[[postfix]]
Trace: firefox postfix
Show pagesource
AdminRecent ChangesSitemap

This is an old revision of the document!

Postfix

TODO

  • berljivost clanka
  • vrstni red
  • razlicni scenariji
  • cyrus
  • sender_mx_access
  • rshbl check
  • sender/recipient verification
  • multiple <> bounces
  • permit_backup_mx_network
  • append_at_myorigin = yes
  • append_dot_mydomain = yes
  • pcre
  • IGNORE deletes lines in headers(?)

unverified_recipient_reject_code = 550 

unverified_sender_reject_code = 550

Cool :) postifx hacks

here are some tips ..

Hide internal address

See this page 

header_checks = regexp:/etc/postfix/header_checks

in that file you put 

# Header checks file
#    /^Subject: Internet Sic Codes/  REJECT
#    /^Subject: ADV /
/^received: / IGNORE
/^X-Sender: / IGNORE

Still looking for a better way?!

LMTP and over-quota

Be aware that if your IMAP server receives messages over LMTP, over-quota situations won't be discovered until after Postfix has accepted the message, so it will have to be bounced. If you want to reject mail for users over their quotas, you'll have to use an access table listing users who are over their quotas.

Unsorted stuff

owner_request_special = no
show_user_unknown_table_name = no
#       reject_rhsbl_client
        reject_rhsbl_sender    dsn.rfc-ignorant.org

=== 

smtpd_error_sleep_time

Time to wait in seconds before sending a 4xx or 5xx server error response. 

smtpd_soft_error_limit

When an SMTP client has made this number of errors, wait error_count seconds before responding to any client request. 

smtpd_hard_error_limit

Disconnect after a client has made this number of errors. 

smtpd_junk_command_limit

Limit the number of times a client can issue a junk command such as NOOP, VRFY, ETRN or RSET in one SMTP session before it is penalized with tarpit delays. ===

Also read this: http://www.stahl.bau.tu-bs.de/~hildeb/postfix/ Quota with postfix/maildir Postfix+Courier-IMAP+MySQL for multiple domains HOWTO

#postfix on ircnet

for testing purposes i need a complete catch-all setup that reroutes all incoming mails to /dev/null tail .. master.cf: devnull unix - n n - - pipe flags=R user=nobody argv=/usr/local/bin/devnull where bin/devnull is something like #!/bin/sh cat > /dev/null then set local_transport to devnull

How to change sender/recipient/both: 

canonical_maps = hash:/etc/postfix/canonical_maps
recipient_canonical_maps =
sender_canonical_maps = hash:/etc/postfix/sender_maps
/etc/postfix/canonical_maps
@thisisfakedomain.foo  makeitreal.com
/etc/postfix/sender_maps
# this server is sending, but not receiving e-mail
# so we reroute the error msgs to the postmaster :]
eVecer@[195.246.18.38]  postmaster@slon.net

How to get all the e-mail that got from/to this server always_bcc = root

smtpd_delay_reject delays all rejects to the RCPT TO: phase. It turned out that many clients won't accept a REJECT after the (HELO|MAIL FROM:connect) and would return every second.

/etc/postfix/main.cf: 

alias_maps = hash:/etc/aliases
alias_database = $alias_maps
smtpd_banner = $myhostname ESMTP http://www.rfc.net/rfc2821.html
mail_name = smtpd
# what kind of errors should postmaster receive
# notify_classes = resource,software,protocol,policy,delay,2bounce
# default is:  notify_classes = resource,software
# postfix tries to get hostname from the system, but it usually failes, because the hostname
# is not FQDN
myhostname = host.domain.org
# default is:
# myorigin = $myhostname
# mydomain = domain part of $myhostname
# what domains are LOCAL to this server
# DO NOT list virtual domains here!
# Use virtual_maps for virtual domains
mydestination = $myhostname, localhost.$mydomain
#address_verify_map
#owner_request_special = no
# for Mailman Mailing-list
# virtual domains
virtual_maps = hash:/etc/postfix/virtual
# Reject unknown local/virtual recipients at the SMTP port.
# proxy (v2.x) local_recipient_maps = proxy:unix:passwd.byname $alias_maps $virtual_maps
local_recipient_maps = unix:passwd.byname $alias_maps $virtual_maps
mynetworks = 127.0.0.0/8 192.168.0.0/24 10.3.74.0/24
mynetworks_style = host
mailbox_size_limit = 0
recipient_delimiter = +
# Maildir format
# if you use Courier IMAP/POP
home_mailbox = Maildir/
#if you use maildrop
#mailbox_command = /usr/bin/maildrop
#local_destination_concurrency_limit = 1
delay_warning_time = 3h
smtpd_helo_required = yes
biff = no
disable_vrfy_command = yes
strict_rfc821_envelopes = no
transport_maps = hash:/etc/postfix/transport
message_size_limit = 40960000
maps_rbl_domains =
	list.dsbl.org,
	relays.ordb.org
body_checks = regexp:/etc/postfix/body_checks
header_checks = regexp:/etc/postfix/header_checks
# smart-relay server
# probably smtp server of your ISP
#relayhost = [smtp.isp.com]
# smtp server to use if we get errors sending directly
#fallback_relay = [smtp.isp.com]
# use it to TEST(!) your new config
# smtp will issue 4xx (temporary error) instead of 5xx (permanent) thus allowing
# transmission later
#soft_bounce = yes
#broken PIX/cisco firewall
#smtp_always_send_ehlo = no
smtpd_client_restrictions = hash:/etc/postfix/client_access
smtpd_helo_restrictions = hash:/etc/postfix/helo_checks
smtpd_sender_restrictions =
regexp:/etc/postfix/sender_checks

smtpd_recipient_restrictions = 

reject_unauth_pipelining,
reject_non_fqdn_sender,
reject_non_fqdn_recipient,
reject_unknown_sender_domain,
reject_unknown_recipient_domain,
permit_mynetworks,

#v1.x reject_maps_rbl 

reject_rbl_client relays.ordb.org
reject_rbl_client list.dsbl.org
reject_rbl_client dnsbl.sorbs.net
reject_unauth_destination

#mime_header_checks = regexp:/etc/postfix/mime_header_checks.regexp

# Make domain resolving errors permanent….fatal X-) #unknown_address_reject_code = 554 #unknown_client_reject_code = 554 #unknown_hostname_reject_code = 554

#### /etc/postfix/client_access # amis 212.18.32.4 OK 212.18.32.14 OK # triera 213.161.0.24 OK 213.161.0.25 OK # volja 217.72.64.59 OK 217.72.64.60 OK # softnet 212.103.128.68 OK # mojnet 212.93.226.6 OK # telemach 213.143.65.10 OK # netsi 212.72.100.100 OK # siol 193.189.160.25 OK 193.189.160.18 OK # perftech 195.246.0.20 OK 195.246.0.21 OK 195.246.0.22 OK # arnes 193.2.1.74 OK 193.2.1.75 OK # BSN-77-157-5.dsl.siol.net OK 193.77.157.5 OK # dsl.siol.net 554 Uporabite streznik mail.siol.net za odhodno posto ali si uredite 'povratni naslov' za vas IP. Za nadaljne informacije klicite 080 1000 dial-up.siol.net 554 Uporabite streznik mail.siol.net za odhodno posto! Za nadaljne informacije klicite 080 1000 dial-up.volja.net 554 Uporabite streznik smtp.volja.net za odhodno posto. Za nadaljne informacije klicite 01 5875 888 dial.netsi.net 554 Uporabite streznik smtp.netsi.net za odhodno posto! dial-up.arnes.si 554 Uporabite streznik mail.arnes.si za odhodno posto! dial-up.moj.net 554 Uporabite streznik smtp.moj.net za odhodno posto ! For further info call 01 2345860! dialup.amis.net 554 Uporabite streznik smtp.amis.net za odhodno posto ! Za nadaljne informacije klicite 080 2010 adsl.amis.net 554 Uporabite streznik smtp.amis.net za odhodno posto ali si uredite 'povratni naslov' za vas IP. Za nadaljne informacije klicite 080 2010 cable.triera.net 554 Uporabite streznik smtp.triera.net za odhodno e-posto.

dsl.net 554 Use smtp.dsl.net as outgoing e-mail server!

/etc/postfix/sender_checks /@\[(10|127|0)\.|(192\.168)\./ 554 Use real IP numbers or FQDN /@\[172\.1[6-9]\./ 554 Use real IP numbers or FQDN /@\[172\.2[0-9]\./ 554 Use real IP numbers or FQDN /@\[172\.3[01]\./ 554 Use real IP numbers or FQDN

/etc/postfix/helo_checks your_fqdn_hostname_here 551 Bogus HELO

/etc/postfix/virtual virtual_domain.com whatever_that_is_not_used abuse@virtual_domain.com root postmaster@virtual_domain.com root hostmaster@virtual_domain.com root fu@virtual_domain.com other@email.com fuu@virtual_domain.com local_user

# all e-mails go into one/single mbox v_domain.org whatever_that_is_not_used @v_domain.org hegetsallmailfor@domena.org

/etc/postfix/header_checks # NIMDA /^.*boundary=\“====_ABC1234567890DEF_====\”/ REJECT /^.*boundary=\“====_ABC123456j7890DEF_====\”/ REJECT # /Subject:.*new photos from my party/ REJECT # /^Content-Type: multipart\/mixed; boundary=“—-[a-zA-Z0-9]+_Outlook_Express_message_boundary”/ 554 Infected with SirCam. # SIRCAM #/^.*_Outlook_Express_message_boundary/ REJECT # HYBRIS #/^.*boundary=“–VE/ REJECT # ALIZ #/^.*boundary=“bound”/ REJECT # SPAM #/^Subject:.*Try It BEFORE You Buy It.*/ REJECT #NextPart #/^.*boundary=”—-_=_NextPart_001.*“/ REJECT

/etc/postfix/body_checks

/^U*EsDBAoAAQAAA/ REJECT Encrypted Zip archive. /^Content-(Disposition|Type):.+file.+=”?.*\.(doc|zip|exe|xls|jpg|gif)\.(vbs|scr|pif|bat|com|exe|lnk)“?$/ REJECT /^begin [0-9]+*\.(scr|pif|exe|com|bat|shs|shb|vxd|rm|chm|vbs|ini|cmd|hta|reg|lnk|js|jse)/ REJECT /^<iframe src=(3D)?cid:.* height=(3D)?0 width=(3D)?0>$/ reject keep your viruses with you /AAAYmX3gXPgTs1z4E7Nc\+BOzJ\+Qfs1j4/ REJECT # Win32.Klez.Worm.H /^Content-Type:.*audio\/x-midi/ REJECT /<(iframe src=(3D)?cid:.* height=(3D)?0 width=(3D)?0)>/ REJECT content rejected: ${1}: virus code detected in this email

#or even more restrictive: /<(iframe src=(3D)?cid:)/ REJECT ${1}: No exploitable iframe code accepted here PCRE version of the above: /^\s*Content-(Disposition|Type).*name\s*=\s*”?(.*\.(doc|zip|exe|xls)\.(exe|vbe|vbs|vbx|vxd|wsc|wsf|wsh))(\?=)?“?\s*$/x REJECT Attachment name “$2” may not end with ”.$3“

postfix.1141710505.txt.gz · Last modified: 2009/05/25 00:34 (external edit)
Show pagesourceOld revisions
Media ManagerBack to top
CC Attribution-Share Alike 4.0 International
Driven by DokuWiki Recent changes RSS feed Valid CSS Valid XHTML 1.0 ipv6 ready