Adding restrictions

Sebastian Gödecke simpsonetti at googlemail.com
Thu Sep 26 11:31:09 CEST 2019


Hello list,
I would like to harden our Postfix further. We run it for a school.
What has happened recently is mails being sent that could probably be
classified as spam. Unauthorised sending should not be permitted either.
I assume this is done with the restrictions in main.cf.
What other options can I set so that mail can only be sent by authorised
persons, i.e. no bulk sending by just anyone?
I am also considering allowing the port used for sending (by colleagues
with their mobile devices, currently 587) only on a high port. From
outside that would be done via a port forward; from inside I have to
change something in master.cf. Where do I need to change something?
Thanks for any tips.

Here are my configs:

postconf -n
alias_maps = hash:/etc/aliases, hash:/etc/aliases.d/oss-groups,
mysql:/etc/postfix/mysql-aliases.cf
biff = no
canonical_maps = hash:/etc/postfix/canonical
command_directory = /usr/sbin
compatibility_level = 2
content_filter = amavis:[127.0.0.1]:10024
daemon_directory = /usr/lib/postfix/bin/
data_directory = /var/lib/postfix
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
defer_transports =
delay_warning_time = 6h
disable_dns_lookups = no
disable_mime_output_conversion = no
disable_vrfy_command = yes
html_directory = /usr/share/doc/packages/postfix-doc/html
inet_interfaces = all
inet_protocols = all
mail_owner = postfix
mail_spool_directory = /var/mail
mailbox_command =
mailbox_size_limit = 0
mailbox_transport = cyrus
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
masquerade_classes = envelope_sender, header_sender, header_recipient
masquerade_domains =
masquerade_exceptions = root
message_size_limit = 50000000
message_strip_characters = \0
mydestination = $myhostname, localhost.$mydomain, $mydomain, localhost
myhostname = hostname-intern
mynetworks_style = subnet
newaliases_path = /usr/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/packages/postfix-doc/README_FILES
relay_clientcerts =
relay_domains = $mydestination, hash:/etc/postfix/relay
relayhost = [externer-mailserver]
relocated_maps = hash:/etc/postfix/relocated
sample_directory = /usr/share/doc/packages/postfix-doc/samples
sender_canonical_maps = hash:/etc/postfix/sender_canonical
sendmail_path = /usr/sbin/sendmail
setgid_group = maildrop
smtp_enforce_tls = no
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options =
smtp_tls_CApath =
smtp_tls_cert_file =
smtp_tls_key_file =
smtp_tls_loglevel = 1
smtp_tls_security_level = may
smtp_tls_session_cache_database =
smtp_tls_session_cache_timeout = 3600s
smtp_use_tls = yes
smtpd_banner = $myhostname ESMTP
smtpd_client_connection_count_limit = 20
smtpd_client_connection_rate_limit = 20
smtpd_client_message_rate_limit = 20
smtpd_client_restrictions =
smtpd_delay_reject = yes
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_sasl_authenticated,
permit_mynetworks, reject_rbl_client multi.uribl.com,reject_rbl_client
dsn.rfc-ignorant.org,reject_rbl_client
dul.dnsbl.sorbs.net,reject_rbl_client list.dsbl.org,reject_rbl_client
sbl-xbl.spamhaus.org,reject_rbl_client
bl.spamcop.net,reject_rbl_client dnsbl.sorbs.net,reject_rbl_client
cbl.abuseat.org,reject_rbl_client
ix.dnsbl.manitu.net,reject_rbl_client
combined.rbl.msrbl.net,reject_rbl_client rabl.nuclearelephant.com,
reject_non_fqdn_sender, reject
smtpd_recipient_limit = 50
smtpd_recipient_overshoot_limit = 50
smtpd_recipient_restrictions = permit_sasl_authenticated,
permit_mynetworks, reject_rbl_client multi.uribl.com,reject_rbl_client
dsn.rfc-ignorant.org,reject_rbl_client
dul.dnsbl.sorbs.net,reject_rbl_client list.dsbl.org,reject_rbl_client
sbl-xbl.spamhaus.org,reject_rbl_client
bl.spamcop.net,reject_rbl_client dnsbl.sorbs.net,reject_rbl_client
cbl.abuseat.org,reject_rbl_client
ix.dnsbl.manitu.net,reject_rbl_client
combined.rbl.msrbl.net,reject_rbl_client rabl.nuclearelephant.com,
reject
smtpd_relay_restrictions = permit_mynetworks,
permit_sasl_authenticated, reject_unauth_destination,
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = smtpd
smtpd_sender_restrictions = permit_mynetworks,
permit_sasl_authenticated, permit_mynetworks, reject_rbl_client
multi.uribl.com,reject_rbl_client
dsn.rfc-ignorant.org,reject_rbl_client
dul.dnsbl.sorbs.net,reject_rbl_client list.dsbl.org,reject_rbl_client
sbl-xbl.spamhaus.org,reject_rbl_client
bl.spamcop.net,reject_rbl_client dnsbl.sorbs.net,reject_rbl_client
cbl.abuseat.org,reject_rbl_client
ix.dnsbl.manitu.net,reject_rbl_client
combined.rbl.msrbl.net,reject_rbl_client rabl.nuclearelephant.com,
reject
smtpd_tls_CApath = /etc/ssl/certs/
smtpd_tls_ask_ccert = no
smtpd_tls_cert_file = /etc/ssl/servercerts/__public_key.crt
smtpd_tls_key_file = /etc/ssl/servercerts/private.key
smtpd_tls_received_header = no
smtpd_use_tls = yes
strict_8bitmime = no
strict_rfc821_envelopes = no
transport_maps = hash:/etc/postfix/transport
unknown_local_recipient_reject_code = 550
virtual_alias_domains = hash:/etc/postfix/virtual
virtual_alias_maps = hash:/etc/postfix/virtual

master.cf

# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (no)    (never) (100)
# ==========================================================================
smtp      inet  n       -       n       -       -       smtpd -v
amavis    unix  -       -       n       -       4       smtp
  -o smtp_data_done_timeout=1200
  -o smtp_send_xforward_command=yes
  -o disable_dns_lookups=yes
  -o max_use=20
  -o smtp_sasl_auth_enable=no
  -o smtp_use_tls=no
  -o smtp_tls_security_level=
  -o smtp_sasl_security_options=
  -o smtp_tls_wrappermode=no
#smtp      inet  n       -       n       -       1       postscreen
#smtpd     pass  -       -       n       -       -       smtpd
#dnsblog   unix  -       -       n       -       0       dnsblog
#tlsproxy  unix  -       -       n       -       0       tlsproxy
submission inet n       -       n       -       10       smtpd
#  -o syslog_name=postfix/submission
#  -o smtpd_tls_security_level=encrypt
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_tls_auth_only=yes
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_reject_unlisted_recipient=no
  -o smtpd_recipient_restrictions=
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#smtps     inet  n       -       n       -       10       smtpd
#  -o syslog_name=postfix/smtps
#  -o smtpd_tls_wrappermode=yes
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
  -o smtpd_recipient_restrictions=
#  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#628       inet  n       -       n       -       -       qmqpd
pickup    fifo  n       -       n       60      1       pickup
cleanup   unix  n       -       n       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
#qmgr     fifo  n       -       n       300     1       oqmgr
tlsmgr    unix  -       -       n       1000?   1       tlsmgr
rewrite   unix  -       -       n       -       -       trivial-rewrite
bounce    unix  -       -       n       -       0       bounce
defer     unix  -       -       n       -       0       bounce
trace     unix  -       -       n       -       0       bounce
verify    unix  -       -       n       -       1       verify
flush     unix  n       -       n       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       n       -       -       smtp
relay     unix  -       -       n       -       -       smtp
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       n       -       -       showq
error     unix  -       -       n       -       -       error
retry     unix  -       -       n       -       -       error
discard   unix  -       -       n       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       n       -       -       lmtp
anvil     unix  -       -       n       -       1       anvil
scache    unix  -       -       n       -       1       scache
localhost:10025 inet   n       -       n       -       -       smtpd
  -o content_filter=
  -o smtpd_delay_reject=no
  -o smtpd_client_restrictions=permit_mynetworks,reject
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o smtpd_data_restrictions=reject_unauth_pipelining
  -o smtpd_end_of_data_restrictions=
  -o smtpd_restriction_classes=
  -o mynetworks=127.0.0.0/8
  -o smtpd_error_sleep_time=0
  -o smtpd_soft_error_limit=1001
  -o smtpd_hard_error_limit=1000
  -o smtpd_client_connection_count_limit=0
  -o smtpd_client_connection_rate_limit=0
  -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks,no_address_mappings
  -o local_header_rewrite_clients=
  -o local_recipient_maps=
  -o relay_recipient_maps=



-- 
Best regards
Sebastian Gödecke
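As an added example (not part of the original post and not taken from any reply in the thread), the fragments below express the two requests from the message above in Postfix's own main.cf and master.cf syntax: a port-25 smtpd that accepts inbound mail only and never offers AUTH, a submission service on a high port that requires TLS before AUTH and accepts mail only from authenticated logins, and a sender-login map so an authenticated account cannot send with someone else's address. The port number 2587, the map name /etc/postfix/sender_login, the addresses in it and the mynetworks value are assumptions to be adjusted to the site; everything not shown stays as in the posted configuration. The commented-out submission options in the posted master.cf are the same ones the stock Postfix master.cf ships, so this mostly uncomments them and removes what works against them.

```conf
# ---- main.cf (hardened fragments) -------------------------------------------

# With inet_interfaces = all and mynetworks_style = subnet every host on the
# server's own LAN segment may relay without authenticating. Trust only
# loopback (assumed value); relaying hosts then have to authenticate.
mynetworks = 127.0.0.0/8, [::1]/128

# AUTH belongs on the submission port only. Disabled here so the port-25
# smtpd never advertises AUTH (the submission entry below re-enables it),
# and never on a cleartext session anywhere.
smtpd_sasl_auth_enable = no
smtpd_tls_auth_only = yes

# Port 25: mail for our own and our relay domains only. permit_sasl_authenticated
# is pointless here once AUTH is off on this port.
smtpd_relay_restrictions =
    permit_mynetworks,
    reject_unauth_destination

# Some DNSBLs in the posted list no longer operate (list.dsbl.org and
# dsn.rfc-ignorant.org were shut down years ago). A dead zone silently stops
# blocking, and a zone whose domain later wildcards rejects everything,
# so keep the list short and maintained.
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_non_fqdn_recipient,
    reject_unknown_recipient_domain,
    reject_rbl_client zen.spamhaus.org,
    reject_rbl_client bl.spamcop.net,
    permit

# Which SASL login owns which MAIL FROM address (assumed map, see below).
smtpd_sender_login_maps = hash:/etc/postfix/sender_login

# Restriction lists used only by the submission service via $mua_*.
# smtpd_delay_reject = yes (as posted) defers client/helo checks to RCPT TO,
# so AUTH has already happened when permit_sasl_authenticated is evaluated.
mua_client_restrictions = permit_sasl_authenticated, reject
mua_helo_restrictions = permit_sasl_authenticated, reject
mua_sender_restrictions =
    reject_non_fqdn_sender,
    reject_sender_login_mismatch,
    permit_sasl_authenticated,
    reject

# ---- /etc/postfix/sender_login (assumed content) -----------------------------
# key = envelope sender address, value = SASL login name(s) allowed to use it.
# Run "postmap hash:/etc/postfix/sender_login" after editing.
#
# teacher1@school.example    teacher1
# office@school.example      teacher1, secretary

# ---- master.cf (hardened fragments) -----------------------------------------

# Port 25 without "-v": verbose debug logging in production floods the log.
smtp      inet  n       -       n       -       -       smtpd
  -o syslog_name=postfix/smtp-in

# Submission on a high port. The first column of an inet entry is
# "[host:]port", so a port number replaces the service name "submission"
# (which /etc/services maps to 587). 2587 is an assumed value; point the
# external port forward at it, internal clients connect to it directly.
2587      inet  n       -       n       -       10      smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_auth_only=yes
  -o smtpd_client_restrictions=$mua_client_restrictions
  -o smtpd_helo_restrictions=$mua_helo_restrictions
  -o smtpd_sender_restrictions=$mua_sender_restrictions
  -o smtpd_recipient_restrictions=
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
```

Two practical notes. First, moving the port only hides the service from casual scanners; the actual control against unauthorised and bulk sending is `smtpd_tls_security_level=encrypt` plus `permit_sasl_authenticated,reject` on the submission entry, AUTH disabled on port 25, and `reject_sender_login_mismatch` so a compromised account can only send as itself. Second, since the posted config already reads aliases from MySQL, the sender_login map can be a `mysql:` table over the same account data instead of the hash file shown here; the key/value semantics are the same. After editing, `postconf -n` and `postconf -Mf` show the effective main.cf and master.cf settings, and `postfix check` reports syntax errors before a reload.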


More information about the Postfixbuch-users mailing list