[BlueOnyx:24491] Re: Postfix config

Michael Stauber mstauber at blueonyx.it
Wed Nov 11 23:24:15 -05 2020


Hi Ernie,

> this is the first config that I noticed was getting overwritten
> 
> smtpd_sender_restrictions =
>         permit_mynetworks
>         reject_unknown_sender_domain
>         reject_non_fqdn_sender
>         reject_non_fqdn_hostname
>         reject_unknown_reverse_client_hostname
>         reject_unknown_client_hostname
>         reject_rbl_client cbl.abuseat.org
>         check_sender_access     hash:/etc/postfix/access
> 
> 
> It gets changed back to just  smtpd_sender_restrictions = reject_unknown_sender_domain
> 
> I see that you use postscreen for the rbl which is ok, so I can delete that
> line from my smtpd_sender_restrictions.

Yeah, we have the RBLs in postscreen.

You've seen that /etc/postfix/access is auto-generated on each Postfix
restart? That's done this way:

cat /etc/mail/access|grep -v ^#|grep -v -e '^$'| \
sed 's@ERROR:.*$@REJECT@g'| sed 's@550.*$@REJECT@g'|sed '/^\s*$/d'| \
grep -v localhost|grep -v ::1|grep -v 127.0.0.1 > /etc/postfix/access

But that should work well with your 'check_sender_access
hash:/etc/postfix/access' anyway.

Aside from the RBL entry in your 'smtpd_sender_restrictions' this all
looks good and I could add it as is into our config generator, as it
seems sensible.

If you agree, then I would make this the new default config:

smtpd_sender_restrictions =
        permit_mynetworks
        reject_unknown_sender_domain
        reject_non_fqdn_sender
        reject_non_fqdn_hostname
        reject_unknown_reverse_client_hostname
        reject_unknown_client_hostname
        check_sender_access     hash:/etc/postfix/access

But if the new checkbox "Accept from unresolvable domains" is ticked in
the GUI ("Server Management" / "Network Services" / "Email" / "Advanced"),
it's changed to this:

smtpd_sender_restrictions =
        permit_mynetworks
        check_sender_access     hash:/etc/postfix/access

We do have some users that run BlueOnyx in DMZs with mixed public and
private traffic. And the private senders might not have proper DNS.

Any thoughts or objections to this change?

Additionally I'm thinking of adding an include to the script that
dynamically generates the Postfix configuration. Something like this:

-----------------------------------------------------------
#> cat /usr/sausalito/bin/blueonyx-postfix
#!/bin/sh

# Output is discarded with a POSIX redirect ('&>' is a bashism under #!/bin/sh).
if [ -f /usr/sausalito/bin/blueonyx-postfix-confgen ];then
	/usr/sausalito/bin/blueonyx-postfix-confgen >/dev/null 2>&1 || :
fi

# Any 'postconf' overrides can be performed via this custom script:
if [ -f /root/custom-postfix-confgen.sh ];then
	/root/custom-postfix-confgen.sh >/dev/null 2>&1 || :
fi
-----------------------------------------------------------

That way you could create your own /root/custom-postfix-confgen file and
could put all the "postconf -e" commands into it that you want to apply
to the Postfix configuration *after* the auto-configure has run. That
would allow you to override any Postfix setting and make it stick
through updates and other changes.

Whenever Postfix is restarted, it would then auto-configure Postfix and
(if present) would execute the /root/custom-postfix-confgen.sh that you
substitute yourself.

-- 
With best regards

Michael Stauber
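
The /etc/postfix/access conversion described in the message, as an added example that is not part of the original post and is not BlueOnyx code: the posted filter chain is wrapped in a function and run over constructed entries, next to a hypothetical field-aware variant (convert_access_by_field is an assumed name) that rewrites only the action column. The sample includes a lookup key containing "550" to show what the unanchored pattern does to it.

```sh
#!/bin/sh
# Added example, not BlueOnyx code. All entries below are constructed.
sample_access() {
    cat <<'EOF'
# constructed sendmail-style entries
localhost.localdomain RELAY
127.0.0.1 RELAY
::1 RELAY

spammer@bad.example ERROR:5.7.1:550 Go away
junk.example 550 We do not accept mail from you
mail550.example OK
partner.example OK
EOF
}

# The filter chain from the message, reading stdin instead of /etc/mail/access.
# [[:space:]] is the POSIX spelling of the \s used in the original.
convert_access() {
    grep -v '^#' | grep -v -e '^$' \
        | sed 's@ERROR:.*$@REJECT@g' | sed 's@550.*$@REJECT@g' \
        | sed '/^[[:space:]]*$/d' \
        | grep -v localhost | grep -v ::1 | grep -v 127.0.0.1
}

# Hypothetical field-aware variant: only the action column (field 2) is
# rewritten, and loopback entries are matched on the lookup key (field 1).
convert_access_by_field() {
    awk '
        /^[ \t]*(#|$)/                             { next }
        $1 == "localhost" || $1 ~ /^localhost\./   { next }
        $1 == "::1" || $1 == "127.0.0.1"           { next }
        $2 ~ /^(ERROR:|550)/                       { print $1, "REJECT"; next }
                                                   { print }
    '
}

echo "--- pipeline as posted ---";  sample_access | convert_access
echo "--- field-aware variant ---"; sample_access | convert_access_by_field
```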


