[Debian-NP-Commits] r161 - in trunk/packages/debian-np: configs/np-mail-server/postfix debian

micah debian-np-devel@lists.alioth.debian.org
Tue, 06 Jul 2004 20:27:12 -0600


Author: micah-guest
Date: Tue Jul  6 20:27:11 2004
New Revision: 161

Modified:
   trunk/packages/debian-np/configs/np-mail-server/postfix/main.cf
   trunk/packages/debian-np/debian/changelog
Log:
Fixed up the changelog so it is nicer.
Moved the check_helo_access allowance out of the smtpd_helo_restrictions
block of the main.cf for postfix because this keeps authorized SMTP
AUTH'd clients from being able to EHLO as your domain.


Modified: trunk/packages/debian-np/configs/np-mail-server/postfix/main.cf
==============================================================================
--- trunk/packages/debian-np/configs/np-mail-server/postfix/main.cf	(original)
+++ trunk/packages/debian-np/configs/np-mail-server/postfix/main.cf	Tue Jul  6 20:27:11 2004
@@ -236,22 +236,22 @@
 	reject_rbl_client cbl.abuseat.org,
 	permit
 
-smtpd_helo_restrictions = reject_invalid_hostname, 
-	check_helo_access hash:$checks_dir/helo_checks,
+smtpd_helo_restrictions = permit_mynetworks,
+	reject_invalid_hostname, 
 	permit
 
 smtpd_sender_restrictions = permit_mynetworks,
+	permit_sasl_authenticated,
 	reject_invalid_hostname,
+	reject_non_fqdn_sender,
 	reject_unknown_sender_domain,
-	permit_sasl_authenticated,
 	check_sender_access hash:$checks_dir/access,
+	check_helo_access hash:$checks_dir/helo_checks,
 	permit
 
 smtpd_recipient_restrictions = 
 	permit_sasl_authenticated,
-        reject_non_fqdn_sender,
         reject_non_fqdn_recipient,
-        reject_unknown_sender_domain,
         reject_unknown_recipient_domain,
         permit_mynetworks,
         reject_unauth_destination,
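
Review bot: In smtpd_sender_restrictions, "check_helo_access hash:$checks_dir/helo_checks" is now listed after "check_sender_access hash:$checks_dir/access", so an OK result from the access map ends the list with a permit and the HELO check is never consulted for that sender. The envelope sender is supplied by the client, so consider placing check_helo_access directly after permit_sasl_authenticated, ahead of check_sender_access. A second ordering effect: reject_non_fqdn_sender and reject_unknown_sender_domain previously ran in smtpd_recipient_restrictions before permit_mynetworks, and now sit behind permit_mynetworks in smtpd_sender_restrictions, so clients in mynetworks are no longer subject to them. If that is intended, it deserves a line in the changelog.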

Modified: trunk/packages/debian-np/debian/changelog
==============================================================================
--- trunk/packages/debian-np/debian/changelog	(original)
+++ trunk/packages/debian-np/debian/changelog	Tue Jul  6 20:27:11 2004
@@ -2,15 +2,33 @@
 
   * NOT RELEASED YET
   * Micah Anderson
-    - np-mail-server: Added smtpd_data_restrictions and moved 
-      	reject_unauth_pipelining into that check, as 
-      	http://jimsun.linxnet.com/misc/postfix-anti-UCE.txt notes: 
-      	"For Postfix 2.x versions, reject_unauth_pipelining should always be 
-      	placed in smtpd_data_restrictions, even if it's the only one you put 
-      	there." - See FAQ Q16/A16.
-  * Micah Anderson
-    - np-mail-server: Added smtpd_banner to postfix configuration to hide the 
-	OS of the system.
+    - np-mail-server:
+	  
+	   . Moved "check_helo_access hash:$checks_dir/helo_checks" from the
+	     smtpd_helo_restrictions block to the smtpd_sender_restrictions block
+		 because a client has to EHLO before it can SASL authenticate,
+		 so SASL SMTP AUTH'd clients who should be allowed to HELO as
+		 the host would get the "Helo command  rejected: You are not in domain
+		 <domain.name>" error. Also moved the
+		 permit_sasl_authenticated higher up in the smtpd_sender_restrictions
+		 
+	   . Added permit_mynetworks to the smtpd_helo_restrictions so machines
+	     that are allowed to relay are accepted right away
+		 
+	   . Moved reject_non_fqdn_sender as well as the
+	     reject_unknown_sender_domain into the sender_restrictions
+		 instead of being in the recipient_restrictions.
+		 
+	   . Added smtpd_data_restrictions and moved 
+	     reject_unauth_pipelining into that check, as 
+	     http://jimsun.linxnet.com/misc/postfix-anti-UCE.txt notes: 
+	     "For Postfix 2.x versions, reject_unauth_pipelining should always be 
+	     placed in smtpd_data_restrictions, even if it's the only one you put 
+	     there." - See FAQ Q16/A16.
+		
+	   . Added smtpd_banner to postfix configuration to hide the OS of the 
+	   	 system.
+		 
   * Marco Presi (Zufus)
     - Initial code in DebConf4
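
Review bot: The new np-mail-server sub-items mix tabs and spaces for indentation: in the first "." item the opening two lines use a tab plus spaces while the continuation lines use two tabs plus a space, and the separator lines between items carry only whitespace. Pick one indent and leave the separators empty. The first item also stops mid-sentence at "Also moved the permit_sasl_authenticated higher up in the smtpd_sender_restrictions" with no closing period or reason given, and the quoted error contains a double space in "Helo command  rejected". Since the entry documents a restriction-ordering change, it would help to state where check_helo_access now sits relative to check_sender_access in that block.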