Spam Control Configurations
Cristiano Otto Von Trompczynski
1. Address extensions
Recipient delimiter
The "Recipient delimiter" option specifies the separator between
user names and address extensions (user+foo). See canonical(5),
local(8), relocated(5) and virtual(5) for the effects this has
on aliases, canonical, virtual, relocated and .forward file
lookups. Basically, the software tries user+foo and
.forward+foo before trying user and .forward. This option sets
the "recipient_delimiter" postfix variable.
2. Junk mail controls
Header checks
The "Header checks" option restricts what may appear in message
headers. This requires that POSIX or PCRE regular expression
support is built-in. Specify "/^header-name: stuff you do not
want/ REJECT" in the pattern file. Patterns are case-insensitive
by default. Note: specify only patterns ending in REJECT.
Patterns ending in OK are mostly a waste of cycles. This option
sets the "header_checks" postfix variable.
Body checks
The "Body checks" option specifies an optional table with
patterns that each physical non-header line is matched against
(including MIME headers inside the message body). Lines are
matched one at a time. Long lines are matched in chunks of at
most $line_length_limit characters. Patterns are matched in the
specified order, and the search stops upon the first match.
When a pattern matches, and the associated action is REJECT, the
entire message is rejected. This option sets the "body_checks"
postfix variable.
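The matching rules for header and body checks, sketched as an added example (not Postfix code and not part of the original page). It assumes Python's `re` as a stand-in for POSIX/PCRE matching and uses 2048 as the chunk size for `line_length_limit`; the table contents are constructed.

```python
import re

# Constructed sample table in the "/regexp/ ACTION" form described above.
SAMPLE_TABLE = """\
# blank lines and comments are skipped
/^Subject: .*make money fast/    REJECT
/^X-Mailer: BulkSender/          REJECT
"""

def parse_table(text):
    """Parse "/regexp/ ACTION" lines into [(compiled_regex, action)], in file order."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"/(.*)/\s+(\S+)", line)
        if m is None:
            raise ValueError(f"unparseable rule: {line!r}")
        # Case-insensitive by default, as the page states.
        rules.append((re.compile(m.group(1), re.IGNORECASE), m.group(2).upper()))
    return rules

def first_match(rules, lines, line_length_limit=2048):
    """Return (action, matched_chunk) for the first match, or None.

    Each line is cut into chunks of at most line_length_limit characters
    and each chunk is tested against the rules in table order.
    """
    for line in lines:
        chunks = [line[i:i + line_length_limit]
                  for i in range(0, len(line), line_length_limit)] or [""]
        for chunk in chunks:
            for regex, action in rules:
                if regex.search(chunk):
                    return action, chunk
    return None

if __name__ == "__main__":
    rules = parse_table(SAMPLE_TABLE)
    print(first_match(rules, ["From: a@example.com", "subject: MAKE MONEY FAST"]))
    # A pattern that straddles a chunk boundary is not seen:
    body = parse_table("/buy cheap pills/ REJECT")
    print(first_match(body, ["x" * 10 + "buy cheap pills"], line_length_limit=16))
```

The second call shows the practical consequence of chunked matching: text split across two chunks is not matched by a pattern that needs both halves.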
Networks
The "Networks" option specifies the list of networks that are
local to this machine. The list is used by the anti-UCE
software to distinguish local clients from strangers. See
permit_mynetworks and smtpd_recipient_restrictions in the
sample-smtpd.cf file.
The default is a list of all networks attached to the machine:
a complete class A network (X.0.0.0/8), a complete class B
network (X.X.0.0/16), and so on. If you want stricter control,
specify a list of network/mask patterns, where the mask
specifies the number of bits in the network part of a host
address. You can also specify the absolute pathname of a pattern
file instead of listing the patterns here. This option sets the
"mynetworks" postfix variable.
3. Additional UCE controls
Allow untrusted routing
The "Allow untrusted routing" option controls whether Postfix will
forward mail with sender-specified routing
(user[@%!]remote[@%!]site) from untrusted clients to
destinations that are blessed by the relay_domains parameter.
By default, untrusted clients are not allowed to specify
routing. This closes a nasty open relay loophole where a backup
MX host can be tricked into forwarding junk mail to a primary MX
host which then spams it out to the world. This option sets the
"allow_untrusted_routing" postfix variable.
Maps rbls domains
The "Maps rbls domains" option specifies an optional list of DNS
domains that publish the network addresses of blacklisted hosts.
By default, RBL blacklist lookups are disabled. See the
smtpd_client_restrictions parameter.
The real-time blackhole list works as follows: reverse the
client network address, and reject service if it is listed below
any of the following domains. This option sets the
"maps_rbl_domains" postfix variable.
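The lookup described above, as an added example (not Postfix code and not part of the original page). The list domains, the zone contents and the injectable `is_listed` resolver are assumptions made so the check runs offline; only IPv4 clients are handled.

```python
import ipaddress
import socket

def rbl_query_name(client_ip, rbl_domain):
    """Reverse the IPv4 octets and append the list's domain."""
    octets = str(ipaddress.IPv4Address(client_ip)).split(".")
    return ".".join(reversed(octets)) + "." + rbl_domain.strip(".")

def dns_has_a_record(name):
    """Live lookup: True if the name resolves (i.e. the client is listed)."""
    try:
        socket.gethostbyname(name)
        return True
    except socket.gaierror:
        return False

def rbl_verdict(client_ip, rbl_domains, is_listed=dns_has_a_record):
    """Check each configured domain in order; reject on the first listing."""
    for domain in rbl_domains:
        name = rbl_query_name(client_ip, domain)
        if is_listed(name):
            return "REJECT", name
    return "OK", None

# Constructed stand-in for DNS so the example runs offline.
FAKE_ZONE = {"1.2.0.192.bl.example"}
DOMAINS = ["rbl.example", "bl.example"]

if __name__ == "__main__":
    print(rbl_verdict("192.0.2.1", DOMAINS, FAKE_ZONE.__contains__))
    print(rbl_verdict("192.0.2.2", DOMAINS, FAKE_ZONE.__contains__))
```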
Relay domains
The "Relay domains" option restricts what client hostname
domains (and subdomains thereof) this mail system will relay
mail from, and restricts what destination domains (and
subdomains thereof) this system will relay mail to.
By default, Postfix relays mail:
- from trusted clients whose IP address matches "Networks",
- from trusted clients matching $relay_domains or subdomains
  thereof,
- from untrusted clients to destinations that match "Relay
  domains" or subdomains thereof, except addresses with
  sender-specified routing.
The default "Relay domains" value is $mydestination.
In addition to the above, the Postfix SMTP server by default
accepts mail that Postfix is final destination for:
- destinations that match "Network Interface",
- destinations that match "Destination",
- destinations that match "Virtual maps".
These destinations do not need to be listed in the "Relay
domains" option.
Specify a list of hosts or domains, /file/name patterns or
type:name lookup tables, separated by commas and/or whitespace.
A file name is replaced by its contents; a type:name table is
matched when a (parent) domain appears as lookup key. This
option sets the "relay_domains" postfix variable.
NOTE: Postfix will not automatically forward mail for domains
that list this system as their primary or backup MX host. See
the "permit mx backup" restriction, in the description of the
"Smtpd recipient restrictions" option.
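A simplified model of the default relay policy described in this section and under "Allow untrusted routing", as an added example (not Postfix code and not part of the original page). The configuration, host names and the `relay_decision` helper are hypothetical; "Network Interface" and "Virtual maps" destinations are folded into `mydestination` for brevity.

```python
import ipaddress
import re

# Constructed configuration for a backup MX; all names are placeholders.
SAMPLE_CFG = {
    "mynetworks": ["127.0.0.0/8", "192.0.2.0/24"],
    "mydestination": ["mx2.example"],
    "relay_domains": ["primary.example"],
    "allow_untrusted_routing": False,
}

def domain_matches(name, domains):
    """True if name equals one of domains or is a subdomain of it."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in domains)

def split_rcpt(rcpt):
    """Split at the last '@' so routing operators stay in the local part."""
    local, sep, domain = rcpt.rpartition("@")
    return (local, domain) if sep else (rcpt, "")

def relay_decision(client_ip, client_name, rcpt, cfg):
    local, domain = split_rcpt(rcpt)
    ip = ipaddress.ip_address(client_ip)
    if any(ip in ipaddress.ip_network(n) for n in cfg["mynetworks"]):
        return "permit: client in mynetworks"
    if client_name and domain_matches(client_name, cfg["relay_domains"]):
        return "permit: client name in relay_domains"
    if domain_matches(domain, cfg["mydestination"]):
        return "permit: final destination"
    if domain_matches(domain, cfg["relay_domains"]):
        # user[@%!]remote[@%!]site: a routing operator left of the last '@'
        if re.search(r"[@%!]", local) and not cfg["allow_untrusted_routing"]:
            return "reject: sender-specified routing"
        return "permit: destination in relay_domains"
    return "reject: relay access denied"

if __name__ == "__main__":
    for rcpt in ("user@primary.example",
                 "user%elsewhere.example@primary.example",
                 "user@elsewhere.example"):
        print(rcpt, "->", relay_decision("203.0.113.5", None, rcpt, SAMPLE_CFG))
```

With `allow_untrusted_routing` left at its default, the second recipient is refused even though its final domain is in `relay_domains`, which is the backup-MX case the page describes.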
Relay host
The "Relay host" option specifies the default host to send mail
to when no entry is matched in the optional transport(5) table.
When no relayhost is given, mail is routed directly to the
destination.
On an intranet, specify the organizational domain name. If your
internal DNS uses no MX records, specify the name of the
intranet gateway host instead.
Specify a domain, host, host:port, [address] or [address:port].
Use the form [destination] to turn off MX lookups. See also the
default_transport parameter if you're connected via UUCP. This
option sets the "relayhost" postfix variable.
4. Smtpd restriction
Smtpd etrn restriction
The "Smtpd etrn restriction" option restricts what clients are
allowed to issue the ETRN command. The present Postfix ETRN
differs from other ETRN implementations in that it flushes mail
for all destinations. This will change in the future.
The default is to allow ETRN from any host. The following
restrictions are available:
- reject the request if the client hostname is unknown.
- permit if the client address matches "Networks".
- check_client_access maptype:mapname: look up client name,
  parent domains, client address, or networks obtained by
  stripping octets. Reject if result is REJECT or "[45]xx text".
  Permit otherwise.
- reject if the client is listed under "Maps rbl domains".
- reject the request. Place this at the end of a restriction.
- permit the request. Place this at the end of a restriction.
This option sets the "smtpd_etrn_restrictions" postfix variable.
Smtpd sender restriction
The "Smtpd sender restriction" option specifies optional
restrictions on sender addresses that SMTP clients can send in
MAIL FROM commands.
The default is to permit any sender address. The following
restrictions are available:
- permit if the client address matches "Networks".
- reject the request if the client hostname is unknown.
- reject if the client is listed under $maps_rbl_domains.
- reject HELO hostname with bad syntax.
- reject HELO hostname without DNS A or MX record.
- reject sender domain without A or MX record.
- check_sender_access maptype:mapname: look up sender address,
  parent domain, or localpart@. Reject if result is REJECT or
  "[45]xx text". Permit otherwise.
- check_client_access maptype:mapname: see
  smtpd_client_restrictions.
- check_helo_access maptype:mapname: see smtpd_helo_restrictions.
- reject HELO hostname that is not in FQDN form.
- reject sender address that is not in FQDN form.
- reject the request. Place this at the end of a restriction.
- permit the request. Place this at the end of a restriction.
Restrictions are applied in the order specified; the first
restriction that matches wins. This option sets the
"smtpd_sender_restrictions" postfix variable.
Smtpd client restriction
The "Smtpd client restriction" option specifies optional
restrictions on SMTP client host names and addresses.
The default is to allow connections from any host. The
following restrictions are available:
- reject the request if the client hostname is unknown.
- permit if the client address matches "Networks".
- check_client_access maptype:mapname: look up client name,
  parent domains, client address, or networks obtained by
  stripping octets. Reject if result is REJECT or "[45]xx text".
  Permit otherwise.
- reject if the client is listed under $maps_rbl_domains.
- reject the request. Place this at the end of a restriction.
- permit the request. Place this at the end of a restriction.
Restrictions are applied in the order specified; the first
restriction that matches wins. This option sets the
"smtpd_client_restrictions" postfix variable.
Smtpd helo restriction
The smtpd_helo_restrictions parameter specifies optional
restrictions on what SMTP clients can send in SMTP HELO and EHLO
commands.
The default is to permit everything. The following restrictions
are available:
- permit if the client address matches $mynetworks.
- reject the request if the client hostname is unknown.
- reject if the client is listed under "Maps rbl domains".
- reject HELO hostname with bad syntax.
- reject HELO hostname without DNS A or MX record.
- reject HELO hostname that is not in FQDN form.
- check_helo_access maptype:mapname: look up HELO hostname or
  parent domains. Reject if result is REJECT or "[45]xx text".
  Permit otherwise.
- check_client_access maptype:mapname: see "Smtpd client
  restrictions".
- reject the request. Place this at the end of a restriction.
- permit the request. Place this at the end of a restriction.
Restrictions are applied in the order specified; the first
restriction that matches wins. This option sets the
"smtpd_helo_restrictions" postfix variable.
Smtpd recipient restriction
The "Smtpd recipient restriction" option specifies restrictions
on recipient addresses that SMTP clients can send in RCPT TO
commands.
By default, Postfix relays mail:
- from trusted clients whose IP address matches "Networks",
- from trusted clients matching "Relay domains" or subdomains
  thereof,
- from untrusted clients to destinations that match "Relay
  domains" or subdomains thereof, except addresses with
  sender-specified routing.
The default relay_domains value is "Destination".
In addition to the above, the Postfix SMTP server by default
accepts mail that Postfix is final destination for:
- destinations that match "Network Interface",
- destinations that match "Destination",
- destinations that match "Virtual maps".
These destinations do not need to be listed in "Relay domains".
The following restrictions are available (* is part of default
setting):
- *permit if the client address matches $mynetworks.
- reject the request if the client hostname is unknown.
- reject if the client is listed under $maps_rbl_domains.
- reject HELO hostname with bad syntax.
- reject HELO hostname without DNS A or MX record.
- reject sender domain without A or MX record.
- *check_relay_domains: permit only mail
    - to destinations matching "Network Interface",
      "Destination", or "Virtual maps",
    - from trusted clients matching "Relay domains" or subdomain
      thereof,
    - from untrusted clients to destinations matching "Relay
      domains" or subdomain thereof (except addresses with
      sender-specified routing).
  Reject anything else.
- permit auth destination: permit mail
    - to destinations matching "Network Interface",
      "Destination" or "Virtual Maps",
    - to destinations matching "Relay Domains" or subdomain
      thereof, except for addresses with sender-specified
      routing.
- reject mail unless it is sent
    - to destinations matching "Network Interface",
      "Destination" or $virtual_maps,
    - to destinations matching $relay_domains or subdomain
      thereof, except for addresses with sender-specified
      routing.
- reject mail from improperly pipelining spamware.
- accept mail for sites that list me as MX host.
- reject domains without A or MX record.
- check_recipient_access maptype:mapname: look up recipient
  address, parent domain, or localpart@. Reject if result is
  REJECT or "[45]xx text". Permit otherwise.
- check_client_access maptype:mapname: see "Smtpd client
  restrictions".
- check_helo_access maptype:mapname: see "Smtpd helo
  restrictions".
- check_sender_access maptype:mapname: see "Smtpd sender
  restrictions".
- reject HELO hostname that is not in FQDN form.
- reject sender address that is not in FQDN form.
- reject recipient address that is not in FQDN form.
- reject the request. Place this at the end of a restriction.
- permit the request. Place this at the end of a restriction.
Restrictions are applied in the order specified; the first
restriction that matches wins. This option sets the
"smtpd_recipient_restrictions" postfix variable.
NOTE: YOU MUST SPECIFY AT LEAST ONE OF THE FOLLOWING
RESTRICTIONS OTHERWISE POSTFIX REFUSES TO RECEIVE MAIL: