[[postfix]]
Trace: postfix
Show pagesource
AdminRecent ChangesSitemap

This is an old revision of the document!

Postfix

TODO

  • berljivost clanka
  • vrstni red
  • razlicni scenariji
  • cyrus
  • sender_mx_access
  • rshbl check
  • sender/recipient verification
  • multiple <> bounces
  • permit_backup_mx_network
  • append_at_myorigin = yes
  • append_dot_mydomain = yes
  • pcre
  • IGNORE deletes lines in headers(?)

Cool :) postifx hacks

here are some tips ..

Hide internal address

See this page 

header_checks = regexp:/etc/postfix/header_checks

in that file you put 

# Header checks file
#    /^Subject: Internet Sic Codes/  REJECT
#    /^Subject: ADV /
/^received: / IGNORE
/^X-Sender: / IGNORE

Still looking for a better way?!

LMTP and over-quota

Be aware that if your IMAP server receives messages over LMTP, over-quota situations won't be discovered until after Postfix has accepted the message, so it will have to be bounced. If you want to reject mail for users over their quotas, you'll have to use an access table listing users who are over their quotas.

Unsorted stuff

owner_request_special = no show_user_unknown_table_name = no

# reject_rhsbl_client 

      reject_rhsbl_sender    dsn.rfc-ignorant.org

=== smepd_error_sleep_time

Timh to wait in seconds before sending a 4xx or 5xx server error response.

smtpd_soft_error_limit

When an SMTP client has made this number of errors, wait error_count seconds before responding to any client request.

smtpd_hard_error_limit

Disconnect after a client has made this number of errors.

smtpd_junk_command_limit

Limit the number of times a client can issue a junk command such as NOOP, VRFY, ETRN or RSET in one SMTP session before it is penalized with tarpit delays. ===

Also read this: http://www.stahl.bau.tu-bs.de/~hildeb/postfix/ Quota with postfix/maildir Postfix+Courier-IMAP+MySQL for multiple domains HOWTO

#postfix on ircnet

konrads> for testing purposes i need a complete catch-all setup that reroutes all incoming mails to /dev/null

weasel> 250 no problem weasel> tail .. master.cf: weasel> devnull unix - n n - - pipe weasel> flags=R user=nobody argv=/usr/local/bin/devnull weasel> where bin/devnull is something like weasel> #!/bin/sh weasel> cat > /dev/null weasel> then set local_transport to devnull

How to change sender/recipient/both:

canonical_maps = hash:/etc/postfix/canonical_maps recipient_canonical_maps = sender_canonical_maps = hash:/etc/postfix/sender_maps

/etc/postfix/canonical_maps @thisisfakedomain.foo makeitreal.com

/etc/postfix/sender_maps # this server is sending, but not receiving e-mail # so we reroute the error msgs to the postmaster :] eVecer@[195.246.18.38] postmaster@slon.net

How to get all the e-mail that got from/to this server always_bcc = root

smtpd_delay_reject delays all rejects to the RCPT TO: phase. It turned out that many clients won't accept a REJECT after the (HELO|MAIL FROM:connect) and would return every second.

/etc/postfix/main.cf:

alias_maps = hash:/etc/aliases alias_database = $alias_maps

smtpd_banner = $myhostname ESMTP http://www.rfc.net/rfc2821.html mail_name = smtpd

# what kind of errors should postmaster receive # notify_classes = resource,software,protocol,policy,delay,2bounce # default is: notify_classes = resource,software

# postfix tries to get hostname from the system, but it usually failes, because the hostname # is not FQDN myhostname = host.domain.org

# default is: # myorigin = $myhostname # mydomain = domain part of $myhostname

# what domains are LOCAL to this server # DO NOT list virtual domains here! # Use virtual_maps for virtual domains mydestination = $myhostname, localhost.$mydomain

#address_verify_map

#owner_request_special = no # for Mailman Mailing-list

# virtual domains virtual_maps = hash:/etc/postfix/virtual

# Reject unknown local/virtual recipients at the SMTP port. # proxy (v2.x) local_recipient_maps = proxy:unix:passwd.byname $alias_maps $virtual_maps local_recipient_maps = unix:passwd.byname $alias_maps $virtual_maps

mynetworks = 127.0.0.0/8 192.168.0.0/24 10.3.74.0/24 mynetworks_style = host

mailbox_size_limit = 0 recipient_delimiter = +

# Maildir format # if you use Courier IMAP/POP home_mailbox = Maildir/

#if you use maildrop #mailbox_command = /usr/bin/maildrop #local_destination_concurrency_limit = 1

delay_warning_time = 3h

smtpd_helo_required = yes biff = no disable_vrfy_command = yes strict_rfc821_envelopes = no

transport_maps = hash:/etc/postfix/transport message_size_limit = 40960000

maps_rbl_domains = 

	list.dsbl.org,
	relays.ordb.org

body_checks = regexp:/etc/postfix/body_checks header_checks = regexp:/etc/postfix/header_checks

# smart-relay server # probably smtp server of your ISP #relayhost = [smtp.isp.com]

# smtp server to use if we get errors sending directly #fallback_relay = [smtp.isp.com]

# use it to TEST(!) your new config # smtp will issue 4xx (temporary error) instead of 5xx (permanent) thus allowing # transmission later #soft_bounce = yes

#broken PIX/cisco firewall smtp_always_send_ehlo = no

smtpd_client_restrictions = hash:/etc/postfix/client_access

smtpd_helo_restrictions = hash:/etc/postfix/helo_checks

smtpd_sender_restrictions = 

regexp:/etc/postfix/sender_checks

smtpd_recipient_restrictions = 

reject_unauth_pipelining,
reject_non_fqdn_sender,
reject_non_fqdn_recipient,
reject_unknown_sender_domain,
reject_unknown_recipient_domain,
permit_mynetworks,

#v1.x reject_maps_rbl 

reject_rbl_client relays.ordb.org
reject_rbl_client list.dsbl.org
reject_rbl_client dnsbl.sorbs.net
reject_unauth_destination

#mime_header_checks = regexp:/etc/postfix/mime_header_checks.regexp

# Make domain resolving errors permanent….fatal X-) #unknown_address_reject_code = 554 #unknown_client_reject_code = 554 #unknown_hostname_reject_code = 554

#### /etc/postfix/client_access # amis 212.18.32.4 OK 212.18.32.14 OK # triera 213.161.0.24 OK 213.161.0.25 OK # volja 217.72.64.59 OK 217.72.64.60 OK # softnet 212.103.128.68 OK # mojnet 212.93.226.6 OK # telemach 213.143.65.10 OK # netsi 212.72.100.100 OK # siol 193.189.160.25 OK 193.189.160.18 OK # perftech 195.246.0.20 OK 195.246.0.21 OK 195.246.0.22 OK # arnes 193.2.1.74 OK 193.2.1.75 OK # BSN-77-157-5.dsl.siol.net OK 193.77.157.5 OK # dsl.siol.net 554 Uporabite streznik mail.siol.net za odhodno posto ali si uredite 'povratni naslov' za vas IP. Za nadaljne informacije klicite 080 1000 dial-up.siol.net 554 Uporabite streznik mail.siol.net za odhodno posto! Za nadaljne informacije klicite 080 1000 dial-up.volja.net 554 Uporabite streznik smtp.volja.net za odhodno posto. Za nadaljne informacije klicite 01 5875 888 dial.netsi.net 554 Uporabite streznik smtp.netsi.net za odhodno posto! dial-up.arnes.si 554 Uporabite streznik mail.arnes.si za odhodno posto! dial-up.moj.net 554 Uporabite streznik smtp.moj.net za odhodno posto ! For further info call 01 2345860! dialup.amis.net 554 Uporabite streznik smtp.amis.net za odhodno posto ! Za nadaljne informacije klicite 080 2010 adsl.amis.net 554 Uporabite streznik smtp.amis.net za odhodno posto ali si uredite 'povratni naslov' za vas IP. Za nadaljne informacije klicite 080 2010 cable.triera.net 554 Uporabite streznik smtp.triera.net za odhodno e-posto.

dsl.net 554 Use smtp.dsl.net as outgoing e-mail server!

/etc/postfix/sender_checks /@\[(10|127|0)\.|(192\.168)\./ 554 Use real IP numbers or FQDN /@\[172\.1[6-9]\./ 554 Use real IP numbers or FQDN /@\[172\.2[0-9]\./ 554 Use real IP numbers or FQDN /@\[172\.3[01]\./ 554 Use real IP numbers or FQDN

/etc/postfix/helo_checks your_fqdn_hostname_here 551 Bogus HELO

/etc/postfix/virtual virtual_domain.com whatever_that_is_not_used abuse@virtual_domain.com root postmaster@virtual_domain.com root hostmaster@virtual_domain.com root fu@virtual_domain.com other@email.com fuu@virtual_domain.com local_user

# all e-mails go into one/single mbox v_domain.org whatever_that_is_not_used @v_domain.org hegetsallmailfor@domena.org

/etc/postfix/header_checks # NIMDA /^.*boundary=\“====_ABC1234567890DEF_====\”/ REJECT /^.*boundary=\“====_ABC123456j7890DEF_====\”/ REJECT # /Subject:.*new photos from my party/ REJECT # /^Content-Type: multipart\/mixed; boundary=“—-[a-zA-Z0-9]+_Outlook_Express_message_boundary”/ 554 Infected with SirCam. # SIRCAM #/^.*_Outlook_Express_message_boundary/ REJECT # HYBRIS #/^.*boundary=“–VE/ REJECT # ALIZ #/^.*boundary=“bound”/ REJECT # SPAM #/^Subject:.*Try It BEFORE You Buy It.*/ REJECT #NextPart #/^.*boundary=”—-_=_NextPart_001.*“/ REJECT

/etc/postfix/body_checks

/^U*EsDBAoAAQAAA/ REJECT Encrypted Zip archive. /^Content-(Disposition|Type):.+file.+=”?.*\.(doc|zip|exe|xls|jpg|gif)\.(vbs|scr|pif|bat|com|exe|lnk)“?$/ REJECT /^begin [0-9]+*\.(scr|pif|exe|com|bat|shs|shb|vxd|rm|chm|vbs|ini|cmd|hta|reg|lnk|js|jse)/ REJECT /^<iframe src=(3D)?cid:.* height=(3D)?0 width=(3D)?0>$/ reject keep your viruses with you /AAAYmX3gXPgTs1z4E7Nc\+BOzJ\+Qfs1j4/ REJECT # Win32.Klez.Worm.H /^Content-Type:.*audio\/x-midi/ REJECT /<(iframe src=(3D)?cid:.* height=(3D)?0 width=(3D)?0)>/ REJECT content rejected: ${1}: virus code detected in this email

#or even more restrictive: /<(iframe src=(3D)?cid:)/ REJECT ${1}: No exploitable iframe code accepted here PCRE version of the above: /^\s*Content-(Disposition|Type).*name\s*=\s*”?(.*\.(doc|zip|exe|xls)\.(exe|vbe|vbs|vbx|vxd|wsc|wsf|wsh))(\?=)?“?\s*$/x REJECT Attachment name “$2” may not end with ”.$3“

postfix.1141073533.txt.gz · Last modified: 2009/05/25 00:34 (external edit)
Show pagesourceOld revisions
Media ManagerBack to top
CC Attribution-Share Alike 4.0 International
Driven by DokuWiki Recent changes RSS feed Valid CSS Valid XHTML 1.0 ipv6 ready