[postfix-users] Spam relay via hijacked user account

Jakob-Matthias Böttger jakob.boettger at mailbox.org
Thu Aug 21 09:11:08 CEST 2014


Hello,

one possibility that comes to mind right now would be the following.

Remove permit_sasl_authenticated on the smtpd on port 25.
That is, in smtpd_recipient_restrictions =
    permit_tls_clientcerts,
    check_sender_access hash:/etc/postfix/whitelist,
    check_sender_access regexp:/etc/postfix/tag_as_originating.re,
    check_sender_access regexp:/etc/postfix/tag_as_foreign.re,
    reject_non_fqdn_hostname,
    reject_unknown_reverse_client_hostname,
    reject_unauth_destination,
    reject_rbl_client cbl.abuseat.org

Then set up submission in master.cf.
Configure submission with -o permit_sasl_authenticated and the other
recipient_restrictions, and then use the xtables iptables extension
and GeoIP on submission (tcp 587) to block, e.g., Ukraine
(95.132.60.248 is from Ukraine). Unless you have customers or users
who need to send mail via submission from Ukraine. Furthermore, all
users of your mail system must of course configure their clients so
that they submit via the submission port.

That way, mail can still be delivered to your server normally from all
over the world (25 tcp).
Authenticated users from dial-up networks, however, can only submit
from the permitted regions.
Unfortunately, that still does not solve the problem of the hijacked
password.

Regards, Jakob

On 21.08.2014 at 07:59, Matthias Schmidt wrote:
> Hello,
> I see many, many mails in my log that come from somewhere and mostly go to French Yahoo addresses.
>
> I tested the server via http://mxtoolbox.com/ and the tool says it is not an open relay.
>
> After digging further through the logs, it looks as if a user account was cracked.
> I changed the corresponding password right away.
>
> amavis accordingly emits the following warning:
> Open relay? Nonlocal recips but not originating
> Can I somehow prevent this, so that sending is only allowed from local accounts, despite a cracked login?
>
>
> In the log it looks like this:
>
> Aug 21 14:22:52 mcgregor postfix/smtpd[61457]: connect from 248-60-132-95.pool.ukrtel.net[95.132.60.248]
> Aug 21 14:22:55 mcgregor postfix/smtpd[61457]: BD714344E77: client=248-60-132-95.pool.ukrtel.net[95.132.60.248], sasl_method=LOGIN, sasl_username=xxxxxxx
> Aug 21 14:23:00 mcgregor postfix/cleanup[60895]: BD714344E77: message-id=<B3A6F10C541CA98284500355DD992F56 at schmidt-system.de>
> Aug 21 14:23:00 mcgregor postfix/qmgr[52031]: BD714344E77: from=<xavierjoly20 at yahoo.com>, size=1663, nrcpt=8 (queue active)
> Aug 21 14:23:00 mcgregor amavis[54462]: (54462-03) process_request: fileno sock=15, STDIN=0, STDOUT=1
> Aug 21 14:23:00 mcgregor amavis[54462]: (54462-04) ESMTP::10024 /var/amavis/tmp/amavis-20140821T141253-54462: <xavierjoly20 at yahoo.com> -> <isabelle.andpae at gmail.com>,<fruleux.svt at laposte.net>,<juliette.jamey at laposte.net>,<legendre.jeanphilippe at neuf.fr>,<bailleulcastelain at nordnet.fr>,<gerardcourbet at sfr.fr>,<s.rey at we-ef.com>,<juliesaerens at yahoo.fr> SIZE=1663 Received: from mcgregor.admilon.net ([127.0.0.1]) by localhost (mcgregor.admilon.net [127.0.0.1]) (amavisd-new, port 10024) with ESMTP; Thu, 21 Aug 2014 14:23:00 +0900 (JST)
> Aug 21 14:23:00 mcgregor amavis[54462]: (54462-04) smtp connection cache, dt: 214.3, state: 1
> Aug 21 14:23:00 mcgregor amavis[54462]: (54462-04) smtp connection cache, dt: 214.3 -> disabling
> Aug 21 14:23:00 mcgregor amavis[54462]: (54462-04) body hash: ebb4b50a64e9df85ce48d1c539e100c0
> Aug 21 14:23:00 mcgregor amavis[54462]: (54462-04) Checking: enF3iG7mT0bU [95.132.60.248] <xavierjoly20 at yahoo.com> -> <isabelle.andpae at gmail.com>,<fruleux.svt at laposte.net>,<juliette.jamey at laposte.net>,<legendre.jeanphilippe at neuf.fr>,<bailleulcastelain at nordnet.fr>,<gerardcourbet at sfr.fr>,<s.rey at we-ef.com>,<juliesaerens at yahoo.fr>
> Aug 21 14:23:00 mcgregor amavis[54462]: (54462-04) 2822.From: <xavierjoly20 at yahoo.com>
> Aug 21 14:23:00 mcgregor amavis[54462]: (54462-04) Open relay? Nonlocal recips but not originating: isabelle.andpae at gmail.com, fruleux.svt at laposte.net, juliette.jamey at laposte.net, legendre.jeanphilippe at neuf.fr, bailleulcastelain at nordnet.fr, gerardcourbet at sfr.fr, s.rey at we-ef.com, juliesaerens at yahoo.fr
> Aug 21 14:23:00 mcgregor amavis[54462]: (54462-04) p003 1 Content-Type: multipart/alternative
> Aug 21 14:23:00 mcgregor amavis[54462]: (54462-04) p001 1/1 Content-Type: text/plain, size: 39 B, name: 
> Aug 21 14:23:00 mcgregor amavis[54462]: (54462-04) p002 1/2 Content-Type: text/html, size: 148 B, name: 
> Aug 21 14:23:00 mcgregor amavis[54462]: (54462-04) Checking for banned types and filenames
> Aug 21 14:23:00 mcgregor amavis[54462]: (54462-04) collect banned table[0]: isabelle.andpae at gmail.com, tables: DEFAULT=>Amavis::Lookup::RE=ARRAY(0x100e0eea8)
> Aug 21 14:23:00 mcgregor amavis[54462]: (54462-04) collect banned table[0]: fruleux.svt at laposte.net, tables: DEFAULT=>Amavis::Lookup::RE=ARRAY(0x100e0eea8)
> Aug 21 14:23:00 mcgregor amavis[54462]: (54462-04) collect banned table[0]: juliette.jamey at laposte.net, tables: DEFAULT=>Amavis::Lookup::RE=ARRAY(0x100e0eea8)
> Aug 21 14:23:00 mcgregor amavis[54462]: (54462-04) collect banned table[0]: legendre.jeanphilippe at neuf.fr, tables: DEFAULT=>Amavis::Lookup::RE=ARRAY(0x100e0eea8)
> Aug 21 14:23:00 mcgregor amavis[54462]: (54462-04) collect banned table[0]: bailleulcastelain at nordnet.fr, tables: DEFAULT=>Amavis::Lookup::RE=ARRAY(0x100e0eea8)
> Aug 21 14:23:00 mcgregor amavis[54462]: (54462-04) collect banned table[0]: gerardcourbet at sfr.fr, tables: DEFAULT=>Amavis::Lookup::RE=ARRAY(0x100e0eea8)
> Aug 21 14:23:00 mcgregor amavis[54462]: (54462-04) collect banned table[0]: s.rey at we-ef.com, tables: DEFAULT=>Amavis::Lookup::RE=ARRAY(0x100e0eea8)
> Aug 21 14:23:00 mcgregor amavis[54462]: (54462-04) collect banned table[0]: juliesaerens at yahoo.fr, tables: DEFAULT=>Amavis::Lookup::RE=ARRAY(0x100e0eea8)
> Aug 21 14:23:00 mcgregor amavis[54462]: (54462-04) p.path isabelle.andpae at gmail.com: "P=p003,L=1,M=multipart/alternative | P=p001,L=1/1,M=text/plain,T=asc"
> Aug 21 14:23:00 mcgregor amavis[54462]: (54462-04) p.path fruleux.svt at laposte.net: "P=p003,L=1,M=multipart/alternative | P=p001,L=1/1,M=text/plain,T=asc"
> Aug 21 14:23:00 mcgregor amavis[54462]: (54462-04) p.path juliette.jamey at laposte.net: "P=p003,L=1,M=multipart/alternative | P=p001,L=1/1,M=text/plain,T=asc"
> Aug 21 14:23:00 mcgregor amavis[54462]: (54462-04) p.path legendre.jeanphilippe at neuf.fr: "P=p003,L=1,M=multipart/alternative | P=p001,L=1/1,M=text/plain,T=asc"
> Aug 21 14:23:00 mcgregor amavis[54462]: (54462-04) p.path bailleulcastelain at nordnet.fr: "P=p003,L=1,M=multipart/alternative | P=p001,L=1/1,M=text/plain,T=asc"
> Aug 21 14:23:00 mcgregor amavis[54462]: (54462-04) p.path gerardcourbet at sfr.fr: "P=p003,L=1,M=multipart/alternative | P=p001,L=1/1,M=text/plain,T=asc"
> Aug 21 14:23:00 mcgregor amavis[54462]: (54462-04) p.path s.rey at we-ef.com: "P=p003,L=1,M=multipart/alternative | P=p001,L=1/1,M=text/plain,T=asc"
> Aug 21 14:23:00 mcgregor amavis[54462]: (54462-04) p.path juliesaerens at yahoo.fr: "P=p003,L=1,M=multipart/alternative | P=p001,L=1/1,M=text/plain,T=asc"
> Aug 21 14:23:00 mcgregor amavis[54462]: (54462-04) p.path isabelle.andpae at gmail.com: "P=p003,L=1,M=multipart/alternative | P=p002,L=1/2,M=text/html,T=html"
> Aug 21 14:23:00 mcgregor amavis[54462]: (54462-04) p.path fruleux.svt at laposte.net: "P=p003,L=1,M=multipart/alternative | P=p002,L=1/2,M=text/html,T=html"
> Aug 21 14:23:00 mcgregor amavis[54462]: (54462-04) p.path juliette.jamey at laposte.net: "P=p003,L=1,M=multipart/alternative | P=p002,L=1/2,M=text/html,T=html"
> Aug 21 14:23:00 mcgregor amavis[54462]: (54462-04) p.path legendre.jeanphilippe at neuf.fr: "P=p003,L=1,M=multipart/alternative | P=p002,L=1/2,M=text/html,T=html"
> Aug 21 14:23:00 mcgregor amavis[54462]: (54462-04) p.path bailleulcastelain at nordnet.fr: "P=p003,L=1,M=multipart/alternative | P=p002,L=1/2,M=text/html,T=html"
> Aug 21 14:23:00 mcgregor amavis[54462]: (54462-04) p.path gerardcourbet at sfr.fr: "P=p003,L=1,M=multipart/alternative | P=p002,L=1/2,M=text/html,T=html"
> Aug 21 14:23:00 mcgregor amavis[54462]: (54462-04) p.path s.rey at we-ef.com: "P=p003,L=1,M=multipart/alternative | P=p002,L=1/2,M=text/html,T=html"
> Aug 21 14:23:00 mcgregor amavis[54462]: (54462-04) p.path juliesaerens at yahoo.fr: "P=p003,L=1,M=multipart/alternative | P=p002,L=1/2,M=text/html,T=html"
> Aug 21 14:23:00 mcgregor amavis[54462]: (54462-04) ask_av Using (ClamAV-clamd): CONTSCAN /var/amavis/tmp/amavis-20140821T141253-54462/parts\n
> Aug 21 14:23:00 mcgregor amavis[54462]: (54462-04) ClamAV-clamd: Connecting to socket  /var/amavis/clamd
> Aug 21 14:23:00 mcgregor amavis[54462]: (54462-04) ClamAV-clamd: Sending CONTSCAN /var/amavis/tmp/amavis-20140821T141253-54462/parts\n to UNIX socket /var/amavis/clamd
> Aug 21 14:23:00 mcgregor amavis[54462]: (54462-04) run_av (ClamAV-clamd): CLEAN
> Aug 21 14:23:00 mcgregor amavis[54462]: (54462-04) run_av (ClamAV-clamd) result: clean
>
>
> Here is my postconf -n:
> 2bounce_notice_recipient = postmaster
> access_map_reject_code = 554
> address_verify_default_transport = $default_transport
> address_verify_local_transport = $local_transport
> address_verify_map = 
> address_verify_negative_cache = yes
> address_verify_negative_expire_time = 3d
> address_verify_negative_refresh_time = 3h
> address_verify_poll_count = 3
> address_verify_poll_delay = 3s
> address_verify_positive_expire_time = 31d
> address_verify_positive_refresh_time = 7d
> address_verify_relay_transport = $relay_transport
> address_verify_relayhost = $relayhost
> address_verify_sender = $double_bounce_sender
> address_verify_sender_dependent_relayhost_maps = $sender_dependent_relayhost_maps
> address_verify_service_name = verify
> address_verify_transport_maps = $transport_maps
> address_verify_virtual_transport = $virtual_transport
> alias_database = hash:/etc/aliases
> alias_maps = hash:/etc/aliases,hash:/var/mailman/data/aliases
> allow_mail_to_commands = alias, forward
> allow_mail_to_files = alias, forward
> always_bcc = 
> anvil_rate_time_unit = 60s
> anvil_status_update_time = 600s
> application_event_drain_time = 100s
> authorized_flush_users = static:anyone
> authorized_mailq_users = static:anyone
> authorized_submit_users = static:anyone
> backwards_bounce_logfile_compatibility = yes
> berkeley_db_create_buffer_size = 16777216
> berkeley_db_read_buffer_size = 131072
> best_mx_transport = 
> body_checks_size_limit = 51200
> bounce_notice_recipient = postmaster
> bounce_queue_lifetime = 5d
> bounce_service_name = bounce
> bounce_size_limit = 50000
> bounce_template_file = 
> canonical_classes = envelope_sender, envelope_recipient, header_sender, header_recipient
> check_for_od_forward = yes
> cleanup_service_name = cleanup
> command_directory = /usr/sbin
> command_execution_directory = 
> command_expansion_filter = 1234567890!@%-_=+:,./abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ
> command_time_limit = 1000s
> config_directory = /etc/postfix
> connection_cache_protocol_timeout = 5s
> connection_cache_service_name = scache
> connection_cache_status_update_time = 600s
> connection_cache_ttl_limit = 2s
> content_filter = smtp-amavis:[127.0.0.1]:10024
> cyrus_sasl_config_path = 
> daemon_directory = /usr/libexec/postfix
> daemon_timeout = 18000s
> data_directory = /var/lib/postfix
> debug_peer_level = 5
> debug_peer_list = 
> default_database_type = hash
> default_delivery_slot_cost = 5
> default_delivery_slot_discount = 50
> default_delivery_slot_loan = 3
> default_destination_concurrency_failed_cohort_limit = 1
> default_destination_concurrency_limit = 20
> default_destination_concurrency_negative_feedback = 1
> default_destination_concurrency_positive_feedback = 1
> default_destination_rate_delay = 0s
> default_destination_recipient_limit = 50
> default_extra_recipient_limit = 1000
> default_minimum_delivery_slots = 3
> default_privs = nobody
> default_process_limit = 100
> default_rbl_reply = $rbl_code Service unavailable; $rbl_class [$rbl_what] blocked using $rbl_domain${rbl_reason?; $rbl_reason}
> default_recipient_limit = 20000
> default_recipient_refill_delay = 5s
> default_recipient_refill_limit = 100
> default_transport = smtp
> default_verp_delimiters = +=
> defer_code = 450
> defer_service_name = defer
> defer_transports = 
> delay_logging_resolution_limit = 2
> delay_notice_recipient = postmaster
> delay_warning_time = 0h
> deliver_lock_attempts = 20
> deliver_lock_delay = 1s
> destination_concurrency_feedback_debug = no
> detect_8bit_encoding_header = yes
> dont_remove = 0
> double_bounce_sender = double-bounce
> duplicate_filter_limit = 1000
> empty_address_recipient = MAILER-DAEMON
> empty_address_relayhost_maps_lookup_key = <>
> enable_original_recipient = yes
> enable_server_options = yes
> error_notice_recipient = postmaster
> error_service_name = error
> execution_directory_expansion_filter = 1234567890!@%-_=+:,./abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ
> export_environment = TZ MAIL_CONFIG LANG
> fallback_transport = 
> fallback_transport_maps = 
> fast_flush_domains = $relay_domains
> fast_flush_purge_time = 7d
> fast_flush_refresh_time = 12h
> fault_injection_code = 0
> flush_service_name = flush
> fork_attempts = 5
> fork_delay = 1s
> forward_expansion_filter = 1234567890!@%-_=+:,./abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ
> forward_path = $home/.forward${recipient_delimiter}${extension}, $home/.forward
> frozen_delivered_to = yes
> hash_queue_depth = 1
> hash_queue_names = deferred,defer
> header_address_token_limit = 10240
> header_checks = pcre:/etc/postfix/custom_header_checks
> header_size_limit = 102400
> hopcount_limit = 50
> html_directory = no
> import_environment = MAIL_CONFIG MAIL_DEBUG MAIL_LOGTAG TZ XAUTHORITY DISPLAY LANG=C
> in_flow_delay = 1s
> inet_interfaces = all
> inet_protocols = ipv4
> initial_destination_concurrency = 5
> internal_mail_filter_classes = 
> invalid_hostname_reject_code = 501
> ipc_idle = 5s
> ipc_timeout = 3600s
> ipc_ttl = 1000s
> line_length_limit = 2048
> lmtp_bind_address = 
> lmtp_bind_address6 = 
> lmtp_body_checks = 
> lmtp_cname_overrides_servername = no
> lmtp_connect_timeout = 0s
> lmtp_connection_cache_destinations = 
> lmtp_connection_cache_on_demand = yes
> lmtp_connection_cache_time_limit = 2s
> lmtp_connection_reuse_time_limit = 300s
> lmtp_data_done_timeout = 600s
> lmtp_data_init_timeout = 120s
> lmtp_data_xfer_timeout = 180s
> lmtp_defer_if_no_mx_address_found = no
> lmtp_destination_concurrency_failed_cohort_limit = $default_destination_concurrency_failed_cohort_limit
> lmtp_destination_concurrency_limit = $default_destination_concurrency_limit
> lmtp_destination_concurrency_negative_feedback = $default_destination_concurrency_negative_feedback
> lmtp_destination_concurrency_positive_feedback = $default_destination_concurrency_positive_feedback
> lmtp_destination_rate_delay = $default_destination_rate_delay
> lmtp_destination_recipient_limit = $default_destination_recipient_limit
> lmtp_discard_lhlo_keyword_address_maps = 
> lmtp_discard_lhlo_keywords = 
> lmtp_enforce_tls = no
> lmtp_generic_maps = 
> lmtp_header_checks = 
> lmtp_host_lookup = dns
> lmtp_initial_destination_concurrency = $initial_destination_concurrency
> lmtp_lhlo_name = $myhostname
> lmtp_lhlo_timeout = 300s
> lmtp_line_length_limit = 990
> lmtp_mail_timeout = 300s
> lmtp_mime_header_checks = 
> lmtp_mx_address_limit = 5
> lmtp_mx_session_limit = 2
> lmtp_nested_header_checks = 
> lmtp_pix_workaround_delay_time = 10s
> lmtp_pix_workaround_maps = 
> lmtp_pix_workaround_threshold_time = 500s
> lmtp_pix_workarounds = disable_esmtp,delay_dotcrlf
> lmtp_quit_timeout = 300s
> lmtp_quote_rfc821_envelope = yes
> lmtp_randomize_addresses = yes
> lmtp_rcpt_timeout = 300s
> lmtp_rset_timeout = 20s
> lmtp_sasl_auth_cache_name = 
> lmtp_sasl_auth_cache_time = 90d
> lmtp_sasl_auth_soft_bounce = yes
> lmtp_sasl_mechanism_filter = 
> lmtp_sasl_path = 
> lmtp_sasl_security_options = noplaintext, noanonymous
> lmtp_sasl_tls_security_options = $lmtp_sasl_security_options
> lmtp_sasl_tls_verified_security_options = $lmtp_sasl_tls_security_options
> lmtp_sasl_type = cyrus
> lmtp_send_xforward_command = no
> lmtp_sender_dependent_authentication = no
> lmtp_skip_5xx_greeting = yes
> lmtp_starttls_timeout = 300s
> lmtp_tcp_port = 24
> lmtp_tls_CAfile = 
> lmtp_tls_CApath = 
> lmtp_tls_cert_file = 
> lmtp_tls_dcert_file = 
> lmtp_tls_dkey_file = $lmtp_tls_dcert_file
> lmtp_tls_enforce_peername = yes
> lmtp_tls_exclude_ciphers = 
> lmtp_tls_fingerprint_cert_match = 
> lmtp_tls_fingerprint_digest = md5
> lmtp_tls_key_file = $lmtp_tls_cert_file
> lmtp_tls_loglevel = 0
> lmtp_tls_mandatory_ciphers = medium
> lmtp_tls_mandatory_exclude_ciphers = 
> lmtp_tls_mandatory_protocols = SSLv3, TLSv1
> lmtp_tls_note_starttls_offer = no
> lmtp_tls_per_site = 
> lmtp_tls_policy_maps = 
> lmtp_tls_scert_verifydepth = 9
> lmtp_tls_secure_cert_match = nexthop
> lmtp_tls_security_level = 
> lmtp_tls_session_cache_database = 
> lmtp_tls_session_cache_timeout = 3600s
> lmtp_tls_verify_cert_match = hostname
> lmtp_use_tls = no
> lmtp_xforward_timeout = 300s
> local_command_shell = 
> local_destination_concurrency_failed_cohort_limit = $default_destination_concurrency_failed_cohort_limit
> local_destination_concurrency_limit = 2
> local_destination_concurrency_negative_feedback = $default_destination_concurrency_negative_feedback
> local_destination_concurrency_positive_feedback = $default_destination_concurrency_positive_feedback
> local_destination_rate_delay = $default_destination_rate_delay
> local_destination_recipient_limit = 1
> local_header_rewrite_clients = permit_inet_interfaces
> local_initial_destination_concurrency = $initial_destination_concurrency
> local_recipient_maps = proxy:unix:passwd.byname $alias_maps
> local_transport = local:$myhostname
> luser_relay = 
> mail_name = Postfix
> mail_owner = _postfix
> mail_release_date = 20080902
> mail_spool_directory = /var/mail
> mail_version = 2.5.5
> mailbox_command = 
> mailbox_command_maps = 
> mailbox_delivery_lock = flock, dotlock
> mailbox_size_limit = 0
> mailbox_transport = dovecot
> mailbox_transport_maps = 
> mailq_path = /usr/bin/mailq
> manpage_directory = /usr/share/man
> maps_rbl_domains = 
> maps_rbl_reject_code = 554
> masquerade_classes = envelope_sender, header_sender, header_recipient
> masquerade_domains = 
> masquerade_exceptions = 
> max_idle = 100s
> max_use = 100
> maximal_backoff_time = 4000s
> maximal_queue_lifetime = 5d
> message_reject_characters = 
> message_size_limit = 41943040
> message_strip_characters = 
> milter_command_timeout = 30s
> milter_connect_macros = j {daemon_name} v
> milter_connect_timeout = 30s
> milter_content_timeout = 300s
> milter_data_macros = i
> milter_default_action = tempfail
> milter_end_of_data_macros = i
> milter_end_of_header_macros = i
> milter_helo_macros = {tls_version} {cipher} {cipher_bits} {cert_subject} {cert_issuer}
> milter_macro_daemon_name = $myhostname
> milter_macro_v = $mail_name $mail_version
> milter_mail_macros = i {auth_type} {auth_authen} {auth_author} {mail_addr}
> milter_protocol = 2
> milter_rcpt_macros = i {rcpt_addr}
> milter_unknown_command_macros = 
> mime_boundary_length_limit = 2048
> mime_header_checks = $header_checks
> mime_nesting_limit = 100
> minimal_backoff_time = 300s
> multi_recipient_bounce_reject_code = 550
> mydestination = $myhostname, localhost.$mydomain, localhost, mail.$mydomain, liste.$mydomain, $mydomain
> mydomain = admilon.net
> mydomain_fallback = localhost
> myhostname = mcgregor.admilon.net
> mynetworks = 127.0.0.0/8,192.168.2.0/24,192.168.1.0/24
> mynetworks_style = host
> myorigin = $myhostname
> nested_header_checks = $header_checks
> newaliases_path = /usr/bin/newaliases
> non_fqdn_reject_code = 504
> non_smtpd_milters = 
> notify_classes = resource, software
> owner_request_special = no
> parent_domain_matches_subdomains = debug_peer_list,fast_flush_domains,mynetworks,permit_mx_backup_networks,qmqpd_authorized_clients,relay_domains,smtpd_access_maps
> permit_mx_backup_networks = 
> pickup_service_name = pickup
> plaintext_reject_code = 450
> prepend_delivered_header = command, file, forward
> process_id_directory = pid
> propagate_unmatched_extensions = canonical, virtual
> proxy_interfaces = 
> proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $sender_bcc_maps $recipient_bcc_maps $smtp_generic_maps $lmtp_generic_maps
> proxy_write_maps = $smtp_sasl_auth_cache_name $lmtp_sasl_auth_cache_name
> qmgr_clog_warn_time = 300s
> qmgr_fudge_factor = 100
> qmgr_message_active_limit = 20000
> qmgr_message_recipient_limit = 20000
> qmgr_message_recipient_minimum = 10
> qmqpd_authorized_clients = 
> qmqpd_client_port_logging = no
> qmqpd_error_delay = 1s
> qmqpd_timeout = 300s
> queue_directory = /private/var/spool/postfix
> queue_file_attribute_count_limit = 100
> queue_minfree = 0
> queue_run_delay = 300s
> queue_service_name = qmgr
> rbl_reply_maps = 
> readme_directory = /usr/share/doc/postfix
> receive_override_options = 
> recipient_bcc_maps = 
> recipient_canonical_classes = envelope_recipient, header_recipient
> recipient_delimiter = +
> reject_code = 554
> relay_clientcerts = 
> relay_destination_concurrency_failed_cohort_limit = $default_destination_concurrency_failed_cohort_limit
> relay_destination_concurrency_limit = $default_destination_concurrency_limit
> relay_destination_concurrency_negative_feedback = $default_destination_concurrency_negative_feedback
> relay_destination_concurrency_positive_feedback = $default_destination_concurrency_positive_feedback
> relay_destination_rate_delay = $default_destination_rate_delay
> relay_destination_recipient_limit = $default_destination_recipient_limit
> relay_domains = $mydestination
> relay_domains_reject_code = 554
> relay_initial_destination_concurrency = $initial_destination_concurrency
> relay_recipient_maps = 
> relay_transport = relay
> relayhost = 
> relocated_maps = 
> remote_header_rewrite_domain = 
> resolve_null_domain = no
> resolve_numeric_domain = no
> rewrite_service_name = rewrite
> sample_directory = /usr/share/doc/postfix/examples
> send_cyrus_sasl_authzid = no
> sender_bcc_maps = 
> sender_canonical_classes = envelope_sender, header_sender
> sender_canonical_maps = 
> sender_dependent_relayhost_maps = 
> sendmail_path = /usr/sbin/sendmail
> service_throttle_time = 60s
> setgid_group = _postdrop
> showq_service_name = showq
> smtp_bind_address6 = 
> smtp_body_checks = 
> smtp_cname_overrides_servername = no
> smtp_connect_timeout = 30s
> smtp_connection_cache_destinations = 
> smtp_connection_cache_on_demand = yes
> smtp_connection_cache_time_limit = 2s
> smtp_connection_reuse_time_limit = 300s
> smtp_data_done_timeout = 600s
> smtp_data_init_timeout = 120s
> smtp_data_xfer_timeout = 180s
> smtp_defer_if_no_mx_address_found = no
> smtp_destination_concurrency_failed_cohort_limit = $default_destination_concurrency_failed_cohort_limit
> smtp_destination_concurrency_limit = $default_destination_concurrency_limit
> smtp_destination_concurrency_negative_feedback = $default_destination_concurrency_negative_feedback
> smtp_destination_concurrency_positive_feedback = $default_destination_concurrency_positive_feedback
> smtp_destination_rate_delay = $default_destination_rate_delay
> smtp_destination_recipient_limit = $default_destination_recipient_limit
> smtp_discard_ehlo_keyword_address_maps = 
> smtp_discard_ehlo_keywords = 
> smtp_fallback_relay = $fallback_relay
> smtp_generic_maps = 
> smtp_header_checks = 
> smtp_helo_name = $myhostname
> smtp_helo_timeout = 300s
> smtp_host_lookup = dns
> smtp_initial_destination_concurrency = $initial_destination_concurrency
> smtp_line_length_limit = 990
> smtp_mail_timeout = 300s
> smtp_mime_header_checks = 
> smtp_mx_address_limit = 5
> smtp_mx_session_limit = 2
> smtp_nested_header_checks = 
> smtp_pix_workaround_delay_time = 10s
> smtp_pix_workaround_maps = 
> smtp_pix_workaround_threshold_time = 500s
> smtp_pix_workarounds = disable_esmtp,delay_dotcrlf
> smtp_quit_timeout = 300s
> smtp_quote_rfc821_envelope = yes
> smtp_rcpt_timeout = 300s
> smtp_rset_timeout = 20s
> smtp_sasl_auth_cache_name = 
> smtp_sasl_auth_cache_time = 90d
> smtp_sasl_auth_soft_bounce = yes
> smtp_sasl_mechanism_filter = 
> smtp_sasl_password_maps = 
> smtp_sasl_path = 
> smtp_sasl_security_options = noplaintext, noanonymous
> smtp_sasl_tls_security_options = $smtp_sasl_security_options
> smtp_sasl_tls_verified_security_options = $smtp_sasl_tls_security_options
> smtp_sasl_type = cyrus
> smtp_send_xforward_command = no
> smtp_sender_dependent_authentication = no
> smtp_starttls_timeout = 300s
> smtp_tls_CAfile = 
> smtp_tls_CApath = 
> smtp_tls_dcert_file = 
> smtp_tls_dkey_file = $smtp_tls_dcert_file
> smtp_tls_enforce_peername = yes
> smtp_tls_exclude_ciphers = 
> smtp_tls_fingerprint_cert_match = 
> smtp_tls_fingerprint_digest = md5
> smtp_tls_key_file = $smtp_tls_cert_file
> smtp_tls_loglevel = 0
> smtp_tls_mandatory_ciphers = high
> smtp_tls_mandatory_exclude_ciphers = 
> smtp_tls_mandatory_protocols = SSLv3, TLSv1
> smtp_tls_note_starttls_offer = yes
> smtp_tls_per_site = 
> smtp_tls_policy_maps = 
> smtp_tls_scert_verifydepth = 9
> smtp_tls_secure_cert_match = nexthop, dot-nexthop
> smtp_tls_session_cache_database = 
> smtp_tls_session_cache_timeout = 3600s
> smtp_tls_verify_cert_match = hostname
> smtp_use_tls = no
> smtp_xforward_timeout = 300s
> smtpd_authorized_verp_clients = $authorized_verp_clients
> smtpd_authorized_xclient_hosts = 
> smtpd_authorized_xforward_hosts = 
> smtpd_banner = $myhostname ESMTP $mail_name
> smtpd_client_connection_count_limit = 50
> smtpd_client_connection_rate_limit = 0
> smtpd_client_event_limit_exceptions = ${smtpd_client_connection_limit_exceptions:$mynetworks}
> smtpd_client_message_rate_limit = 0
> smtpd_client_new_tls_session_rate_limit = 10
> smtpd_client_port_logging = no
> smtpd_client_recipient_rate_limit = 0
> smtpd_client_restrictions = 
> smtpd_data_restrictions = reject_unauth_pipelining
> smtpd_delay_open_until_valid_rcpt = yes
> smtpd_discard_ehlo_keyword_address_maps = 
> smtpd_discard_ehlo_keywords = 
> smtpd_end_of_data_restrictions = 
> smtpd_enforce_tls = no
> smtpd_error_sleep_time = 1s
> smtpd_etrn_restrictions = 
> smtpd_expansion_filter = \t\40!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~
> smtpd_forbidden_commands = CONNECT GET POST
> smtpd_hard_error_limit = 20
> smtpd_helo_required = yes
> smtpd_helo_restrictions = reject_invalid_helo_hostname reject_non_fqdn_helo_hostname
> smtpd_history_flush_threshold = 100
> smtpd_junk_command_limit = 100
> smtpd_milters = 
> smtpd_noop_commands = 
> smtpd_null_access_lookup_key = <>
> smtpd_peername_lookup = yes
> smtpd_policy_service_max_idle = 300s
> smtpd_policy_service_max_ttl = 1000s
> smtpd_policy_service_timeout = 100s
> smtpd_proxy_ehlo = $myhostname
> smtpd_proxy_filter = 
> smtpd_proxy_timeout = 100s
> smtpd_pw_server_security_options = login,gssapi,cram-md5
> smtpd_recipient_limit = 1000
> smtpd_recipient_overshoot_limit = 1000
> smtpd_recipient_restrictions = permit_sasl_authenticated                permit_tls_clientcerts          check_sender_access hash:/etc/postfix/whitelist         check_sender_access regexp:/etc/postfix/tag_as_originating.re               check_sender_access regexp:/etc/postfix/tag_as_foreign.re               reject_non_fqdn_hostname            reject_unknown_reverse_client_hostname          reject_unauth_destination               reject_rbl_client cbl.abuseat.org
> smtpd_reject_unlisted_recipient = yes
> smtpd_reject_unlisted_sender = no
> smtpd_restriction_classes = 
> smtpd_sasl_auth_enable = yes
> smtpd_sasl_authenticated_header = no
> smtpd_sasl_exceptions_networks = 
> smtpd_sasl_path = smtpd
> smtpd_sasl_security_options = noanonymous
> smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
> smtpd_sasl_type = cyrus
> smtpd_sender_login_maps = 
> smtpd_sender_restrictions = 
> smtpd_soft_error_limit = 10
> smtpd_starttls_timeout = 300s
> smtpd_timeout = 300s
> smtpd_tls_CAfile = /etc/certificates/mcgregor.admilon.net.31B2A8BE25A7A4BCEA17E4A2982578C3AC6E5419.chain.pem
> smtpd_tls_CApath = 
> smtpd_tls_always_issue_session_ids = yes
> smtpd_tls_ask_ccert = no
> smtpd_tls_auth_only = no
> smtpd_tls_ccert_verifydepth = 9
> smtpd_tls_cert_file = /etc/certificates/mcgregor.admilon.net.31B2A8BE25A7A4BCEA17E4A2982578C3AC6E5419.cert.pem
> smtpd_tls_dcert_file = 
> smtpd_tls_dh1024_param_file = 
> smtpd_tls_dh512_param_file = 
> smtpd_tls_dkey_file = $smtpd_tls_dcert_file
> smtpd_tls_exclude_ciphers = 
> smtpd_tls_fingerprint_digest = md5
> smtpd_tls_key_file = /etc/certificates/mcgregor.admilon.net.31B2A8BE25A7A4BCEA17E4A2982578C3AC6E5419.key.pem
> smtpd_tls_loglevel = 0
> smtpd_tls_mandatory_ciphers = medium
> smtpd_tls_mandatory_exclude_ciphers = 
> smtpd_tls_mandatory_protocols = SSLv3, TLSv1
> smtpd_tls_received_header = no
> smtpd_tls_req_ccert = no
> smtpd_tls_security_level = may
> smtpd_tls_session_cache_database = 
> smtpd_tls_session_cache_timeout = 3600s
> smtpd_tls_wrappermode = no
> smtpd_use_pw_server = yes
> smtpd_use_tls = yes
> stale_lock_time = 500s
> stress = 
> strict_mailbox_ownership = yes
> syslog_facility = mail
> syslog_name = postfix
> tls_daemon_random_bytes = 32
> tls_export_cipherlist = ALL:+RC4:@STRENGTH
> tls_high_cipherlist = ALL:!EXPORT:!LOW:!MEDIUM:+RC4:@STRENGTH
> tls_low_cipherlist = ALL:!EXPORT:+RC4:@STRENGTH
> tls_medium_cipherlist = ALL:!EXPORT:!LOW:+RC4:@STRENGTH
> tls_null_cipherlist = eNULL:!aNULL
> tls_random_bytes = 32
> tls_random_exchange_name = ${data_directory}/prng_exch
> tls_random_prng_update_period = 3600s
> tls_random_reseed_period = 3600s
> tls_random_source = dev:/dev/urandom
> trace_service_name = trace
> transport_maps = 
> transport_retry_time = 60s
> trigger_timeout = 10s
> undisclosed_recipients_header = To: undisclosed-recipients:;
> unknown_address_reject_code = 450
> unknown_client_reject_code = 450
> unknown_hostname_reject_code = 450
> unknown_local_recipient_reject_code = 550
> unknown_relay_recipient_reject_code = 550
> unknown_virtual_alias_reject_code = 550
> unknown_virtual_mailbox_reject_code = 550
> unverified_recipient_reject_code = 450
> unverified_sender_reject_code = 450
> use_getpwnam_ext = yes
> use_od_delivery_path = no
> verp_delimiter_filter = -=+
> virtual_alias_domains = hash:/etc/postfix/virtual_domains
> virtual_alias_expansion_limit = 1000
> virtual_alias_maps = hash:/etc/postfix/virtual                                  hash:/private/var/mailman/data/virtual-mailman
> virtual_alias_recursion_limit = 1000
> virtual_destination_concurrency_failed_cohort_limit = $default_destination_concurrency_failed_cohort_limit
> virtual_destination_concurrency_limit = $default_destination_concurrency_limit
> virtual_destination_concurrency_negative_feedback = $default_destination_concurrency_negative_feedback
> virtual_destination_concurrency_positive_feedback = $default_destination_concurrency_positive_feedback
> virtual_destination_rate_delay = $default_destination_rate_delay
> virtual_destination_recipient_limit = $default_destination_recipient_limit
> virtual_gid_maps = 
> virtual_initial_destination_concurrency = $initial_destination_concurrency
> virtual_mailbox_base = 
> virtual_mailbox_domains = hash:/etc/postfix/virtual_domains_dummy
> virtual_mailbox_limit = 51200000
> virtual_mailbox_lock = fcntl, dotlock
> virtual_mailbox_maps = 
> virtual_minimum_uid = 100
> virtual_transport = virtual
> virtual_uid_maps = 
>
> Thanks and regards
> Matthias
>
>
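The pattern in the quoted log excerpt (a `sasl_username=` login from a remote client, then a `qmgr` line with a foreign envelope sender and several recipients) can be searched for mechanically. The Python script below is an added example and not part of the original thread; the sample log lines, user names, `example.org` as local domain and the flagging rule (remote client plus non-local envelope sender) are constructed assumptions, while the trusted networks are the `mynetworks` value from the quoted configuration.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample (not from the thread), same line format as the excerpt.
SAMPLE_LOG = """\
Aug 21 14:22:55 mx postfix/smtpd[101]: A1B2C3D4E5: client=dyn7.isp.example[203.0.113.7], sasl_method=LOGIN, sasl_username=alice
Aug 21 14:23:00 mx postfix/qmgr[90]: A1B2C3D4E5: from=<promo@freemail.example>, size=1663, nrcpt=8 (queue active)
Aug 21 14:24:10 mx postfix/smtpd[102]: B2C3D4E5F6: client=dyn23.isp.example[198.51.100.23], sasl_method=LOGIN, sasl_username=alice
Aug 21 14:24:12 mx postfix/qmgr[90]: B2C3D4E5F6: from=<offers@freemail.example>, size=1702, nrcpt=12 (queue active)
Aug 21 14:25:00 mx postfix/smtpd[103]: C3D4E5F6A7: client=desk.lan.example[192.168.1.20], sasl_method=PLAIN, sasl_username=bob
Aug 21 14:25:01 mx postfix/qmgr[90]: C3D4E5F6A7: from=<bob@example.org>, size=900, nrcpt=1 (queue active)
Aug 21 14:26:00 mx postfix/smtpd[104]: D4E5F6A7B8: client=hotel.example[203.0.113.50], sasl_method=PLAIN, sasl_username=carol
Aug 21 14:26:02 mx postfix/qmgr[90]: D4E5F6A7B8: from=<carol@example.org>, size=1200, nrcpt=2 (queue active)
Aug 21 14:27:00 mx postfix/smtpd[105]: E5F6A7B8C9: client=mx.partner.example[198.51.100.9]
Aug 21 14:27:01 mx postfix/qmgr[90]: E5F6A7B8C9: from=<news@partner.example>, size=5000, nrcpt=1 (queue active)
Aug 21 14:30:00 mx postfix/qmgr[90]: A1B2C3D4E5: from=<promo@freemail.example>, size=1663, nrcpt=8 (queue active)
"""

LOCAL_DOMAINS = {"example.org"}  # assumption: domains your users send as
TRUSTED_NETS = ("127.0.0.0/8", "192.168.2.0/24", "192.168.1.0/24")  # mynetworks

# smtpd logs queue id, client and SASL login only for authenticated sessions.
SMTPD_RE = re.compile(
    r"postfix/smtpd\[\d+\]: (?P<qid>[0-9A-Za-z]+): "
    r"client=[^\[]+\[(?P<ip>[^\]]+)\], sasl_method=\S+, sasl_username=(?P<user>\S+)"
)
# qmgr logs envelope sender and recipient count under the same queue id.
QMGR_RE = re.compile(
    r"postfix/qmgr\[\d+\]: (?P<qid>[0-9A-Za-z]+): "
    r"from=<(?P<sender>[^>]*)>, size=\d+, nrcpt=(?P<nrcpt>\d+)"
)


def analyze(log_text, local_domains=LOCAL_DOMAINS, trusted_nets=TRUSTED_NETS):
    """Correlate smtpd and qmgr lines by queue id, grouped per SASL user."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    sessions = {}   # queue id -> (sasl user, client ip)
    counted = set()  # qmgr repeats its line on every retry; count once
    report = defaultdict(lambda: {
        "messages": 0, "recipients": 0,
        "remote_ips": set(), "foreign_senders": set(),
    })
    for line in log_text.splitlines():
        m = SMTPD_RE.search(line)
        if m:
            sessions[m["qid"]] = (m["user"], m["ip"])
            continue
        m = QMGR_RE.search(line)
        if not m or m["qid"] not in sessions or m["qid"] in counted:
            continue  # unauthenticated mail or a retry of a counted message
        counted.add(m["qid"])
        user, ip = sessions[m["qid"]]
        entry = report[user]
        entry["messages"] += 1
        entry["recipients"] += int(m["nrcpt"])
        if not any(ipaddress.ip_address(ip) in net for net in nets):
            entry["remote_ips"].add(ip)
        sender = m["sender"]
        if sender and sender.rpartition("@")[2].lower() not in local_domains:
            entry["foreign_senders"].add(sender)
    return dict(report)


def suspicious_users(report):
    """Users who authenticated from outside the trusted networks AND sent
    with an envelope sender outside the local domains."""
    return sorted(
        user for user, e in report.items()
        if e["remote_ips"] and e["foreign_senders"]
    )


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for user in suspicious_users(result):
        e = result[user]
        print(f"{user}: {e['messages']} msgs, {e['recipients']} rcpts, "
              f"from {sorted(e['remote_ips'])} as {sorted(e['foreign_senders'])}")
```

A roaming user with a local sender address (carol in the sample) is not flagged, which keeps the rule usable on servers where remote submission is normal.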