postfix recipient_access list

t.berthel at gmx.net t.berthel at gmx.net
Mi Aug 16 12:49:13 CEST 2017


Hallo, 

nochmals danke für eure Tipps, jedoch funktioniert es irgendwie nicht so, wie ich es will. Folgendes habe ich geändert:

# Content checks lists and Transport Lists
alias_maps           = hash:/etc/postfix/aliases
alias_database       = hash:/etc/postfix/aliases
virtual_alias_maps   = hash:/etc/postfix/virtual
transport_maps       = hash:/etc/postfix/transport
# relay_recipient_maps lists the valid recipients for domains in relay_domains.
# It is consulted only for addresses whose domain resolves to the relay class,
# i.e. a domain that is not also matched by mydestination.
relay_recipient_maps = hash:/etc/postfix/relay_recipients < - Hier die neue Regel hinterlegt
body_checks          = pcre:/etc/postfix/body_checks.pcre
header_checks        = pcre:/etc/postfix/header_checks.pcre
mime_header_checks   = pcre:/etc/postfix/mime_header_checks.pcre
....
....
# Recipient-stage checks, evaluated top to bottom; the first match decides.
# reject_unlisted_recipient rejects an address that is missing from the recipient
# table of its own address class (local_recipient_maps for mydestination domains,
# relay_recipient_maps for relay_domains). An empty table for the class that
# actually matches disables the check for that domain.
# NOTE(review): this list has no reject_unauth_destination; relay protection then
# depends on smtpd_relay_restrictions, which is not shown here. Confirm it is set.
smtpd_recipient_restrictions =
    reject_invalid_hostname,
    reject_non_fqdn_hostname,
    reject_non_fqdn_recipient,
    reject_unknown_recipient_domain,
    reject_unlisted_recipient, < - Hier die neue Regel hinterlegt
    permit_mynetworks,
    permit

In der Liste relay_recipients habe ich ein paar Empfänger hinzugefügt und eine Adresse weggelassen; diese wurde jedoch auch nach einem "postmap relay_recipients" und "postfix reload" weiterhin durchgelassen.
Verstehe ich jetzt so nicht ganz.

Hier mal meine postconf (interne Inhalte wurden abgeändert):

  # Installation layout: queue, daemons, helper commands and documentation paths.
  queue_directory = /var/spool/postfix
  command_directory = /usr/sbin
  daemon_directory = /usr/lib/postfix
  manpage_directory = /usr/share/man
  sample_directory = /etc/postfix
  html_directory = no
  readme_directory = no
  sendmail_path = /usr/sbin/sendmail
  newaliases_path = /usr/bin/newaliases
  mailq_path = /usr/bin/mailq
  # mail_owner owns the queue and runs most Postfix daemons; setgid_group is used
  # for mail submission and queue management commands.
  mail_owner = postfix
  setgid_group = postdrop
  # Accept connections on every local interface.
  inet_interfaces = all
  #
  # Edit own Maildomain and Mailhost
  # mynetworks_style has no effect while mynetworks is set explicitly below.
  mynetworks_style    = host
  # Clients matching mynetworks pass every permit_mynetworks entry in the
  # restriction lists, so this list is the trust boundary for relaying.
  mynetworks          = 127.0.0.0/8, 192.YYY.YYY.YYY/32
  myhostname          = MY-HOST.DOMAIN.DE
  # NOTE(review): as posted (values are anonymised) MY.DOMAIN.DE appears here and
  # also in mydestination. Postfix resolves the local class first, so a domain in
  # both lists is treated as local and relay_recipient_maps is not consulted for
  # it. Check the mail log for the trivial-rewrite warning about a domain listed
  # in both mydestination and relay_domains.
  relay_domains       = MY.DOMAIN.DE
  mydomain            = MY.DOMAIN.DE
  myorigin            = $mydomain
  #
  # Content checks lists and Transport Lists
  # hash: tables are compiled lookup files; the .db must be rebuilt (postmap, or
  # newaliases for the alias database) after every edit of the text source.
  alias_maps           = hash:/etc/postfix/aliases
  alias_database       = hash:/etc/postfix/aliases
  virtual_alias_maps   = hash:/etc/postfix/virtual
  transport_maps       = hash:/etc/postfix/transport
  # Valid recipients for relay_domains. reject_unlisted_recipient uses this table
  # only for addresses that resolve to the relay class (not to mydestination).
  relay_recipient_maps = hash:/etc/postfix/relay_recipients
  # PCRE pattern tables applied to message body, headers and MIME headers.
  body_checks          = pcre:/etc/postfix/body_checks.pcre
  header_checks        = pcre:/etc/postfix/header_checks.pcre
  mime_header_checks   = pcre:/etc/postfix/mime_header_checks.pcre
  #smtpd_command_filter = pcre:/etc/postfix/command_filter
  bounce_template_file = /etc/postfix/bounce.cf
  # Per-client-address table of EHLO keywords that the server will not announce.
  smtpd_discard_ehlo_keyword_address_maps = cidr:/etc/postfix/esmtp_access
  # TLS session caches for the SMTP server and the SMTP client.
  smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
  smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
  #
  #SASL config
  # Server-side SASL authentication is switched off, so the smtpd_sasl_* settings
  # below are inactive until this is changed to yes.
  smtpd_sasl_auth_enable = no
  #Auth type cyrus or dovecot
  smtpd_sasl_type = cyrus
  # Without TLS: no anonymous and no plaintext mechanisms.
  smtpd_sasl_security_options = noanonymous ,noplaintext
  # Inside a TLS session: plaintext mechanisms are allowed, anonymous is not.
  smtpd_sasl_tls_security_options = noanonymous
  smtpd_sasl_local_domain = $mydomain
  smtpd_sasl_path = smtpd
  #
  #smtpd_sasl_path = /var/run/saslauthd/mux
  broken_sasl_auth_clients = no
  # Credentials for authenticating to remote servers. The source file and its .db
  # hold passwords in clear text and should be readable by root only.
  # NOTE(review): smtp_sasl_auth_enable is not part of this paste; confirm whether
  # client-side SASL is actually enabled.
  smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
  #
  # DNS support level: disabled / enabled / dnssec
  # dnssec asks the resolver for DNSSEC-validated answers; the result is only as
  # trustworthy as the resolver and the path to it.
  # NOTE(review): presumably a local validating resolver is used; confirm.
  smtp_dns_support_level= dnssec
  # 
  # Max Mailsize 200MB
  message_size_limit = 209715200
  #
  # Postfix Common Settings
  # Domains listed here belong to the local address class. For them,
  # reject_unlisted_recipient looks at local_recipient_maps, not at
  # relay_recipient_maps.
  mydestination = MY.EXCHANGE.LOCAL, MY.DOMAIN.DE
  # Empty value: Postfix does not reject unknown recipients in mydestination
  # domains. Together with the mydestination line above, this is the likely reason
  # an address missing from relay_recipients is still accepted.
  local_recipient_maps =
  # Local delivery is refused with this error text unless transport_maps routes
  # the address elsewhere.
  local_transport = error:local mail delivery is disabled
  mailbox_size_limit = 0
  append_dot_mydomain = no
  strict_rfc821_envelopes = yes
  recipient_delimiter = +
  smtpd_helo_required = yes
  # With delay_reject the client, HELO and sender restrictions are evaluated at
  # RCPT TO, so rejections are logged together with sender and recipient.
  smtpd_delay_reject = yes
  # Client-side SMTP timeouts for the individual protocol stages.
  smtp_mail_timeout = 60s
  smtp_helo_timeout = 10s
  smtp_rcpt_timeout = 60s
  smtp_rset_timeout = 10s
  smtp_data_xfer_timeout = 60s
  smtp_data_done_timeout = 300s
  smtp_quit_timeout = 60s
  soft_bounce = no
  biff = no
  # The banner shows host name and mail software name, without a version string.
  smtpd_banner = $myhostname ESMTP $mail_name
  default_rbl_reply = $rbl_code RBLTRAP: $client blocked using $rbl_domain Reason: $rbl_reason 
  unverified_recipient_reject_reason = Recipient address lookup failed
  inet_protocols = ipv4
  # Undeliverable bounces are dropped after 2h and other mail is returned after
  # 4h; a delay notice is sent after 1h.
  bounce_queue_lifetime = 2h
  maximal_queue_lifetime = 4h
  delay_warning_time = 1h
  compatibility_level = 2
  smtputf8_enable = yes
  #
  # Amavisd connector
  # content_filter = amavislt:[127.0.0.1]:10024
  # smtpd-proxy-filter in master.cf is set!
  # Queued mail is handed to the "amavislt" transport on the loopback address; the
  # transport itself must be defined in master.cf (not part of this paste).
  # NOTE(review): the comment above says a proxy filter is configured in master.cf
  # while content_filter is active here as well; confirm mail is not scanned twice.
  content_filter = amavislt:[127.0.0.1]:10024
  #
  # Reject codes
  # SMTP reply codes sent for each class of rejection. 5xx tells the sending
  # server to give up, 4xx to retry later; a permanent code for DNS-based checks
  # (unknown_address, unknown_client, unknown_hostname) turns a false positive
  # into a bounce instead of a delay.
  access_map_reject_code = 554
  invalid_hostname_reject_code = 501
  maps_rbl_reject_code = 550
  multi_recipient_bounce_reject_code = 550
  non_fqdn_reject_code = 504
  plaintext_reject_code = 550
  reject_code = 554
  relay_domains_reject_code = 550
  unknown_address_reject_code = 550
  unknown_client_reject_code = 550
  unknown_hostname_reject_code = 550
  unknown_local_recipient_reject_code = 550
  # Code returned when reject_unlisted_recipient rejects a relay-class address.
  unknown_relay_recipient_reject_code = 550
  unknown_virtual_alias_reject_code = 550
  unknown_virtual_mailbox_reject_code = 550
  unverified_recipient_reject_code = 550
  unverified_sender_reject_code = 550
  #
  # Tarpit those bots/clients/spammers who send errors or scan for accounts
  # After smtpd_soft_error_limit errors each further reply is delayed by
  # smtpd_error_sleep_time seconds; at smtpd_hard_error_limit the session is dropped.
  smtpd_error_sleep_time = 10
  smtpd_soft_error_limit = 1
  smtpd_hard_error_limit = 3
  # Number of junk commands (NOOP, VRFY, ETRN, RSET) tolerated before they count
  # as errors.
  smtpd_junk_command_limit = 2
  #
  # TLS Parameters
  # tls_preempt_cipherlist enables server cipher-suite preferences
  tls_preempt_cipherlist = yes
  tls_eecdh_strong_curve = prime256v1
  tls_eecdh_ultra_curve  = secp384r1
  # Replaces the built-in definition of the "high" cipher grade with a fixed
  # OpenSSL cipher string. A hand-maintained list does not follow later changes
  # to the library defaults and has to be reviewed whenever OpenSSL is updated.
  tls_high_cipherlist    = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!RC4:!DES:!SSLv2:!MD5:!SSLV3:!3DES:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
  #
  # TLS Inbound Settings
  # Security Level none / may / encrypt
  # may = opportunistic STARTTLS: clients may still deliver in clear text. At this
  # level the smtpd_tls_mandatory_* settings are not applied; smtpd_tls_protocols,
  # smtpd_tls_ciphers and smtpd_tls_exclude_ciphers are the ones in effect.
  smtpd_tls_security_level = may
  smtpd_tls_loglevel = 1
  smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1
  smtpd_tls_mandatory_ciphers = high
  smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1
  # NOTE(review): "EDH-RSA-DES-CDC3-SHA", "KRB5-DE5" and the separate "CBC3-SHA"
  # do not match the spellings used in tls_high_cipherlist above
  # (EDH-RSA-DES-CBC3-SHA, KRB5-DES-CBC3-SHA); these look like typos, so the
  # intended exclusions are probably not in effect through this line.
  smtpd_tls_mandatory_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDC3-SHA, KRB5-DE5, CBC3-SHA
  smtpd_tls_exclude_ciphers = EXPORT,aNULL ,DES, LOW, MD5, SEED, IDEA, RC2, RC4
  smtpd_tls_received_header = yes
  smtpd_tls_ciphers = high
  smtpd_tls_eecdh_grade = ultra
  # Only relevant once SASL is enabled; "no" would then allow AUTH without TLS.
  smtpd_tls_auth_only=no
  # Certificate and private key are read from the same PEM file, so that file
  # must be readable by root only.
  smtpd_tls_cert_file = /etc/postfix/zerti/KEY-NAME.pem
  smtpd_tls_key_file = /etc/postfix/zerti/KEY-NAME.pem
  # NOTE(review): both DH parameter settings point at the same (anonymised) file
  # as the key; confirm the real file contains DH parameters. The 512-bit
  # parameters serve only export-grade ciphers, which smtpd_tls_exclude_ciphers
  # above already removes, so that setting can be dropped.
  smtpd_tls_dh2048_param_file = /etc/postfix/zerti/KEY-NAME.pem
  smtpd_tls_dh512_param_file = /etc/postfix/zerti/KEY-NAME.pem
  smtpd_starttls_timeout = 60s
  #
  # TLS Send Settings
  # Security Level none / may / encrypt / dane / dane-only / fingerprint / verify / secure
  # may = opportunistic TLS for outbound mail: the peer certificate is not
  # verified and delivery falls back to clear text, so this level does not
  # protect against an active attacker on the path.
  smtp_tls_security_level = may
  smtp_tls_loglevel = 1
  # NOTE(review): unlike smtpd_tls_protocols, TLSv1 is not excluded on the
  # client side; confirm the difference is intended.
  smtp_tls_protocols = !SSLv2, !SSLv3
  smtp_tls_mandatory_ciphers  = high
  smtp_tls_mandatory_protocols =  !SSLv2, !SSLv3
  # NOTE(review): "EDH-RSA-DES-CDC3-SHA", "KRB5-DE5" and the separate "CBC3-SHA"
  # look like typos of EDH-RSA-DES-CBC3-SHA and KRB5-DES-CBC3-SHA.
  smtp_tls_mandatory_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDC3-SHA, KRB5-DE5, CBC3-SHA
  smtp_tls_exclude_ciphers = EXPORT,aNULL, DES, LOW, MD5, aDSS, kECDHe, kECDHr, kDHd, kDHr, SEED, IDEA, RC2, RC4
  smtp_tls_note_starttls_offer = yes
  # Name matching applies at security level "verify"; it has no effect at "may".
  smtp_tls_verify_cert_match = hostname, nexthop, dot-nexthop
  smtp_starttls_timeout = 60s
  # Client certificate and key, offered to any remote server that asks for one.
  # The Postfix documentation advises configuring these only when a peer requires
  # client certificates. The key file must be readable by root only.
  smtp_tls_cert_file = /etc/postfix/zerti/KEY-NAME.pem
  smtp_tls_key_file = /etc/postfix/zerti/KEY-NAME.pem
  #
  # LMTP Settings
  lmtp_tls_protocols = !SSLv2, !SSLv3
  lmtp_tls_mandatory_protocols = !SSLv2, !SSLv3
  #
  # Transport Restrictions
  # Client-stage checks, evaluated in order; the first match decides. Because
  # smtpd_delay_reject = yes, they are applied at RCPT TO.
  smtpd_client_restrictions = 
   # Clients in mynetworks skip every check further down in this list.
   permit_mynetworks,
   reject_invalid_hostname,
   check_client_access hash:/etc/postfix/smtpd_access,
   check_client_access hash:/etc/postfix/sld_access,
   check_client_access hash:/etc/postfix/tld_access,
   check_client_access hash:/etc/postfix/tld_new_access,
   # Bare type:table entry without a check_*_access keyword.
   # NOTE(review): presumably evaluated as check_client_access in this list;
   # confirm, and prefer the explicit form.
   regexp:/etc/postfix/ptr.cf,
   # Rejects clients whose address has no matching reverse and forward DNS name.
   reject_unknown_client_hostname,
   #reject_unknown_reverse_client_hostname,
   # DNS blocklist lookups; each adds a DNS query per connecting client.
   reject_rbl_client zen.spamhaus.org,
   reject_rbl_client ix.dnsbl.manitu.net,
   reject_rbl_client dnsbl.inps.de,
   reject_multi_recipient_bounce,
   # Short pause, then reject clients that sent commands ahead of time.
   sleep 1,
   reject_unauth_pipelining, 
   permit
  #
  # HELO-stage checks. The hostname checks are listed ahead of permit_mynetworks,
  # so they also apply to clients in mynetworks.
  smtpd_helo_restrictions =
   reject_unauth_pipelining,
   check_helo_access hash:/etc/postfix/helo_access,
   reject_unknown_helo_hostname,
   reject_invalid_helo_hostname,
   reject_non_fqdn_helo_hostname,
   permit_mynetworks,
   check_helo_access hash:/etc/postfix/sld_access,
   check_helo_access hash:/etc/postfix/tld_access,
   # Bare type:table entry without a check_*_access keyword.
   # NOTE(review): presumably evaluated as check_helo_access here; confirm.
   regexp:/etc/postfix/helo.cf,
   permit
  #
  # Sender-stage checks. The two DNS/syntax checks precede permit_mynetworks and
  # therefore apply to internal senders as well.
  smtpd_sender_restrictions =
   reject_non_fqdn_sender,
   reject_unknown_sender_domain,
   permit_mynetworks,
   check_sender_access hash:/etc/postfix/sender_access,
   check_sender_access hash:/etc/postfix/sld_access,
   check_sender_access hash:/etc/postfix/tld_access,
   #check_sender_access hash:/etc/postfix/tld_new_access,
   # activate sender address verification (care, blocks autoresponder and other addresses)
   # add the needed addresses to the whitelist (sender_access)
   #reject_unverified_sender,
   permit
  #
  # Recipient-stage checks, evaluated in order; the first match decides.
  # NOTE(review): there is no reject_unauth_destination in this list. Relay
  # protection then depends on smtpd_relay_restrictions, which is not part of
  # this paste. Confirm it is set, since the list ends in an unconditional permit.
  smtpd_recipient_restrictions =
   # Older names of the HELO hostname checks already present in
   # smtpd_helo_restrictions.
   reject_invalid_hostname,
   reject_non_fqdn_hostname,
   reject_non_fqdn_recipient,
   reject_unknown_recipient_domain,
   # Rejects a recipient that is missing from the recipient table of its own
   # address class: local_recipient_maps for mydestination domains,
   # relay_recipient_maps for relay_domains. With MY.DOMAIN.DE in mydestination
   # and local_recipient_maps empty, nothing is rejected for that domain.
   reject_unlisted_recipient,
   check_recipient_access hash:/etc/postfix/recipient_access,
   permit_mynetworks,
   permit
  #
  # DATA-stage checks: pipelining abuse and multi-recipient bounces.
  smtpd_data_restrictions = 
   reject_unauth_pipelining,
   reject_multi_recipient_bounce,
   permit


