26.4.2004
WHATSNEW:
- new body check
TODO:
- new restrictions
- permit_backup_mx_network
append_at_myorigin = yes
append_dot_mydomain = yes
- pcre
- IGNORE deletes lines in headers(?)
- postfix V2.x
owner_request_special = no
show_user_unknown_table_name = no
# reject_rhsbl_client
reject_rhsbl_sender dsn.rfc-ignorant.org
===
smtpd_error_sleep_time
Time to wait (in seconds) before sending a 4xx or 5xx server error response.
smtpd_soft_error_limit
When an SMTP client has made this number of errors, wait error_count seconds before responding to any client request.
smtpd_hard_error_limit
Disconnect after a client has made this number of errors.
smtpd_junk_command_limit
Limit the number of times a client can issue a junk command such as NOOP, VRFY, ETRN or RSET in one SMTP session before it is penalized with tarpit delays.
===
=============
Also read this:
http://www.stahl.bau.tu-bs.de/~hildeb/postfix/
Quota with postfix/maildir
Postfix+Courier-IMAP+MySQL for multiple domains HOWTO
============
#postfix on ircnet
konrads> for testing purposes i need a complete catch-all setup that reroutes all incoming mails to /dev/null
weasel> 250 no problem
weasel> tail .. master.cf:
weasel> devnull unix - n n - - pipe
weasel> flags=R user=nobody argv=/usr/local/bin/devnull
weasel> where bin/devnull is something like
weasel> #!/bin/sh
weasel> cat > /dev/null
weasel> then set local_transport to devnull
==============
How to change sender/recipient/both:
canonical_maps = hash:/etc/postfix/canonical_maps
recipient_canonical_maps =
sender_canonical_maps = hash:/etc/postfix/sender_maps
/etc/postfix/canonical_maps
@thisisfakedomain.foo makeitreal.com
/etc/postfix/sender_maps
# this server is sending, but not receiving e-mail
# so we reroute the error msgs to the postmaster :]
eVecer@[195.246.18.38] postmaster@slon.net
===========
How to get a copy of all e-mail that passes through this server (always_bcc adds the address to every message, inbound and outbound):
always_bcc = root
==========
smtpd_delay_reject = yes (the default) postpones all rejects until the RCPT TO: stage. It turned
out that many clients don't cope with a reject given earlier (at connect, HELO or MAIL FROM:)
and simply come back every second.
==========
/etc/postfix/main.cf:
alias_maps = hash:/etc/aliases
alias_database = $alias_maps
smtpd_banner = $myhostname ESMTP http://www.rfc.net/rfc2821.html
mail_name = smtpd
# what kind of errors should postmaster receive
# notify_classes = resource,software,protocol,policy,delay,2bounce
# default is: notify_classes = resource,software
# postfix tries to get the hostname from the system, but that usually fails, because the
# system hostname is not a FQDN
myhostname = host.domain.org
# default is:
# myorigin = $myhostname
# mydomain = domain part of $myhostname
# what domains are LOCAL to this server
# DO NOT list virtual domains here!
# Use virtual_maps for virtual domains
mydestination = $myhostname, localhost.$mydomain
#address_verify_map
#owner_request_special = no
# for Mailman Mailing-list
# virtual alias domains (Postfix 1.x parameter name; Postfix 2.x calls it virtual_alias_maps)
virtual_maps = hash:/etc/postfix/virtual
# Reject unknown local/virtual recipients at the SMTP port.
# proxy (v2.x) local_recipient_maps = proxy:unix:passwd.byname $alias_maps $virtual_maps
local_recipient_maps = unix:passwd.byname $alias_maps $virtual_maps
mynetworks = 127.0.0.0/8 192.168.0.0/24 10.3.74.0/24
# mynetworks_style is only consulted when mynetworks is NOT set explicitly,
# so with the line above it has no effect
mynetworks_style = host
mailbox_size_limit = 0
recipient_delimiter = +
# Maildir format
# if you use Courier IMAP/POP
home_mailbox = Maildir/
#if you use maildrop
#mailbox_command = /usr/bin/maildrop
#local_destination_concurrency_limit = 1
delay_warning_time = 3h
smtpd_helo_required = yes
biff = no
disable_vrfy_command = yes
strict_rfc821_envelopes = no
transport_maps = hash:/etc/postfix/transport
message_size_limit = 40960000
# used by reject_maps_rbl (Postfix 1.x); the reject_rbl_client entries further down replace it
maps_rbl_domains =
    list.dsbl.org,
    relays.ordb.org
body_checks = regexp:/etc/postfix/body_checks
header_checks = regexp:/etc/postfix/header_checks
# smart-relay server
# probably smtp server of your ISP
#relayhost = [smtp.isp.com]
# smtp server to use if we get errors sending directly
#fallback_relay = [smtp.isp.com]
# use it to TEST(!) your new config
# smtp will issue 4xx (temporary error) instead of 5xx (permanent) thus allowing
# transmission later
#soft_bounce = yes
# broken Cisco PIX SMTP "fixup" firewalls choke on EHLO; with "no", Postfix only
# sends EHLO when the remote banner announces ESMTP
smtp_always_send_ehlo = no
smtpd_client_restrictions = hash:/etc/postfix/client_access
smtpd_helo_restrictions = hash:/etc/postfix/helo_checks
smtpd_sender_restrictions =
    regexp:/etc/postfix/sender_checks
# Postfix 1.x: reject_maps_rbl (with maps_rbl_domains) instead of reject_rbl_client
smtpd_recipient_restrictions =
    reject_unauth_pipelining,
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    reject_unknown_sender_domain,
    reject_unknown_recipient_domain,
    permit_mynetworks,
    reject_rbl_client relays.ordb.org,
    reject_rbl_client list.dsbl.org,
    reject_rbl_client dnsbl.sorbs.net,
    reject_unauth_destination
#mime_header_checks = regexp:/etc/postfix/mime_header_checks.regexp
# Turn the reject_unknown_* replies into permanent 554 errors.
# Dangerous: the default 450 exists because a DNS lookup failure is often temporary;
# with 554 a transient resolver problem makes the sending side bounce the mail for good.
#unknown_address_reject_code = 554
#unknown_client_reject_code = 554
#unknown_hostname_reject_code = 554
####
/etc/postfix/client_access
# amis
212.18.32.4 OK
212.18.32.14 OK
# triera
213.161.0.24 OK
213.161.0.25 OK
# volja
217.72.64.59 OK
217.72.64.60 OK
# softnet
212.103.128.68 OK
# mojnet
212.93.226.6 OK
# telemach
213.143.65.10 OK
# netsi
212.72.100.100 OK
# siol
193.189.160.25 OK
193.189.160.18 OK
# perftech
195.246.0.20 OK
195.246.0.21 OK
195.246.0.22 OK
# arnes
193.2.1.74 OK
193.2.1.75 OK
# one DSL customer allowed explicitly by name and by address; the hostname and IP
# keys are looked up before the parent-domain key dsl.siol.net below, so line order is irrelevant
BSN-77-157-5.dsl.siol.net OK
193.77.157.5 OK
#
dsl.siol.net 554 Use the server mail.siol.net for outgoing mail or arrange a 'reverse address' (reverse DNS name) for your IP. For further information call 080 1000
dial-up.siol.net 554 Use the server mail.siol.net for outgoing mail! For further information call 080 1000
dial-up.volja.net 554 Use the server smtp.volja.net for outgoing mail. For further information call 01 5875 888
dial.netsi.net 554 Use the server smtp.netsi.net for outgoing mail!
dial-up.arnes.si 554 Use the server mail.arnes.si for outgoing mail!
dial-up.moj.net 554 Use the server smtp.moj.net for outgoing mail! For further info call 01 2345860!
dialup.amis.net 554 Use the server smtp.amis.net for outgoing mail! For further information call 080 2010
adsl.amis.net 554 Use the server smtp.amis.net for outgoing mail or arrange a 'reverse address' (reverse DNS name) for your IP. For further information call 080 2010
dsl.net 554 Use smtp.dsl.net as outgoing e-mail server!
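To see which line of a client_access table Postfix would actually use for a given connection, here is an added example (written for these notes, not taken from the page and not Postfix code) that reproduces the documented check_client_access lookup order for a hash: table: the verified client hostname, then each parent domain, then the client IP address, then the address with trailing octets stripped. The table embedded in it is a constructed subset of the one above, with the replies translated; the hostnames and addresses in the demo calls are made up.

```python
"""Lookup order of Postfix check_client_access against a hash: table
(added example for these notes, not Postfix code).  Postfix tries the
verified client hostname, then each parent domain, then the client IP
address, then the address with least-significant octets stripped, and
the first key present in the table decides.  That is why one DSL host
can be listed as OK next to a 554 reply for its parent domain: line
order in the file is irrelevant, key specificity is what counts."""


def parse_access(text):
    """Parse postmap input ('key value' per line, '#' comments) into a dict.

    Keys are lowercased here because Postfix folds client names and
    postmap folds table keys; the action text is kept verbatim.
    """
    table = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        table[parts[0].lower()] = parts[1] if len(parts) > 1 else ""
    return table


def client_keys(hostname, address):
    """Keys check_client_access tries, in order, for one client.

    Postfix passes the name 'unknown' when reverse DNS fails or the PTR
    name does not resolve back to the address, so only verified names
    can reach the hostname and parent-domain keys.  Parent-domain
    matching is controlled by parent_domain_matches_subdomains, which
    includes smtpd_access_maps by default.
    """
    keys = []
    if hostname and hostname != "unknown":
        labels = hostname.lower().split(".")
        # full name, then every parent domain down to the top-level domain
        keys.extend(".".join(labels[i:]) for i in range(len(labels)))
    octets = address.split(".")
    # full address, then 3, 2 and 1 leading octets (the /24, /16, /8 nets)
    keys.extend(".".join(octets[:n]) for n in range(len(octets), 0, -1))
    return keys


def check_client(table, hostname, address):
    """Return (key, action) for the first key found in the table, else None."""
    for key in client_keys(hostname, address):
        if key in table:
            return key, table[key]
    return None


# Constructed subset of the client_access table above, replies translated.
CLIENT_ACCESS = """
# one DSL customer allowed by name and by address
BSN-77-157-5.dsl.siol.net OK
193.77.157.5 OK
# the rest of that DSL pool is told to use the ISP relay
dsl.siol.net 554 Use the server mail.siol.net for outgoing mail
# an ISP mail exchanger allowed by address only (no name needed)
193.2.1.74 OK
"""

if __name__ == "__main__":
    table = parse_access(CLIENT_ACCESS)
    # made-up clients: the whitelisted host, another host in the same pool,
    # a client without verified reverse DNS, and an unrelated host
    for host, ip in [("BSN-77-157-5.dsl.siol.net", "193.77.157.5"),
                     ("bsn-1-2-3.dsl.siol.net", "193.77.1.2"),
                     ("unknown", "193.2.1.74"),
                     ("mail.example.com", "203.0.113.9")]:
        print("%-28s %-14s -> %s" % (host, ip, check_client(table, host, ip)))
```

Two things the output makes visible: a client whose reverse DNS does not verify never reaches the hostname rules, so the pool-wide 554 for dsl.siol.net is bypassed by any DSL host without working rDNS, and "OK" in smtpd_client_restrictions only ends that one restriction list. The client still passes through smtpd_helo_restrictions, smtpd_sender_restrictions and smtpd_recipient_restrictions, so with the main.cf above a whitelisted dial-up host still cannot relay through this server because reject_unauth_destination applies to it as well.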
/etc/postfix/sender_checks
# reject senders whose domain part is a private or loopback IP address literal.
# The alternation must stay inside the "@[" literal; a top-level "|" would let
# "192\.168\." match anywhere in the address (e.g. in a hostname).
/@\[((10|127|0)\.|192\.168\.)/ 554 Use real IP numbers or FQDN
/@\[172\.1[6-9]\./ 554 Use real IP numbers or FQDN
/@\[172\.2[0-9]\./ 554 Use real IP numbers or FQDN
/@\[172\.3[01]\./ 554 Use real IP numbers or FQDN
/etc/postfix/helo_checks
your_fqdn_hostname_here 551 Bogus HELO
/etc/postfix/virtual
virtual_domain.com whatever_that_is_not_used
abuse@virtual_domain.com root
postmaster@virtual_domain.com root
hostmaster@virtual_domain.com root
fu@virtual_domain.com other@email.com
fuu@virtual_domain.com local_user
# catch-all: all mail for the domain ends up in one mailbox
v_domain.org whatever_that_is_not_used
@v_domain.org hegetsallmailfor@domena.org
/etc/postfix/header_checks
# NIMDA
/^.*boundary=\"====_ABC1234567890DEF_====\"/ REJECT
/^.*boundary=\"====_ABC123456j7890DEF_====\"/ REJECT
#
/Subject:.*new photos from my party/ REJECT
#
# header_checks actions are REJECT [text], DISCARD, IGNORE, WARN, HOLD ...; a bare
# numeric code such as "554 text" is not a valid action here
/^Content-Type: multipart\/mixed; boundary="----[a-zA-Z0-9]+_Outlook_Express_message_boundary"/ REJECT Infected with SirCam.
# SIRCAM
#/^.*_Outlook_Express_message_boundary/ REJECT
# HYBRIS
#/^.*boundary="--VE/ REJECT
# ALIZ
#/^.*boundary="bound"/ REJECT
# SPAM
#/^Subject:.*Try It BEFORE You Buy It.*/ REJECT
#NextPart
#/^.*boundary="----_=_NextPart_001.*"/ REJECT
/etc/postfix/body_checks
# base64 of a PK zip header with the "encrypted" flag set
/^U*EsDBAoAAQAAA/ REJECT Encrypted Zip archive.
# Note: the Content-* patterns below only work in body_checks with Postfix 1.x;
# Postfix 2.x hands MIME part headers to mime_header_checks (default: $header_checks),
# not to body_checks.
/^Content-(Disposition|Type):.+file.+="?.*\.(doc|zip|exe|xls|jpg|gif)\.(vbs|scr|pif|bat|com|exe|lnk)"?$/ REJECT
# uuencoded attachment: "begin <mode> <filename>"
/^begin [0-9]+ .*\.(scr|pif|exe|com|bat|shs|shb|vxd|rm|chm|vbs|ini|cmd|hta|reg|lnk|js|jse)/ REJECT
/^<iframe src=(3D)?cid:.* height=(3D)?0 width=(3D)?0>$/ REJECT keep your viruses with you
/AAAYmX3gXPgTs1z4E7Nc\+BOzJ\+Qfs1j4/ REJECT
# Win32.Klez.Worm.H
/^Content-Type:.*audio\/x-midi/ REJECT
/<(iframe src=(3D)?cid:.* height=(3D)?0 width=(3D)?0)>/ REJECT content rejected: ${1}: virus code detected in this email
# or even more restrictive:
/<(iframe src=(3D)?cid:)/ REJECT ${1}: No exploitable iframe code accepted here
# PCRE version of the attachment-name check above. Needs a pcre: table: in a regexp:
# table the x flag toggles REG_EXTENDED off instead of enabling extended syntax.
# Groups: $1 = Disposition|Type, $2 = full name, $3 = inner extension, $4 = final extension.
/^\s*Content-(Disposition|Type).*name\s*=\s*"?(.*\.(doc|zip|exe|xls)\.(exe|vbe|vbs|vbx|vxd|wsc|wsf|wsh))(\?=)?"?\s*$/x REJECT Attachment name "$2" may not end with ".$3.$4"
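The sender_checks, header_checks and body_checks tables above are all first-match regexp tables, and the notes offer no way to test them short of putting them in production. The following is an added example, written for these notes rather than taken from the page or from Postfix, that emulates `postmap -q` against such a table: it parses the `/pattern/flags action` format (comments, `!` negation, the i/x/m flag toggles, escaped `/` delimiters, `$n`/`${n}`/`$(n)` substitution) and runs constructed sample keys through copies of the rules above. It also contrasts the sender_checks rule as originally written, whose top-level `|` lets `(192\.168)\.` match anywhere in the address, with a version confined to the `@[...]` literal (the 172.16/12 range is folded into it, which goes beyond the page's three separate lines). All sample addresses and header lines are made up. Python's `re` stands in for POSIX ERE/PCRE, so treat this as a pre-flight check, not a substitute for `postmap -q` on the real server.

```python
"""Offline tester for Postfix regexp:/pcre: lookup tables (added example,
not part of the original notes or of Postfix).  Emulates `postmap -q`:
rules are tried in file order, the first match decides, and $1, ${1} or
$(1) in the action are replaced by the captured groups.  Python's re
module stands in for POSIX ERE / PCRE; it agrees for the patterns in
these notes but not necessarily for every construct Postfix accepts."""
import re

# $1, ${1} and $(1) references in a rule's action text
_GROUP_REF = re.compile(r"\$(?:(\d)|\{(\d+)\}|\((\d+)\))")


def parse_table(text):
    """Parse '/pattern/flags action' lines into (regex, negated, action).

    Blank lines and '#' comments are skipped; a leading '!' negates the
    rule.  Matching is case-insensitive unless the 'i' flag toggles that
    off; 'x' toggles whitespace-ignoring syntax (pcre: tables); 'm'
    toggles multi-line mode.  A backslash protects '/' inside the pattern.
    """
    toggles = {"i": re.IGNORECASE, "x": re.VERBOSE, "m": re.MULTILINE}
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        negated = line.startswith("!")
        body = line[1:] if negated else line
        if not body.startswith("/"):
            raise ValueError("only /pattern/ entries are supported: %r" % raw)
        end = 1
        while end < len(body) and body[end] != "/":
            end += 2 if body[end] == "\\" else 1
        if end >= len(body):
            raise ValueError("unterminated pattern: %r" % raw)
        pattern, rest = body[1:end], body[end + 1:]
        flags, pos = re.IGNORECASE, 0
        while pos < len(rest) and rest[pos] in toggles:
            flags ^= toggles[rest[pos]]
            pos += 1
        rules.append((re.compile(pattern, flags), negated, rest[pos:].strip()))
    return rules


def _expand(action, match):
    """Replace $n references in the action with the captured groups."""
    def repl(ref):
        n = int(ref.group(1) or ref.group(2) or ref.group(3))
        return match.group(n) or ""
    return _GROUP_REF.sub(repl, action)


def lookup(rules, key):
    """Return the (expanded) action of the first rule matching key, or None."""
    for regex, negated, action in rules:
        match = regex.search(key)
        if negated:
            if match is None:
                return action
        elif match is not None:
            return _expand(action, match)
    return None


# sender_checks as originally written in the notes: the top-level '|' makes
# "(192\.168)\." an alternative of its own, so a hostname containing
# "192.168." (constructed sample: mail192.168.example.com) is rejected too.
SENDER_CHECKS_LOOSE = r"""
/@\[(10|127|0)\.|(192\.168)\./ 554 Use real IP numbers or FQDN
"""

# Same intent, every alternative tied to the "@[" address literal; the
# 172.16/12 range is folded in as well (the notes use three separate lines).
SENDER_CHECKS_FIXED = r"""
/@\[((10|127|0)\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)/ 554 Use real IP numbers or FQDN
"""

# header_checks: double-extension attachment name (pcre /x syntax, $2..$4
# expanded in the reply) and the SirCam boundary with an escaped delimiter
HEADER_CHECKS = r"""
/^\s*Content-(Disposition|Type).*name\s*=\s*"?(.*\.(doc|zip|exe|xls)\.(exe|vbe|vbs|vbx|vxd|wsc|wsf|wsh))(\?=)?"?\s*$/x REJECT Attachment name "$2" may not end with ".$3.$4"
/^Content-Type: multipart\/mixed; boundary="----[a-zA-Z0-9]+_Outlook_Express_message_boundary"/ REJECT Infected with SirCam.
"""

# body_checks: zero-size iframe echoed back via ${1}, uuencoded attachment
BODY_CHECKS = r"""
/<(iframe src=(3D)?cid:.* height=(3D)?0 width=(3D)?0)>/ REJECT content rejected: ${1}: virus code detected in this email
/^begin [0-9]+ .*\.(scr|pif|exe|com|bat|vbs|js)$/ REJECT
"""

if __name__ == "__main__":
    cases = [  # constructed sample keys
        ("loose sender_checks", SENDER_CHECKS_LOOSE, "joe@mail192.168.example.com"),
        ("fixed sender_checks", SENDER_CHECKS_FIXED, "joe@mail192.168.example.com"),
        ("fixed sender_checks", SENDER_CHECKS_FIXED, "joe@[192.168.0.7]"),
        ("header_checks", HEADER_CHECKS, 'Content-Disposition: attachment; filename="report.doc.vbs"'),
        ("body_checks", BODY_CHECKS, "<IFRAME src=3Dcid:EA4DMGBP9p height=3D0 width=3D0>"),
    ]
    for name, table, key in cases:
        print("%-20s %s\n%20s -> %s" % (name, key, "", lookup(parse_table(table), key)))
```

Running it shows the loose sender rule rejecting a perfectly valid sender at mail192.168.example.com while the fixed rule only fires on the bracketed literal, and shows the `$n` expansion producing the reply text a sending MTA would see. For check_sender_access Postfix also tries the bare domain, its parent domains and the `user@` form against the table; this tester only runs the full address, which is enough for patterns anchored on `@[`.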