aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorAaron LI <aly@aaronly.me>2018-03-07 12:04:38 +0800
committerAaron LI <aly@aaronly.me>2018-03-14 11:35:08 +0800
commit6a7dba0f8d6790a0ad51656cc1a6d5f992c8d79b (patch)
treeb2b3a876f921794204f55720391f0a1638ef4301
parent74f8113d8f492c212077cfecb1de11bdde240742 (diff)
downloadansible-dfly-vps-6a7dba0f8d6790a0ad51656cc1a6d5f992c8d79b.tar.bz2
mail/postfix: merge $smtpd_sender_restrictions into $smtpd_recipient_restrictions
-rw-r--r--roles/mail/templates/postfix/main.cf.j265
1 files changed, 25 insertions, 40 deletions
diff --git a/roles/mail/templates/postfix/main.cf.j2 b/roles/mail/templates/postfix/main.cf.j2
index ea0f9ec..bde0fba 100644
--- a/roles/mail/templates/postfix/main.cf.j2
+++ b/roles/mail/templates/postfix/main.cf.j2
@@ -19,7 +19,7 @@
#
#
# Aaron LI
-# 2017-04-15
+# Created: 2017-04-15
#
{% set mydomain = mail.domains[0] %}
@@ -428,30 +428,7 @@ smtpd_relay_restrictions =
permit_sasl_authenticated,
reject_unauth_destination
-# WARNING: Recipient address verficiation may cause an increased load
-# on down-stream servers in the case of a dictionary attack
-# or a flood of backscatter bounces.
-#
-smtpd_recipient_restrictions =
- reject_unknown_reverse_client_hostname,
- warn_if_reject reject_unknown_client_hostname,
- reject_non_fqdn_recipient,
- reject_unknown_sender_domain,
- reject_unknown_recipient_domain,
- permit_mynetworks,
- permit_sasl_authenticated,
- reject_invalid_hostname,
- reject_non_fqdn_sender
-
-# Block clients that speak too early.
-# Reject the request when the client sends SMTP commands ahead of
-# time where it is not allowed, or when the client sends SMTP commands
-# ahead of time without knowing that Postfix actually supports ESMTP
-# command pipelining.
-#
-smtpd_data_restrictions = reject_unauth_pipelining
-
-# Envelope sender address control
+# Recipient and sender addresses control
#
# * reject_unknown_sender_domain:
# Reject the request when Postfix is not the final destination
@@ -469,11 +446,30 @@ smtpd_data_restrictions = reject_unauth_pipelining
# owner for the "MAIL FROM" address, but the client is not (SASL)
# logged in as that address' owner (i.e., unauthenticated).
#
-# WARNING: Sender address verficiation may cause your server to be
-# blacklisted by some providers, due to the possibly frequent
-# address probe (try to connect but cancel mail delivery).
+# WARNING: Recipient and sender address verification may cause your
+# server to be blacklisted by some providers, due to the
+# possibly frequent address probe (try to connect but cancel
+# mail delivery). This also increases system load, which may
+# be a problem in the case of a dictionary attack or a flood
+# of backscatter bounces.
#
-smtpd_sender_restrictions = reject_unknown_sender_domain
+# Credit: https://serverfault.com/a/540614/387898
+#
+smtpd_recipient_restrictions =
+ reject_unknown_reverse_client_hostname,
+ warn_if_reject reject_unknown_client_hostname,
+ reject_non_fqdn_sender,
+ reject_unknown_sender_domain,
+ reject_non_fqdn_recipient,
+ reject_unknown_recipient_domain
+
+# Block clients that speak too early.
+# Reject the request when the client sends SMTP commands ahead of
+# time where it is not allowed, or when the client sends SMTP commands
+# ahead of time without knowing that Postfix actually supports ESMTP
+# command pipelining.
+#
+smtpd_data_restrictions = reject_unauth_pipelining
# A lookup table maps between the SASL login names that own the sender
# (MAIL FROM) addresses.
@@ -485,17 +481,6 @@ smtpd_sender_restrictions = reject_unknown_sender_domain
#
smtpd_sender_login_maps = pcre:$config_directory/login-maps.pcre
-# Use permanet 550 errors for rejections, to stop retries.
-# Tell Postfix to reject messages that match the rejection criteria
-# with a 550 error, which should tell the remote server that its
-# message wasn't delivered and it shouldn't try to send it again
-# (as opposed to the default 450 error, which implies that the
-# remote server should retry sending).
-#
-#unknown_address_reject_code = 550
-#unknown_client_reject_code = 550
-#unknown_hostname_reject_code = 550
-
##
## SMTP server TLS settings