path: root/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp
# Postfix smtpd restriction lists for the MX role.
#
# Two kinds of traffic are covered: incoming mail on SMTP port 25 (the
# smtpd_* parameters) and mail sent via the bitmask client on SMTPS port 465
# (the smtps_* parameters).
#
# Each restriction list is evaluated left to right and the first matching
# result wins, so the order of entries inside every value is significant.
#
# NOTE(review): the smtps_* names are not stock Postfix parameters;
# presumably they are referenced from the port 465 service definition in
# master.cf - confirm, since a list that is never referenced has no effect.
class site_postfix::mx::smtpd_checks {

  # Clients must send HELO/EHLO, so the helo restriction lists cannot be
  # skipped by omitting the command.
  postfix::config { 'smtpd_helo_required':
    value => 'yes',
  }

  # Single-quoted on purpose: Puppet does not interpolate here, so the
  # literal $config_directory reaches main.cf and is expanded by Postfix.
  postfix::config { 'checks_dir':
    value => '$config_directory/checks',
  }

  # The RBL entries come from $site_postfix::mx::rbls, which is set outside
  # this class. The trailing permit accepts every client that none of the
  # earlier entries rejected.
  # NOTE(review): if rbls can be empty the value contains an empty list
  # element - verify how the target Postfix version handles that.
  postfix::config { 'smtpd_client_restrictions':
    value => "permit_mynetworks,${site_postfix::mx::rbls},permit",
  }

  # Reject clients that send commands ahead of time (outside mynetworks).
  postfix::config { 'smtpd_data_restrictions':
    value => 'permit_mynetworks, reject_unauth_pipelining, permit',
  }

  postfix::config { 'smtpd_delay_reject':
    value => 'yes',
  }

  # $checks_dir is again left for Postfix to expand (single quotes).
  postfix::config { 'smtpd_helo_restrictions':
    value => 'permit_mynetworks, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, check_helo_access hash:$checks_dir/helo_checks, permit',
  }

  # check_recipient_access runs before reject_unauth_destination, so a
  # permissive answer from the tcp:localhost:2244 service would end
  # evaluation before the relay check is reached.
  # NOTE(review): confirm that service only returns OK for recipients this
  # host is the final destination for. Postfix tcp: lookups are
  # unauthenticated, so this also relies on only the intended daemon
  # listening on that localhost port.
  postfix::config { 'smtpd_recipient_restrictions':
    value => 'reject_unknown_recipient_domain, permit_mynetworks, check_recipient_access tcp:localhost:2244, reject_unauth_destination, permit',
  }

  # permit_tls_clientcerts looks up client cert fingerprints through the tcp
  # lookup on port 2424 (based on what is configured in the
  # relay_clientcerts parameter, see the postfix::config resource in
  # site_postfix::mx) to decide whether a client may relay mail through us.
  # This lets us disable a user by removing their valid client cert (#3634).
  # Port 2424 is a different lookup from the recipient check on port 2244
  # used in the value below.
  postfix::config { 'smtps_recipient_restrictions':
    value => 'permit_tls_clientcerts, check_recipient_access tcp:localhost:2244, reject_unauth_destination, permit',
  }

  # Relaying on the smtps listener is limited to mynetworks and clients with
  # a known certificate; everything else is deferred.
  postfix::config { 'smtps_relay_restrictions':
    value => 'permit_mynetworks, permit_tls_clientcerts, defer_unauth_destination',
  }

  # Unlike the port 25 helo list, this one has no reject_invalid_helo_hostname
  # or reject_non_fqdn_helo_hostname entry.
  # NOTE(review): presumably because clients do not announce a FQDN - confirm.
  postfix::config { 'smtps_helo_restrictions':
    value => 'permit_mynetworks, check_helo_access hash:$checks_dir/helo_checks, permit',
  }

  postfix::config { 'smtpd_sender_restrictions':
    value => 'permit_mynetworks, reject_non_fqdn_sender, reject_unknown_sender_domain, permit',
  }

}