########################################################################### ## Copyright (C) Wizardry and Steamworks 2012 - License: GNU GPLv3 ## ## Please see: http://www.gnu.org/licenses/gpl.html for legal details, ## ## rights of fair usage, the disclaimer and warranty conditions. ## ########################################################################### # Restrictions template for Postfix >= 2.10 # ########################################################################### # The general strategy is to accept anything from authenticated clients # # except cases where MAIL FROM is set to a client other than the given # # authenticated client (in the latter case, to prevent E-Mail spoofing) # # # # The terminology "restrictions that apply AT" (instead of "apply TO") is # # used due to some restrictions proceeding others during an SMTP session. # # # # Requirements: # # - The SMTP server MUST be configured with SASL authentication # # (regardless whether through Dovecot, Cyrus SASL, etc...) # # # ###### Session Example Illustrating the Application of Restrictions. ###### # telnet 192.168.0.2 25 # # Trying 192.168.0.2... # # Connected to 192.168.0.2 (192.168.0.2). # # Escape character is '^]'. # # 220 mail.example.com ESMTP Postfix # <-smtp_client_restrictions # # HELO mail.example.com # <-smtp_helo_restrictions # # 250 mail.example.com # # MAIL FROM: # <-smtp_sender_restrictions # # 250 2.1.0 Ok # # RCPT TO: # <-smtp_recipient_restrictions # # 250 2.1.5 Ok # # DATA # <-smtp_data_restrictions # # 354 End data with . # # To: # <-header_checks # # From: # # Subject:SMTP Test # # This is a test message # <-body_checks # # . # # 250 2.0.0 Ok: queued as 301AE20034 # # QUIT # # 221 2.0.0 Bye # # Connection closed by foreign host. # ########### https://wiki.centos.org/HowTos/postfix_restrictions ########### ########################################################################### # Restrictions that apply when a client connects. # ########################################################################### smtpd_client_restrictions = permit_mynetworks, # Any user that is authenticated may send E-Mail regardless the # connection or any restrictions that follow. permit_sasl_authenticated, # Only accept connections with proper hostname to IP (reverse) DNS. reject_unknown_client_hostname, # Major RBLs matching clients. reject_rbl_client sbl.spamhaus.org, reject_rbl_client zen.spamhaus.org, reject_rbl_client xbl.spamhaus.org, reject_rbl_client pbl.spamhaus.org, reject_rbl_client cbl.abuseat.org, reject_rbl_client bl.spamcop.net, permit ########################################################################### # Restrictions that apply at: HELO / EHLO # ########################################################################### # smtpd_helo_required makes sending HELo / EHLO mandatory for clients smtpd_helo_required = yes smtpd_helo_restrictions = permit_mynetworks, # Any HELO / EHLO will be accepted from any authenticated client # regardless of any rules that follow. permit_sasl_authenticated, # These checks have to be performed after permitting SASL # authenticated clients since the strategy of this template is to # always accept from authenticated clients. reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname, # This is disabled because a client may send an HELO / EHLO with the # hostname of the computer where the E-Mail originates and although # that hostname may be valid on the local LAN of the client, the # hostname may be an invalid hostname on the WAN. # reject_unknown_helo_hostname, # Major RBLs matching HELO / EHLO. reject_rhsbl_helo dbl.spamhaus.org, permit ########################################################################### # Restrictions that apply at: MAIL FROM # ########################################################################### smtpd_sender_restrictions = permit_mynetworks, # Any authenticated client may send E-Mail (with the next exception) permit_sasl_authenticated, # This restriction prevents the following scenario: # I am joe@mail.tld, I authenticate as joe to the mail-server at # mail.tld and set the MAIL FROM to sally@mail.tld and the server # accepts it. reject_authenticated_sender_login_mismatch, reject_non_fqdn_sender, reject_unknown_sender_domain, # Major RBLs matching sender. reject_rhsbl_sender dbl.spamhaus.org, permit ########################################################################### # Restrictions that apply before: RCPT TO # ########################################################################### # Legacy restrictions used for older Postfix versions and an possibly be # # omitted altogether since smtpd_recipient_restrictions will apply. # ########################################################################### smtpd_relay_restrictions = permit_mynetworks, # Any authenticated user may use the server as a relay. permit_sasl_authenticated, reject_unauth_destination, permit ########################################################################### # Restrictions that apply at: RCPT TO # ########################################################################### smtpd_recipient_restrictions = permit_mynetworks, # An authenticated client may send E-Mail to any destination. permit_sasl_authenticated, reject_unauth_destination, reject_unknown_recipient_domain, reject_non_fqdn_recipient, # In case it is already known (Postfix - verify) that the # destination (recipient) of an E-Mail is unreachable, then do not # accept the E-Mail in the first place. reject_unverified_recipient, permit ########################################################################### # Restrictions that apply at: DATA (content body) # ########################################################################### smtpd_data_restrictions = permit_mynetworks, # An authenticated client may send any content body. permit_sasl_authenticated, sleep 3, reject_unauth_pipelining, permit