaliases_path = /usr/bin/newaliases
mailq_path = /usr/bin/mailq
mail_owner = postfix
setgid_group = postdrop
inet_interfaces = all
#
# Edit own Maildomain and Mailhost
# mynetworks is set explicitly on the next line but one, so Postfix ignores
# mynetworks_style.
mynetworks_style = host
# Clients matching mynetworks are accepted by every permit_mynetworks entry in
# the restriction lists further down; keep this list as narrow as it is here.
mynetworks = 127.0.0.0/8, 192.YYY.YYY.YYY/32
myhostname = MY-HOST.DOMAIN.DE
# NOTE(review): the same (anonymized) name MY.DOMAIN.DE is also listed in
# mydestination further down. A domain in both lists is treated as local, so
# relay_recipient_maps is not consulted for it; Postfix normally logs a warning
# about a domain listed in both mydestination and relay_domains - check the log.
relay_domains = MY.DOMAIN.DE
mydomain = MY.DOMAIN.DE
myorigin = $mydomain
#
# Content checks lists and Transport Lists
alias_maps = hash:/etc/postfix/aliases
alias_database = hash:/etc/postfix/aliases
virtual_alias_maps = hash:/etc/postfix/virtual
transport_maps = hash:/etc/postfix/transport
# Valid-recipient table for relay-class domains only (those matched by
# relay_domains and not by mydestination). Keys are expected to be full
# addresses; the .db file must be rebuilt with postmap at this exact path.
relay_recipient_maps = hash:/etc/postfix/relay_recipients
body_checks = pcre:/etc/postfix/body_checks.pcre
header_checks = pcre:/etc/postfix/header_checks.pcre
mime_header_checks = pcre:/etc/postfix/mime_header_checks.pcre
#smtpd_command_filter = pcre:/etc/postfix/command_filter
bounce_template_file = /etc/postfix/bounce.cf
smtpd_discard_ehlo_keyword_address_maps = cidr:/etc/postfix/esmtp_access
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
#
#SASL config
# Server-side SASL is switched off here, so the smtpd_sasl_* options below have
# no effect until this is set to yes.
smtpd_sasl_auth_enable = no
#Auth type cyrus or dovecot
smtpd_sasl_type = cyrus
smtpd_sasl_security_options = noanonymous ,noplaintext
smtpd_sasl_tls_security_options = noanonymous
smtpd_sasl_local_domain = $mydomain
smtpd_sasl_path = smtpd
#
#smtpd_sasl_path = /var/run/saslauthd/mux
broken_sasl_auth_clients = no
# Client-side credential table for outbound authentication. smtp_sasl_auth_enable
# is not shown in this listing - TODO confirm whether it is in use. The file and
# its .db hold passwords and should be readable by root only.
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
#
# DNS support level: disabled / enabled / dnssec
# dnssec asks for DNSSEC-validated lookups; this depends on a validating
# resolver that this host trusts.
smtp_dns_support_level= dnssec
#
# Max Mailsize 200MB
message_size_limit = 209715200
#
# Postfix Common Settings
# NOTE(review): MY.DOMAIN.DE (anonymized) is listed here AND in relay_domains.
# Domains in mydestination belong to the local address class, so
# reject_unlisted_recipient checks local_recipient_maps for them, not
# relay_recipient_maps. This is the likely reason an address left out of
# relay_recipients is still accepted; removing the relayed domain from
# mydestination would make relay_recipient_maps apply.
mydestination = MY.EXCHANGE.LOCAL, MY.DOMAIN.DE
# An empty local_recipient_maps turns off recipient validation for all
# mydestination domains: every local-class address is accepted at RCPT TO.
local_recipient_maps =
local_transport = error:local mail delivery is disabled
mailbox_size_limit = 0
append_dot_mydomain = no
strict_rfc821_envelopes = yes
recipient_delimiter = +
smtpd_helo_required = yes
# With smtpd_delay_reject = yes the client, helo and sender restriction lists
# are evaluated at RCPT TO time rather than at connect/HELO/MAIL FROM.
smtpd_delay_reject = yes
smtp_mail_timeout = 60s
smtp_helo_timeout = 10s
smtp_rcpt_timeout = 60s
smtp_rset_timeout = 10s
smtp_data_xfer_timeout = 60s
smtp_data_done_timeout = 300s
smtp_quit_timeout = 60s
soft_bounce = no
biff = no
smtpd_banner = $myhostname ESMTP $mail_name
default_rbl_reply = $rbl_code RBLTRAP: $client blocked using $rbl_domain Reason: $rbl_reason
unverified_recipient_reject_reason = Recipient address lookup failed
inet_protocols = ipv4
bounce_queue_lifetime = 2h
maximal_queue_lifetime = 4h
delay_warning_time = 1h
compatibility_level = 2
smtputf8_enable = yes
#
# Amavisd connector
# content_filter = amavislt:[127.0.0.1]:10024
# smtpd-proxy-filter in master.cf is set!
# NOTE(review): the comment above says a proxy filter is configured in master.cf
# while content_filter is also active here. master.cf is not shown, so confirm
# that mail is not passed through the filter twice.
content_filter = amavislt:[127.0.0.1]:10024
#
# Reject codes
# SMTP reply codes returned for each kind of rejection. 5xx codes are permanent
# failures, so a misconfigured check bounces mail instead of deferring it.
access_map_reject_code = 554
invalid_hostname_reject_code = 501
maps_rbl_reject_code = 550
multi_recipient_bounce_reject_code = 550
non_fqdn_reject_code = 504
plaintext_reject_code = 550
reject_code = 554
relay_domains_reject_code = 550
unknown_address_reject_code = 550
unknown_client_reject_code = 550
unknown_hostname_reject_code = 550
unknown_local_recipient_reject_code = 550
# Code used when reject_unlisted_recipient refuses a relay-class recipient that
# is missing from relay_recipient_maps.
unknown_relay_recipient_reject_code = 550
unknown_virtual_alias_reject_code = 550
unknown_virtual_mailbox_reject_code = 550
unverified_recipient_reject_code = 550
unverified_sender_reject_code = 550
#
# Tarpit those bots/clients/spammers who send errors or scan for accounts
# The server slows its replies once the soft error limit is passed and drops
# the connection at the hard error limit; junk commands (such as NOOP or RSET)
# beyond the junk limit count as errors.
smtpd_error_sleep_time = 10
smtpd_soft_error_limit = 1
smtpd_hard_error_limit = 3
smtpd_junk_command_limit = 2
#
# TLS Parameters
# tls_preempt_cipherlist enables server cipher-suite preferences
tls_preempt_cipherlist = yes
tls_eecdh_strong_curve = prime256v1
tls_eecdh_ultra_curve = secp384r1
# NOTE(review): this replaces Postfix's built-in definition of the "high" cipher
# grade with a fixed OpenSSL cipher string, which then has to be maintained by
# hand as OpenSSL changes.
tls_high_cipherlist = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!RC4:!DES:!SSLv2:!MD5:!SSLV3:!3DES:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
#
# TLS Inbound Settings
# Security Level none / may / encrypt
# "may" is opportunistic TLS: clients may still deliver in cleartext. The
# smtpd_tls_mandatory_* settings below only apply when TLS is enforced
# (security level encrypt); with "may" the non-mandatory settings are used.
smtpd_tls_security_level = may
smtpd_tls_loglevel = 1
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1
# NOTE(review): "EDH-RSA-DES-CDC3-SHA" and "KRB5-DE5, CBC3-SHA" look like typos of
# the names EDH-RSA-DES-CBC3-SHA and KRB5-DES-CBC3-SHA used in tls_high_cipherlist
# above; as written they would not match the intended cipher suites.
smtpd_tls_mandatory_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDC3-SHA, KRB5-DE5, CBC3-SHA
smtpd_tls_exclude_ciphers = EXPORT,aNULL ,DES, LOW, MD5, SEED, IDEA, RC2, RC4
smtpd_tls_received_header = yes
smtpd_tls_ciphers = high
smtpd_tls_eecdh_grade = ultra
smtpd_tls_auth_only=no
# Certificate and private key share one file (path anonymized by the author).
# That file contains the private key and should be readable by root only.
smtpd_tls_cert_file = /etc/postfix/zerti/KEY-NAME.pem
smtpd_tls_key_file = /etc/postfix/zerti/KEY-NAME.pem
# NOTE(review): smtpd_tls_dh2048_param_file does not appear to be a documented
# Postfix parameter (the documented name is smtpd_tls_dh1024_param_file, which may
# hold 2048-bit parameters) - verify; an unknown parameter is ignored.
# Both DH settings point at the certificate/key path; whether that file contains
# DH parameters cannot be seen from this listing.
smtpd_tls_dh2048_param_file = /etc/postfix/zerti/KEY-NAME.pem
# dh512 parameters are only relevant to export-grade ciphers, which the exclude
# lists above already rule out.
smtpd_tls_dh512_param_file = /etc/postfix/zerti/KEY-NAME.pem
smtpd_starttls_timeout = 60s
#
# TLS Send Settings
# Security Level none / may / encrypt / dane / dane-only / fingerprint / verify / secure
# "may" is opportunistic: outbound mail falls back to cleartext when the peer
# offers no STARTTLS, and the peer certificate is not verified. The
# smtp_tls_mandatory_* settings apply only at level encrypt or stronger.
smtp_tls_security_level = may
smtp_tls_loglevel = 1
# Unlike the inbound smtpd_tls_protocols setting, TLSv1 is not excluded here.
smtp_tls_protocols = !SSLv2, !SSLv3
smtp_tls_mandatory_ciphers = high
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
# NOTE(review): "EDH-RSA-DES-CDC3-SHA" and "KRB5-DE5, CBC3-SHA" look like typos of
# EDH-RSA-DES-CBC3-SHA and KRB5-DES-CBC3-SHA (as spelled in tls_high_cipherlist);
# as written they would not match the intended cipher suites.
smtp_tls_mandatory_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDC3-SHA, KRB5-DE5, CBC3-SHA
smtp_tls_exclude_ciphers = EXPORT,aNULL, DES, LOW, MD5, aDSS, kECDHe, kECDHr, kDHd, kDHr, SEED, IDEA, RC2, RC4
smtp_tls_note_starttls_offer = yes
# Peer-name matching is only performed at security level verify; it has no
# effect while smtp_tls_security_level is "may".
smtp_tls_verify_cert_match = hostname, nexthop, dot-nexthop
smtp_starttls_timeout = 60s
# The SMTP client presents the same certificate/key file as the server side.
# NOTE(review): a client certificate is only needed if a remote server demands
# one - confirm that this is intended.
smtp_tls_cert_file = /etc/postfix/zerti/KEY-NAME.pem
smtp_tls_key_file = /etc/postfix/zerti/KEY-NAME.pem
#
# LMTP Settings
lmtp_tls_protocols = !SSLv2, !SSLv3
lmtp_tls_mandatory_protocols = !SSLv2, !SSLv3
#
# Transport Restrictions
# Client checks. permit_mynetworks comes first, so clients in mynetworks skip
# every later entry in this list (but not the other restriction lists).
smtpd_client_restrictions =
permit_mynetworks,
reject_invalid_hostname,
check_client_access hash:/etc/postfix/smtpd_access,
check_client_access hash:/etc/postfix/sld_access,
check_client_access hash:/etc/postfix/tld_access,
check_client_access hash:/etc/postfix/tld_new_access,
# NOTE(review): a bare type:table entry is the legacy shorthand for
# check_client_access type:table; the explicit form is clearer - verify that the
# installed Postfix version still accepts the shorthand.
regexp:/etc/postfix/ptr.cf,
reject_unknown_client_hostname,
#reject_unknown_reverse_client_hostname,
reject_rbl_client zen.spamhaus.org,
reject_rbl_client ix.dnsbl.manitu.net,
reject_rbl_client dnsbl.inps.de,
reject_multi_recipient_bounce,
# The one-second pause gives clients that send commands ahead of time a chance
# to be caught by reject_unauth_pipelining on the next line.
sleep 1,
reject_unauth_pipelining,
permit
#
# HELO checks. The reject_* entries above permit_mynetworks also apply to
# clients in mynetworks.
smtpd_helo_restrictions =
reject_unauth_pipelining,
check_helo_access hash:/etc/postfix/helo_access,
reject_unknown_helo_hostname,
reject_invalid_helo_hostname,
reject_non_fqdn_helo_hostname,
permit_mynetworks,
check_helo_access hash:/etc/postfix/sld_access,
check_helo_access hash:/etc/postfix/tld_access,
# Bare type:table entry, see the note on regexp:/etc/postfix/ptr.cf above; in
# this list it acts as a check_helo_access lookup.
regexp:/etc/postfix/helo.cf,
permit
#
# Sender checks. The two reject_* entries above permit_mynetworks also apply to
# clients in mynetworks.
smtpd_sender_restrictions =
reject_non_fqdn_sender,
reject_unknown_sender_domain,
permit_mynetworks,
check_sender_access hash:/etc/postfix/sender_access,
check_sender_access hash:/etc/postfix/sld_access,
check_sender_access hash:/etc/postfix/tld_access,
#check_sender_access hash:/etc/postfix/tld_new_access,
# activate sender address verification (care, blocks autoresponder and other addresses)
# add the needed addresses to the whitelist (sender_access)
#reject_unverified_sender,
permit
#
# Recipient checks, evaluated for every RCPT TO.
# NOTE(review): this list contains no reject_unauth_destination and ends in an
# unconditional permit. smtpd_relay_restrictions is not shown in this listing, so
# relay protection presumably rests on its default value - confirm with
# "postconf smtpd_relay_restrictions".
smtpd_recipient_restrictions =
# reject_invalid_hostname and reject_non_fqdn_hostname are the older names of
# reject_invalid_helo_hostname and reject_non_fqdn_helo_hostname.
reject_invalid_hostname,
reject_non_fqdn_hostname,
reject_non_fqdn_recipient,
reject_unknown_recipient_domain,
# Rejects a recipient that is missing from the recipient table of its address
# class. For a domain listed in mydestination that table is
# local_recipient_maps (empty in this configuration, which disables the check);
# relay_recipient_maps is used only for domains that are relay-class.
reject_unlisted_recipient,
check_recipient_access hash:/etc/postfix/recipient_access,
permit_mynetworks,
permit
#
# Checks applied at the DATA command.
smtpd_data_restrictions =
reject_unauth_pipelining,
reject_multi_recipient_bounce,
permit