-rwxr-xr-x | postfix/anti-uce.sh | 19 | ||||
-rw-r--r-- | postfix/maps_rbl_domains (renamed from postfix/rbl_lookup_hosts) | 0 | ||||
-rw-r--r-- | postfix/smtpd_recipient_restrictions | 12 |
3 files changed, 25 insertions, 6 deletions
diff --git a/postfix/anti-uce.sh b/postfix/anti-uce.sh
index a06ebac..6eaca24 100755
--- a/postfix/anti-uce.sh
+++ b/postfix/anti-uce.sh
@@ -1,12 +1,19 @@
-#!/bin/sh
+#!/bin/bash
-mapsfile="/etc/local-COMMON/postfix/rbl_lookup_hosts"
-maps=`cat $mapsfile | grep -v '^#' | sed 's/#.*//' | tr "\n" "," | sed -e 's/[, ]\+/,/g' -e 's/,$//'`
+set -e
-postconf -e "smtpd_helo_required = no" # Requiring Helo causes false positives, even for local daemons
+paramdir="/etc/local-COMMON/postfix"
+
+function getlinefromfile() {
+ param="$1"
+ echo -n "$param = "
+ cat $paramdir/$param | grep -v '^#' | sed 's/#.*//' | tr "\n" "," | sed -e 's/[, ]\+/,/g' -e 's/,$//'
+}
+
+postconf -e "smtpd_helo_required = yes"
 postconf -e "permit_mx_backup_networks = /etc/local-COMMON/postfix/mx_networks"
-postconf -e "maps_rbl_domains = $maps"
-postconf -e "smtpd_recipient_restrictions = reject_invalid_hostname,reject_non_fqdn_hostname,reject_non_fqdn_sender,reject_non_fqdn_recipient,reject_unknown_sender_domain,reject_unknown_recipient_domain,reject_unauth_pipelining,permit_mynetworks,permit_mx_backup,reject_unauth_destination,reject_maps_rbl,reject"
+postconf -e "`getlinefromfile maps_rbl_domains`"
+postconf -e "`getlinefromfile smtpd_recipient_restrictions`"
 /etc/init.d/postfix reload
diff --git a/postfix/rbl_lookup_hosts b/postfix/maps_rbl_domains
index 53ded7c..53ded7c 100644
--- a/postfix/rbl_lookup_hosts
+++ b/postfix/maps_rbl_domains
diff --git a/postfix/smtpd_recipient_restrictions b/postfix/smtpd_recipient_restrictions
new file mode 100644
index 0000000..ec48c9a
--- /dev/null
+++ b/postfix/smtpd_recipient_restrictions
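Review bot: A missing or unreadable file under `$paramdir` is not caught by the new `set -e`: the pipeline in `getlinefromfile` returns the status of its final `sed`, and a failure inside the command substitution passed to `postconf -e` is never inspected, so the script would write `maps_rbl_domains = ` or `smtpd_recipient_restrictions = ` with an empty value and still reload Postfix. An empty RBL list presumably leaves `reject_maps_rbl` with nothing to query, which is a silent loss of filtering rather than a visible error. Since the shebang is now bash, enabling `pipefail` and assigning each result to a variable before calling `postconf` stops the run before the configuration is touched; `"$paramdir/$param"` should also be quoted. With `pipefail`, a file holding only comments makes `grep -v` return 1 and aborts as well, which looks like the safer outcome.

```shell
set -eo pipefail   # a failing cat/grep now fails the whole pipeline

# … unchanged: paramdir, getlinefromfile, smtpd_helo_required, permit_mx_backup_networks …

# Assign first: set -e ignores a failed substitution used directly as an argument.
rbl_line=$(getlinefromfile maps_rbl_domains)
restrictions_line=$(getlinefromfile smtpd_recipient_restrictions)
postconf -e "$rbl_line"
postconf -e "$restrictions_line"
```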
@@ -0,0 +1,12 @@
+reject_invalid_hostname
+#reject_non_fqdn_hostname # These should only be enabled on a true mailhub (even some Debian daemons expect to be able to deliver to localhost)
+#reject_non_fqdn_sender
+#reject_non_fqdn_recipient
+reject_unknown_sender_domain
+reject_unknown_recipient_domain
+reject_unauth_pipelining
+permit_mynetworks
+permit_mx_backup
+reject_unauth_destination
+reject_maps_rbl
+reject # Not really needed, but just to be on the safe side... |
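Review bot: Nothing in this new file tells an editor that the entries are evaluated in order and that the first matching permit or reject decides, so a broad permit added above `reject_unauth_destination` would change who may relay. A header such as `# One restriction per line, evaluated top to bottom, first match wins; anything placed above reject_unauth_destination can permit relaying.` would be dropped by the `grep -v '^#'` in anti-uce.sh and documents that. The three commented-out `reject_non_fqdn_*` checks were active in the inline list this commit removes from anti-uce.sh, so a host that is a true mailhub loses them unless it re-enables them here. The explanatory comment sits only on the first of the three lines, and stating that it covers all three would avoid a partial re-enable.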