[Debian-NP-Commits] r161 - in trunk/packages/debian-np: configs/np-mail-server/postfix debian
micah
debian-np-devel@lists.alioth.debian.org
Tue, 06 Jul 2004 20:27:12 -0600
Author: micah-guest
Date: Tue Jul 6 20:27:11 2004
New Revision: 161
Modified:
trunk/packages/debian-np/configs/np-mail-server/postfix/main.cf
trunk/packages/debian-np/debian/changelog
Log:
Fixed up the changelog so it is nicer.
Moved the check_helo_access allowance out of the smtpd_helo_restrictions
block of the main.cf for postfix because this keeps authorized SMTP
AUTH'd clients from being able to EHLO as your domain.
Modified: trunk/packages/debian-np/configs/np-mail-server/postfix/main.cf
==============================================================================
--- trunk/packages/debian-np/configs/np-mail-server/postfix/main.cf (original)
+++ trunk/packages/debian-np/configs/np-mail-server/postfix/main.cf Tue Jul 6 20:27:11 2004
@@ -236,22 +236,22 @@
reject_rbl_client cbl.abuseat.org,
permit
-smtpd_helo_restrictions = reject_invalid_hostname,
- check_helo_access hash:$checks_dir/helo_checks,
+smtpd_helo_restrictions = permit_mynetworks,
+ reject_invalid_hostname,
permit
smtpd_sender_restrictions = permit_mynetworks,
+ permit_sasl_authenticated,
reject_invalid_hostname,
+ reject_non_fqdn_sender,
reject_unknown_sender_domain,
- permit_sasl_authenticated,
check_sender_access hash:$checks_dir/access,
+ check_helo_access hash:$checks_dir/helo_checks,
permit
smtpd_recipient_restrictions =
permit_sasl_authenticated,
- reject_non_fqdn_sender,
reject_non_fqdn_recipient,
- reject_unknown_sender_domain,
reject_unknown_recipient_domain,
permit_mynetworks,
reject_unauth_destination,
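Review bot: In smtpd_sender_restrictions, check_helo_access hash:$checks_dir/helo_checks is now placed after check_sender_access hash:$checks_dir/access, so if the access map returns OK for any sender, evaluation of the list ends there and the HELO check is never consulted. The envelope sender is chosen by the client, so an unauthenticated client whose MAIL FROM matches such an entry would skip helo_checks. Suggest moving check_helo_access to directly after permit_sasl_authenticated, ahead of check_sender_access. A short comment in main.cf explaining why a HELO lookup lives in the sender block would also help, since the reason is only recorded in the changelog.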
Modified: trunk/packages/debian-np/debian/changelog
==============================================================================
--- trunk/packages/debian-np/debian/changelog (original)
+++ trunk/packages/debian-np/debian/changelog Tue Jul 6 20:27:11 2004
@@ -2,15 +2,33 @@
* NOT RELEASED YET
* Micah Anderson
- - np-mail-server: Added smtpd_data_restrictions and moved
- reject_unauth_pipelining into that check, as
- http://jimsun.linxnet.com/misc/postfix-anti-UCE.txt notes:
- "For Postfix 2.x versions, reject_unauth_pipelining should always be
- placed in smtpd_data_restrictions, even if it's the only one you put
- there." - See FAQ Q16/A16.
- * Micah Anderson
- - np-mail-server: Added smtpd_banner to postfix configuration to hide the
- OS of the system.
+ - np-mail-server:
+
+ . Moved "check_helo_access hash:$checks_dir/helo_checks" from the
+ smtpd_helo_restrictions block to the smtpd_sender_restrictions block
+ because a client has to EHLO before it can SASL authenticate,
+ so SASL SMTP AUTH'd clients who should be allowed to HELO as
+ the host would get the "Helo command rejected: You are not in domain
+ <domain.name>" error. Also moved the
+ permit_sasl_authenticated higher up in the smtpd_sender_restrictions
+
+ . Added permit_mynetworks to the smtpd_helo_restrictions so machines
+ that are allowed to relay are accepted right away
+
+ . Moved reject_non_fqdn_sender as well as the
+ reject_unknown_sender_domain into the sender_restrictions
+ instead of being in the recipient_restrictions.
+
+ . Added smtpd_data_restrictions and moved
+ reject_unauth_pipelining into that check, as
+ http://jimsun.linxnet.com/misc/postfix-anti-UCE.txt notes:
+ "For Postfix 2.x versions, reject_unauth_pipelining should always be
+ placed in smtpd_data_restrictions, even if it's the only one you put
+ there." - See FAQ Q16/A16.
+
+ . Added smtpd_banner to postfix configuration to hide the OS of the
+ system.
+
* Marco Presi (Zufus)
- Initial code in DebConf4
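Review bot: The third bullet says reject_unknown_sender_domain was moved into the sender restrictions, but in the main.cf hunk it appears in smtpd_sender_restrictions as an unchanged context line; only the copy in smtpd_recipient_restrictions is removed, and reject_non_fqdn_sender is the one restriction actually moved. Suggest rewording to say the duplicate reject_unknown_sender_domain was dropped from smtpd_recipient_restrictions. The first bullet also stops at "higher up in the smtpd_sender_restrictions" without a closing period or the reason for the reordering, which is worth stating because the order of that list decides which clients bypass the later checks.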