diff options
| author | Guilhem Moulin <guilhem@fripost.org> | 2015-06-11 16:35:31 +0200 |
|---|---|---|
| committer | Guilhem Moulin <guilhem@fripost.org> | 2015-06-11 16:35:31 +0200 |
| commit | 28b5b23c285511431923f22263f00ed0e5c19c1c (patch) | |
| tree | 9cd047e0a4ba244806532154117ae8db70e5adc2 | |
| parent | 56f58418111b90c254628a7631808f1511832f4d (diff) | |
Don't bounce unverified recipients upon 4xx errors.
We don't want to bounce messages for which the recipient(s)' MTA replies
451 due to some greylisting in place. We would like to accept 451
alone, but unfortunately it's not possible to bounce unverified
recipients due to DNS or networking errors.
| -rw-r--r-- | roles/MSA/templates/etc/postfix/main.cf.j2 | 3 | ||||
| -rw-r--r-- | roles/MX/templates/etc/postfix/main.cf.j2 | 2 | ||||
| -rw-r--r-- | roles/out/templates/etc/postfix/main.cf.j2 | 1 |
3 files changed, 2 insertions, 4 deletions
diff --git a/roles/MSA/templates/etc/postfix/main.cf.j2 b/roles/MSA/templates/etc/postfix/main.cf.j2 index 331753a..068a225 100644 --- a/roles/MSA/templates/etc/postfix/main.cf.j2 +++ b/roles/MSA/templates/etc/postfix/main.cf.j2 @@ -81,42 +81,41 @@ smtpd_tls_dh1024_param_file = /etc/ssl/private/dhparams.pem smtpd_tls_session_cache_database= btree:$data_directory/smtpd_tls_session_cache smtpd_tls_received_header = yes smtpd_tls_ask_ccert = yes # SASL smtpd_sasl_auth_enable = yes smtpd_sasl_authenticated_header = no smtpd_sasl_local_domain = smtpd_sasl_exceptions_networks = $mynetworks smtpd_sasl_security_options = noanonymous, noplaintext smtpd_sasl_tls_security_options = noanonymous broken_sasl_auth_clients = yes smtpd_sasl_type = dovecot smtpd_sasl_path = unix:private/dovecot-auth strict_rfc821_envelopes = yes smtpd_delay_reject = yes disable_vrfy_command = yes -# UCE control -unknown_client_reject_code = 554 +unverified_recipient_defer_code = 250 unverified_recipient_reject_code = 550 smtpd_client_restrictions = permit_sasl_authenticated reject smtpd_helo_required = yes smtpd_helo_restrictions = reject_invalid_helo_hostname smtpd_sender_restrictions = reject_non_fqdn_sender reject_unknown_sender_domain smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated reject smtpd_recipient_restrictions = diff --git a/roles/MX/templates/etc/postfix/main.cf.j2 b/roles/MX/templates/etc/postfix/main.cf.j2 index 11c8199..c911c05 100644 --- a/roles/MX/templates/etc/postfix/main.cf.j2 +++ b/roles/MX/templates/etc/postfix/main.cf.j2 @@ -104,42 +104,40 @@ smtpd_tls_ask_ccert = yes # http://en.linuxreviews.org/HOWTO_Stop_spam_using_Postfix # http://www.howtoforge.com/block_spam_at_mta_level_postfix strict_rfc821_envelopes = yes smtpd_delay_reject = yes disable_vrfy_command = yes # UCE control invalid_hostname_reject_code = 554 multi_recipient_bounce_reject_code = 554 non_fqdn_reject_code = 554 relay_domains_reject_code = 554 unknown_address_reject_code = 554 unknown_client_reject_code = 554 unknown_hostname_reject_code = 554 unknown_local_recipient_reject_code = 554 unknown_relay_recipient_reject_code = 554 unknown_virtual_alias_reject_code = 554 unknown_virtual_mailbox_reject_code = 554 -unverified_recipient_reject_code = 554 -unverified_sender_reject_code = 554 postscreen_blacklist_action = drop postscreen_dnsbl_threshold = 3 postscreen_dnsbl_action = enforce postscreen_dnsbl_sites = zen.spamhaus.org*3 swl.spamhaus.org*-4 b.barracudacentral.org*2 bl.spameatingmonkey.net*2 bl.spamcop.net dnsbl.sorbs.net list.dnswl.org=127.[0..255].[0..255].0*-2 list.dnswl.org=127.[0..255].[0..255].1*-3 list.dnswl.org=127.[0..255].[0..255].[2..255]*-4 postscreen_greet_action = enforce postscreen_whitelist_interfaces = !88.80.11.28 ![2a00:16b0:242:13::de30] static:all smtpd_client_restrictions = permit_mynetworks diff --git a/roles/out/templates/etc/postfix/main.cf.j2 b/roles/out/templates/etc/postfix/main.cf.j2 index 968e977..333e72e 100644 --- a/roles/out/templates/etc/postfix/main.cf.j2 +++ b/roles/out/templates/etc/postfix/main.cf.j2 @@ -51,40 +51,41 @@ smtp_tls_security_level = may smtp_tls_note_starttls_offer = yes smtp_tls_session_cache_database = btree:$data_directory/smtp_tls_session_cache relay_clientcerts = cdb:$config_directory/relay_clientcerts smtpd_tls_security_level = may smtpd_tls_exclude_ciphers = EXPORT, LOW, MEDIUM, aNULL, eNULL, DES, RC4, MD5 smtpd_tls_cert_file = /etc/postfix/ssl/{{ ansible_fqdn }}.pem smtpd_tls_key_file = /etc/postfix/ssl/{{ ansible_fqdn }}.key smtpd_tls_dh1024_param_file = /etc/ssl/private/dhparams.pem smtpd_tls_session_cache_database= btree:$data_directory/smtpd_tls_session_cache smtpd_tls_received_header = yes smtpd_tls_ask_ccert = yes smtpd_tls_session_cache_timeout = 3600s smtpd_tls_fingerprint_digest = sha256 strict_rfc821_envelopes = yes smtpd_delay_reject = yes disable_vrfy_command = yes +unverified_recipient_defer_code = 250 unverified_recipient_reject_code = 550 smtpd_client_restrictions = permit_mynetworks permit_tls_clientcerts # We are the only ones using this proxy, but if things go wrong we # want to know why defer smtpd_helo_required = yes smtpd_helo_restrictions = reject_invalid_helo_hostname smtpd_sender_restrictions = reject_non_fqdn_sender smtpd_relay_restrictions = permit_mynetworks permit_tls_clientcerts reject |